On Thu, 2011-06-02 at 17:29 -0400, Marc W. Mengel wrote:
> but when you go to request a ticket for a specific
> host, it looks like in s4u_identify_user()
> (http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/s4u_creds.c#102)
> the options are set to have canonicalize true, and then later in
> krb5_init_creds_init()
> (http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/get_in_tkt.c#868)
> if it's already set to true, any options in the krb5.conf in the realm
> or what have you are ignored, because they are only checked if the
> options word has the flag turned off.
Neither of these functions is used in the TGS request path. What actually happened was a change in the fallback behavior when get_creds.c was rewritten for 1.9. Previously, we would retry without the canonicalize bit set any time we got an error from our first referral request, but in 1.9 we only retry if we would be doing so in a different realm.

The old fallback behavior will be restored in 1.9.2 (I just committed the patch), but depending on your deployment scenario, it may be easier to work around this problem by patching the KDC. It would be a very simple patch to validate_tgs_request() in kdc_util.c.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
