On Mon 14/11/11 17:30 , Greg Hudson [email protected] sent:
> On 11/14/2011 11:49 AM, Greg Hudson wrote:
> > I would expect 1.6.1 to send the TGS request with the canonicalize bit
> > set. Can you look at the packet trace for 1.6.1 (or post results if
> > you've already looked at it)? Perhaps there's a difference there which
> > will explain the different outcome.
>
> Nevermind, I think I know why 1.6.1 succeeds and 1.9 fails. 1.6 through
> 1.8 have a workaround for this specific AD behavior (fall back to a
> non-referral request if you get back a TGT to the same realm), and 1.9
> only has a workaround for a related but different behavior (fall back if
> you get a non-TGT service name other than the requested service)
> described in the same ticket (#4955).
>
> I am guessing that this version of AD is implementing the behavior
> described in appendix A of the referrals draft. It wants to change the
> client-visible server name, and the way it does so is by returning a TGT
> to the same realm with a PA-SVR-REFERRAL-DATA entry in the encrypted
> padata.
>
> This should be easy enough to fix, since I have a test case in a local
> AD realm. If you are in a position to test a patch, I can furnish one;
> otherwise it should hit a 1.9 patch release at some point.

Yes please Greg, happy to test a patch.

Thanks,
Mark.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
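
The two fallbacks described in the quoted message, as an added sketch that is not MIT krb5 code and not part of the thread. The names `get_ticket`, `kdc_fn` and `same_realm_kdc` are hypothetical, a KDC reply is reduced to the server name in the returned ticket, and the way the client fails without the same-realm fallback is an assumption of this model.

```c
#include <string.h>

#define MAX_HOPS 5

/* Constructed model: a KDC reply is reduced to the server name in the ticket. */
typedef const char *(*kdc_fn)(const char *realm, const char *svc, int canon);

/* If name is krbtgt/REALM, point *realm at REALM and return 1. */
static int tgt_realm(const char *name, const char **realm)
{
    if (strncmp(name, "krbtgt/", 7) != 0)
        return 0;
    *realm = name + 7;
    return 1;
}

/* Returns 0 once a ticket for svc is obtained, -1 otherwise.
 * same_realm_fallback = 1 models the 1.6-1.8 workaround from the message. */
int get_ticket(kdc_fn kdc, const char *realm, const char *svc,
               int same_realm_fallback)
{
    for (int hop = 0; hop < MAX_HOPS; hop++) {
        const char *got = kdc(realm, svc, 1);   /* canonicalize bit set */
        const char *next;
        if (strcmp(got, svc) == 0)
            return 0;
        if (tgt_realm(got, &next)) {
            if (strcmp(next, realm) != 0) {     /* ordinary referral */
                realm = next;
                continue;
            }
            if (!same_realm_fallback)           /* assumed: seen as a loop */
                return -1;
        }
        /* Same-realm TGT, or a non-TGT name other than the one requested:
         * fall back to a non-referral request. */
        return strcmp(kdc(realm, svc, 0), svc) == 0 ? 0 : -1;
    }
    return -1;
}

/* Constructed KDC: answers canonicalize requests with a TGT to its own realm. */
const char *same_realm_kdc(const char *realm, const char *svc, int canon)
{
    (void)realm;
    return canon ? "krbtgt/AD.EXAMPLE" : svc;
}
```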
