[16707] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

[krbdev.mit.edu #8982] Unable to renew ticket after CVE-2020-17049

daemon@ATHENA.MIT.EDU (Morten Minde Neergaard via RT)
Mon Feb 1 22:58:25 2021

From: "Morten Minde Neergaard via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: <20210201230539.GC2292@8d.no>
Message-ID: <rt-4.4.4-36422-1612238296-1893.8982-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8982":;
Date: Mon, 01 Feb 2021 22:58:17 -0500
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Mon Feb 01 22:58:16 2021: Request 8982 was acted upon.
 Transaction: Ticket created by m-krb@8d.no
       Queue: krb5
     Subject: Unable to renew ticket after CVE-2020-17049
       Owner: Nobody
  Requestors: m-krb@8d.no
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8982 >


Hi,

after Microsoft released their fix to CVE-2020-17049 a while back, I
can't renew my tickets made against upgraded Windows servers.

The details have apparently been reported to the kerberos mailing list
earlier[0] but I'll show the symptoms:

    $ kinit
    Password for username@DOMAIN: 
    $ klist -f
    Ticket cache: FILE:/tmp/krb5cc_1116501893
    Default principal: username@DOMAIN

    Valid starting       Expires              Service principal
    2021-02-01 23:57:41  2021-02-02 09:57:41  krbtgt/DOMAIN@DOMAIN
            renew until 2021-02-02 23:57:37, Flags: RIA
    $ kinit -R
    kinit: KDC can't fulfill requested option while renewing credentials

If you need any further information, I can try to reproduce and help as
I can (although James Ralston, the author of the aforementioned email,
appears to know more about what he's talking about...)


[0]: https://mailman.mit.edu/pipermail/kerberos/2020-November/022582.html

-- 
Morten Minde Neergaard

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
home help back first fref pref prev next nref lref last post