Spurious tickets when using DNS realm configuration

Greg Hudson ghudson at mit.edu
Wed Jul 24 12:28:12 EDT 2019

On 7/24/19 2:13 AM, David Cross wrote:
> Specifically if I auth as user@REALM and klist I see my tgt as expected. If I then ssh to a host and klist I get 2 tickets:
> host/foo@
> host/foo@REALM

This is expected, and results from not having a [domain_realm] map entry
for the server host.  (Using DNS realm configuration shouldn't affect
this one way or another.)  Because the realm of the server is not known,
the initial principal we request credentials for is host/foo@, and we
don't find out that the actual name is host/foo@REALM until we get the
ticket.  We need to cache the result under host/foo@ or we would make a
repeat query the next time around.

In the next release there will only be one cache entry, which will
appear in klist like:

07/24/19 12:18:54  07/25/19 12:18:41  host/small-gods.mit.edu@
	Ticket server: host/small-gods.mit.edu@KRBTEST.COM

> Additionally on the kdc i see that it additionally requests the tgt again.

The TGT or the service ticket?  Regardless, I don't have a good
explanation for that; I wouldn't expect there to be multiple TGS
requests in a simple referral scenario.  Getting KRB5_TRACE output might
help determine what's going on.
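To make the mechanism described in the reply concrete, here is a small model (added for this archive page; it is not krb5 code and the hostnames, realms and the krb5.conf fragment are constructed) of the two steps involved: mapping a server host to a realm through [domain_realm], and, when that yields no realm, requesting host/foo@ with an empty realm, learning the true name from the KDC, and caching the result under the name that was asked for so the next lookup does not query the KDC again. The lookup order (exact host, then parent domains with a leading dot) is a simplification of the real library's matching rules, and FakeKDC simply counts TGS requests so the effect of the cache is visible.

```python
"""Model of how a Kerberos client chooses the realm of a host principal and
what it caches after a KDC referral.  Constructed example, not krb5 code."""

from dataclasses import dataclass

# Constructed krb5.conf fragment: hosts under .mit.edu are mapped, foo.example.net is not.
KRB5_CONF = """
[libdefaults]
    default_realm = KRBTEST.COM

[domain_realm]
    .mit.edu = KRBTEST.COM
    kdc.mit.edu = ATHENA.MIT.EDU
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a {pattern: realm} dict."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def realm_for_host(host, mapping):
    """Exact hostname first, then each parent domain with a leading dot
    (assumed simplification of krb5's order).  '' means the realm is unknown."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return ""


@dataclass
class FakeKDC:
    """Stands in for the KDC: knows every host's true realm and counts TGS requests."""
    truth: dict
    tgs_requests: int = 0

    def tgs(self, sname):
        self.tgs_requests += 1
        svc, _, _realm = sname.partition("@")
        host = svc.split("/", 1)[1]
        # For an empty-realm request the KDC answers with the canonical server name.
        return f"{svc}@{self.truth[host]}"


def get_service_ticket(host, ccache, mapping, kdc, single_entry=False):
    """Fetch a host ticket, asking the KDC on a cache miss.

    The ticket is always stored under the name that was requested, so a later
    request for the same (possibly empty-realm) name is a cache hit.  With
    single_entry=False a second entry is also made under the canonical name,
    which is what produces the two klist lines discussed in the thread."""
    requested = f"host/{host}@{realm_for_host(host, mapping)}"
    if requested in ccache:
        return ccache[requested]
    server = kdc.tgs(requested)
    ccache[requested] = server
    if not single_entry and server != requested:
        ccache[server] = server
    return server


if __name__ == "__main__":
    mapping = parse_domain_realm(KRB5_CONF)
    kdc = FakeKDC({"foo.example.net": "REALM", "small-gods.mit.edu": "KRBTEST.COM"})
    ccache = {}
    get_service_ticket("foo.example.net", ccache, mapping, kdc)
    get_service_ticket("foo.example.net", ccache, mapping, kdc)
    for client_name, server in ccache.items():
        print(f"{client_name}\n\tTicket server: {server}")
    print("TGS requests:", kdc.tgs_requests)
```

Running it shows one TGS request for two lookups of the unmapped host, and a cache holding both host/foo.example.net@ and host/foo.example.net@REALM; passing single_entry=True leaves only the requested name, with the canonical server name recorded against it, which matches the single klist entry shown in the reply.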
