[krbdev.mit.edu #8619] ksu command doesn't use service ticket in cache file but always re-requests to TGS

Fabiano Tarlao via RT rt-comment at krbdev.mit.edu
Mon Nov 13 17:07:42 EST 2017


ksu command doesn't use service ticket in the cache file but always
re-requests to TGS (or fails when there is no TGT in cache)

The documentation states it should not re-request the service ticket (for
end-server) but use the already cached one; quote:

Otherwise, ksu looks for an appropriate Kerberos ticket in the source
cache. The ticket can either be for the end-server or a ticket granting
ticket (TGT) for the target principal’s realm. If the ticket for the
end-server is already in the cache, it’s decrypted and verified. If it’s
not in the cache but the TGT is, the TGT is used to obtain the ticket for
the end-server. The end-server ticket is then verified.

Details about the problem (my experiments and my environment) are in this
(long) serverfault question:

https://serverfault.com/questions/882476/linux-ksu-kerberized-super-user-command-fails-to-use-cached-service-host-tic

I already asked, but got no solution on the Krb5 mailing lists and no
response on serverfault.
Regards
Fabiano


