S4U2Proxy "Cannot find ticket for requested realm" error

Arlene Berry aberry0364 at hotmail.com
Tue Feb 16 16:48:37 EST 2010

I've seen this with both GSS API and kvno but I'm debugging it with kvno.  I've tracked this down and the ultimate cause is that when krb5_server_decrypt_ticket_keytab() decrypts the encrypted part of the impersonated ticket it tries every keytab entry it finds with the right key type and the first one that works it uses.  It doesn't match the principal or the key version.  The problem occurs when krb5_server_decrypt_ticket_keytab() replaces the server principal in the ticket with the one in the keytab entry.  Since I'm using Active Directory for the KDC and have the account set up as a computer account, I have several variations on the principal name stored as separate keytab entries and the right one may not be the first keytab entry that can decrypt the ticket.  The result is that when kvno tries to use the impersonated credentials to get credentials for a service and krb5_get_credentials_for_proxy() looks for the proxy's TGT, it's looking for a TGT with the wrong principal name and ultimately returns KRB5_NO_TKT_IN_RLM.  What is the right way to fix this?  Is there a reason why krb5_server_decrypt_ticket_keytab() doesn't match the principal name?  Why does krb5_server_decrypt_ticket_keytab() replace the ticket's server principal?

Arlene Berry
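A small Python model of the keytab-selection behaviour described in the post, added here as an illustration; it is not code from the krb5 library or from the poster. The keytab entries, the ticket, the credential cache and the HMAC stand-in for ticket decryption are all constructed, and the AD computer-account setup (several name variants sharing one key and kvno) is what makes "first key that decrypts" pick a name other than the one in the ticket.

```python
import hmac
import hashlib
from dataclasses import dataclass
@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    enctype: str
    key: bytes
@dataclass(frozen=True)
class Ticket:
    sname: str       # server principal from the unencrypted part of the ticket
    kvno: int
    enctype: str
    enc_part: bytes  # constructed stand-in for the encrypted part: HMAC tag || body

def seal(key, body):
    # Constructed stand-in for Kerberos encryption: unseal() succeeds only with the right key.
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, enc_part):
    tag, body = enc_part[:32], enc_part[32:]
    return body if hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()) else None

def decrypt_first_key_that_works(ticket, keytab):
    # Models the behaviour the post describes: every entry of the right enctype is tried,
    # the first that decrypts wins, and its principal becomes the ticket's server name.
    for e in keytab:
        if e.enctype == ticket.enctype and unseal(e.key, ticket.enc_part) is not None:
            return e.principal
    return None

def decrypt_matching_entry(ticket, keytab):
    # Stricter selection: only entries whose principal and kvno match the ticket are tried.
    for e in keytab:
        if (e.principal, e.kvno, e.enctype) == (ticket.sname, ticket.kvno, ticket.enctype):
            if unseal(e.key, ticket.enc_part) is not None:
                return e.principal
    return None

# Constructed AD-style computer account: every name variant shares the same key and kvno.
SHARED_KEY = hashlib.sha256(b"constructed computer-account key").digest()
KEYTAB = [KeytabEntry("WS01$@EXAMPLE.COM", 2, "aes256", SHARED_KEY),
          KeytabEntry("HOST/ws01@EXAMPLE.COM", 2, "aes256", SHARED_KEY),
          KeytabEntry("host/ws01.example.com@EXAMPLE.COM", 2, "aes256", SHARED_KEY)]
TICKET = Ticket("host/ws01.example.com@EXAMPLE.COM", 2, "aes256", seal(SHARED_KEY, b"ticket body"))
# Constructed cache: the proxy's TGT is filed under the service's real name, so a lookup by the
# wrong name returns None (the role KRB5_NO_TKT_IN_RLM plays in the post).
TGT_CACHE = {"host/ws01.example.com@EXAMPLE.COM": "krbtgt/EXAMPLE.COM@EXAMPLE.COM"}
def proxy_tgt_for(server_principal):
    return TGT_CACHE.get(server_principal)
```

With the shared key, the first-match selection returns the `WS01$` entry and the subsequent TGT lookup finds nothing, while matching principal and kvno first returns the ticket's own server name and the lookup succeeds.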

