[krbdev.mit.edu #5663] kinit -S can fail if using a "fallback" mechanism to determine realm
Public Submitter via RT
rt-comment at krbdev.mit.edu
Fri Aug 17 18:31:43 EDT 2007
If a fallback mechanism is being used to determine the realm for a
service (e.g. DNS), kinit -S is essentially rendered useless.
Taken from the krbdev mailing list:
----
I've been syncing the client-side referrals code from 1.6 to Solaris
Nevada.
During testing I came across an interesting problem.
Unless the krb5.conf file is properly populated (and no fallbacks are
being used) "kinit -S" is essentially rendered useless.
e.g.
$ kinit -S host/zup.czech.sun.com mark
-> stores host/zup.czech.sun.com@SUN.COM in the cred-cache
$ ssh zup.czech.sun.com
-> looks for host/zup.czech.sun.com@ in the cred-cache and fails.
I've verified that is what happens with the MIT code (1.6.2).
----
The attached patch modifies kinit to always cache the service
credentials twice - both with and without a server realm. This ensures
that the ticket will be usable in both scenarios.
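
A simplified model of the mismatch described in this report, added here as an illustration; it is not the attached patch and not MIT krb5 code. The function names, the exact-match cache lookup and the sample `[domain_realm]` entry are assumptions made for the example.

```python
# Simplified model, not MIT krb5 code: the cache lookup is assumed to be an
# exact match on the full server principal, realm included.
REFERRAL_REALM = ""  # empty realm, as in "host/zup.czech.sun.com@"

def realm_from_domain_realm(host, domain_realm):
    """Most specific [domain_realm] key wins: the host, then parent domains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        for key in ((suffix,) if i == 0 else ("." + suffix, suffix)):
            if key in domain_realm:
                return domain_realm[key]
    return None  # nothing configured: a fallback (e.g. DNS) would be needed

def name_used_by_kinit(name, default_realm):
    """kinit -S parses a principal name; no realm given -> default realm."""
    return name if "@" in name else f"{name}@{default_realm}"

def name_used_by_application(service, host, domain_realm):
    """An application (ssh here) builds service/host@realm from the host name."""
    realm = realm_from_domain_realm(host, domain_realm)
    return f"{service}/{host}@{REFERRAL_REALM if realm is None else realm}"

def kinit_S(cache, name, default_realm, cache_twice=False):
    """Store the service ticket; optionally also under the realm-less name."""
    server = name_used_by_kinit(name, default_realm)
    cache[server] = "ticket"
    if cache_twice:  # the behaviour the report says the patch adds
        cache[server.rsplit("@", 1)[0] + "@" + REFERRAL_REALM] = "ticket"
    return server

def ssh_finds_ticket(domain_realm, cache_twice):
    """Replay the report's two commands; True if ssh's lookup hits the cache."""
    cache = {}
    kinit_S(cache, "host/zup.czech.sun.com", "SUN.COM", cache_twice)
    wanted = name_used_by_application("host", "zup.czech.sun.com", domain_realm)
    return wanted in cache

if __name__ == "__main__":
    populated = {".sun.com": "SUN.COM"}  # constructed sample mapping
    print("no mapping, cached once :", ssh_finds_ticket({}, False))
    print("mapping present         :", ssh_finds_ticket(populated, False))
    print("no mapping, cached twice:", ssh_finds_ticket({}, True))
```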