tkt->client must be equal to in_cred->client

Nikhil Mishra nikhilm at
Tue Feb 24 12:56:00 EST 2009

Hi All ,

I have been working on developing client support for MS S4U
extensions in  MIT kerberos .

There are couple of things that I think is worth putting forward and
then I will follow up my questions :

1. I am calling standard krb5_get_credentials() for doing a S4U2self .
    Now , S4U2self  requires three parameters .
        1.  TGT for process
        2.  Delegating SPN viz. service principal of the process .
        3.  Delegating UPN viz. Username/UPN on whose behalf
                this request is done .

  My understanding is in_cred parameter that is being passed to
    krb5_get_credentials should ideally have client as delegating UPN,
server as Delegating SPN .

This will create two problems :

1. To retrieve TGT for the process , we need a client UPN in
    krb5_get_cred_from_kdc_opt() .

    This we can resolve by calling krb5_cc_get_principal() and
    assigning it to client .

2. In krb5_get_cred_via_tkt() there is a strict checking
     /* tkt->client must be equal to in_cred->client */
    if (!krb5_principal_compare(context, tkt->client, in_cred->client))
        return KRB5_PRINC_NOMATCH;

    Why are we checking for this equality here ?

I am trying to push S4U feature in existing infrastructure and
that is why the issues .

Thanks & Regards


More information about the krbdev mailing list