On 11/14/2011 11:49 AM, Greg Hudson wrote:
> I would expect 1.6.1 to send the TGS request with the canonicalize bit
> set. Can you look at the packet trace for 1.6.1 (or post results if
> you've already looked at it)? Perhaps there's a difference there which
> will explain the different outcome.

Never mind, I think I know why 1.6.1 succeeds and 1.9 fails. 1.6 through 1.8 have a workaround for this specific AD behavior (fall back to a non-referral request if you get back a TGT to the same realm), and 1.9 only has a workaround for a related but different behavior (fall back if you get a non-TGT service name other than the requested service) described in the same ticket (#4955).

I am guessing that this version of AD is implementing the behavior described in appendix A of the referrals draft. It wants to change the client-visible server name, and the way it does so is by returning a TGT to the same realm with a PA-SVR-REFERRAL-DATA entry in the encrypted padata.

This should be easy enough to fix, since I have a test case in a local AD realm. If you are in a position to test a patch, I can furnish one; otherwise it should hit a 1.9 patch release at some point.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
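As an added illustration (constructed for this page, not MIT krb5 code and not from the thread), the following Python models the client-side decision the message describes: classify the TGS-REP a canonicalizing client gets back, including the same-realm TGT that carries PA-SVR-REFERRAL-DATA in its encrypted padata. The padata type number, the field names and the "rename and retry" action are assumptions, and the hop limit is a caveat against referral loops rather than anything the message states.

```python
from dataclasses import dataclass, field

# Assumed padata type number for PA-SVR-REFERRAL-DATA; check the IANA registry.
PA_SVR_REFERRAL_DATA = 20
MAX_REFERRAL_HOPS = 10  # assumed bound so a misbehaving KDC cannot loop the client


@dataclass
class TgsRep:
    """Constructed, simplified view of a decrypted TGS-REP."""
    sname: tuple                  # server name components, e.g. ("krbtgt", "AD.EXAMPLE")
    srealm: str                   # realm that issued the returned ticket
    enc_padata: dict = field(default_factory=dict)  # padata-type -> value, encrypted part


def is_tgt_for(sname, realm):
    """True if sname is krbtgt/<realm>, i.e. a TGT usable in that realm."""
    return len(sname) == 2 and sname[0] == "krbtgt" and sname[1] == realm


def classify_reply(requested_sname, client_realm, rep, hops=0):
    """Return (action, detail): what a canonicalizing client should do next."""
    if hops >= MAX_REFERRAL_HOPS:
        return ("fail", "referral hop limit reached")
    if rep.sname == requested_sname:
        return ("done", rep.srealm)                      # got the ticket we asked for
    if is_tgt_for(rep.sname, rep.srealm) and rep.srealm != client_realm:
        return ("follow_referral", rep.srealm)           # cross-realm TGT: ask that realm
    if is_tgt_for(rep.sname, client_realm):
        referred = rep.enc_padata.get(PA_SVR_REFERRAL_DATA)
        if referred:                                     # appendix-A style server rename
            return ("rename_and_retry", referred)
        return ("fallback_non_referral", rep.sname)      # same-realm TGT: 1.6-1.8 workaround
    return ("fallback_non_referral", rep.sname)          # other non-TGT name: #4955 case


# Constructed replies covering the cases discussed in the thread.
WANT = ("host", "fileserver.ad.example")
SAME_REALM_TGT_WITH_REFERRAL = TgsRep(("krbtgt", "AD.EXAMPLE"), "AD.EXAMPLE",
                                      {PA_SVR_REFERRAL_DATA: ("cifs", "fileserver.ad.example")})
SAME_REALM_TGT_PLAIN = TgsRep(("krbtgt", "AD.EXAMPLE"), "AD.EXAMPLE")
CROSS_REALM_TGT = TgsRep(("krbtgt", "OTHER.EXAMPLE"), "AD.EXAMPLE")
OTHER_SERVICE = TgsRep(("cifs", "fileserver.ad.example"), "AD.EXAMPLE")

if __name__ == "__main__":
    for rep in (SAME_REALM_TGT_WITH_REFERRAL, SAME_REALM_TGT_PLAIN, CROSS_REALM_TGT, OTHER_SERVICE):
        print(rep.sname, "->", classify_reply(WANT, "AD.EXAMPLE", rep))
```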
