Ahh, thank you for pointing me up the right tree :-)... and especially for committing the patch.

We may indeed have to try to breach the SEP field around our KDC setup...

On 06/02/2011 08:06 PM, Greg Hudson wrote:
> On Thu, 2011-06-02 at 17:29 -0400, Marc W. Mengel wrote:
>> but when you go to request a ticket for a specific
>> host, it looks like in s4u_identify_user()
>> (http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/s4u_creds.c#102)
>> the options are set to have canonicalize true, and then later in
>> krb5_init_creds_init()
>> (http://src.mit.edu/krb5/xref/trunk/src/lib/krb5/krb/get_in_tkt.c#868)
>> if it's already set to true, any options in the krb5.conf in the realm
>> or what have you are ignored, because they are only checked if the
>> options word has the flag turned off.
>
> Neither of these functions is used in the TGS request path. What
> actually happened was a change in the fallback behavior when get_creds.c
> was rewritten for 1.9. Previously, we would retry without the
> canonicalize bit set any time we got an error from our first referral
> request, but in 1.9 we only retry if we would be doing so in a different
> realm.
>
> The old fallback behavior will be restored in 1.9.2 (I just committed
> the patch), but depending on your deployment scenario, it may be easier
> to work around this problem by patching the KDC. It would be a very
> simple patch to validate_tgs_request() in kdc_util.c.
>
> ________________________________________________
> Kerberos mailing list
> [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
