So here's our problem. With MIT Kerberos 1.9 clients (under Fedora 15 in particular), when users try to ssh or rsh or what have you to one of our hosts, we get errors logged on the KDC like:

    131.225.202.31(88): INVALID TGS OPTIONS: authtime 1306970595, [email protected] for host/[email protected], KDC can't fulfill requested option

which I suspect is due to KRB5_GET_INIT_CREDS_OPT_CANONICALIZE being set in the request, which the KDC (being an older one) rejects out of hand as an invalid option.

The problem is, in the latest code, there seems to be no way to turn this off. You can turn canonicalize off and on for the initial TGT request in kinit (and turning it on makes those requests fail similarly), but when you go to request a ticket for a specific host, it looks like in s4u_identify_user() (http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/s4u_creds.c#102) the options are set to have canonicalize true, and then later in krb5_init_creds_init() (http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/get_in_tkt.c#868), if it's already set to true, any options in the krb5.conf in the realm or what have you are ignored, because they are only checked if the options word has the flag turned off.

Or am I missing something?

Marc
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
