[krbdev.mit.edu #6673] S4U2Proxy and kvno error
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Fri Mar 5 15:25:41 EST 2010
The reason for not matching the name is to work with service aliases.
See http://k5wiki.kerberos.org/wiki/Projects/Aliases, specifically the
section "Server Principals". There was also some discussion of this on
krbdev in December 2008 starting here:
http://mailman.mit.edu/pipermail/krbdev/2008-December/007154.html
The change being discussed there was to krb5_rd_req, and the change to
krb5_server_decrypt_ticket_keytab didn't happen until it was necessary
in order to make S4U testing with kvno work. But the reasoning is the same.
I don't know the best resolution for your use case, because I'm not
familiar enough with AD to understand why you'd have multiple entries
in a keytab for the same key with different names.
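The behaviour the reply describes, as an added example that is not part of the original message and not MIT krb5 code: a keytab lookup that ignores the principal name in the ticket and tries every key with a matching kvno and enctype, beside the older name-matching lookup. The cipher is a stand-in (SHA-256 keystream plus an HMAC tag), not a Kerberos enctype; the keytab entries, ticket fields, principal names and key bytes are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class KeytabEntry:
    principal: str  # name stored in the keytab (assumed shape, not krb5's struct)
    kvno: int
    enctype: int
    key: bytes


@dataclass(frozen=True)
class Ticket:
    server: str  # name the KDC put in the ticket; may be an alias of the keytab name
    kvno: int
    enctype: int
    enc_part: bytes


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for ticket encryption: nonce || ciphertext || HMAC tag (not a real enctype)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Stand-in for ticket decryption; a wrong key fails the tag check and raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


def decrypt_by_name(ticket: Ticket, keytab: List[KeytabEntry]) -> Optional[Tuple[bytes, KeytabEntry]]:
    """Older behaviour: only entries whose principal equals the ticket's server name are tried."""
    for e in keytab:
        if e.principal == ticket.server and e.kvno == ticket.kvno and e.enctype == ticket.enctype:
            try:
                return unseal(e.key, ticket.enc_part), e
            except ValueError:
                continue
    return None


def decrypt_any_name(ticket: Ticket, keytab: List[KeytabEntry]) -> Tuple[bytes, KeytabEntry]:
    """Alias-tolerant behaviour: ignore the name, try every key with matching kvno and enctype."""
    candidates = [e for e in keytab if e.kvno == ticket.kvno and e.enctype == ticket.enctype]
    if not candidates:
        have = sorted({e.kvno for e in keytab if e.enctype == ticket.enctype})
        raise LookupError(f"no key with kvno {ticket.kvno}; keytab has kvnos {have}")
    for e in candidates:
        try:
            return unseal(e.key, ticket.enc_part), e
        except ValueError:
            continue
    raise ValueError("no key in the keytab decrypts this ticket")


# Constructed keytab: canonical host name and an alias sharing one key, plus an older kvno.
REALM = "@EXAMPLE.COM"
ENCTYPE = 17  # label only; the stand-in cipher does not implement aes128-cts
SERVICE_KEY = hashlib.sha256(b"constructed service key").digest()
KEYTAB = [
    KeytabEntry("host/web01.example.com" + REALM, 3, ENCTYPE, SERVICE_KEY),
    KeytabEntry("HTTP/www.example.com" + REALM, 3, ENCTYPE, SERVICE_KEY),
    KeytabEntry("host/web01.example.com" + REALM, 2, ENCTYPE, hashlib.sha256(b"old key").digest()),
]
PAYLOAD = b"client=alice" + REALM.encode()


def make_ticket(server: str, kvno: int = 3) -> Ticket:
    return Ticket(server, kvno, ENCTYPE, seal(SERVICE_KEY, PAYLOAD))


def demo() -> dict:
    results = {}
    # The KDC named the alias in the ticket, but the keytab holds only the canonical name.
    canonical_only = [e for e in KEYTAB if e.principal.startswith("host/")]
    t = make_ticket("HTTP/www.example.com" + REALM)
    results["name_match_alias"] = decrypt_by_name(t, canonical_only) is not None
    results["any_name_alias"] = decrypt_any_name(t, canonical_only)[1].principal.startswith("host/")
    # Two entries with the same key under different names: whichever is tried first decrypts.
    results["dup_entries"] = decrypt_any_name(t, KEYTAB)[0] == PAYLOAD
    # A ticket under a kvno the keytab does not hold is a kvno error, not a name error.
    try:
        decrypt_any_name(make_ticket("host/web01.example.com" + REALM, kvno=4), KEYTAB)
        results["kvno_error"] = False
    except LookupError:
        results["kvno_error"] = True
    return results
```

The point the example isolates: once the name is ignored, duplicate entries for the same key under different names are harmless (the first candidate decrypts), and the remaining way to fail is a kvno or enctype that the keytab simply does not contain.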