[16972] in Kerberos-V5-bugs


[krbdev.mit.edu #9136] S4U2Proxy API error

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Sun Sep 8 11:10:29 2024

From: "Greg Hudson via RT" <rt@kerborg-prod-app-1.mit.edu>
In-Reply-To: <SJ0PR10MB5744F37321D9413EF852534A828F2@SJ0PR10MB5744.namprd10.prod.outlook.com>
Message-ID: <rt-4.4.3-2-2468298-1725808222-1776.9136-5-0@kerborg-prod-app-1.mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9136":;
Date: Sun, 08 Sep 2024 11:10:22 -0400
MIME-Version: 1.0
Reply-To: rt@kerborg-prod-app-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


<URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9136 >

The S4U2Proxy code has been tested against Active Directory and the MIT krb5
KDC.  Typically S4U2Proxy operations are initiated via the GSSAPI, however;
see https://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html#constrained-delegation-s4u
and the test program t_s4u.c.

The protocol error code corresponding to "KDC can't fulfill requested option"
can have a variety of causes.  One that immediately comes to mind is using a
non-forwardable evidence ticket, but there are many others.  It's possible
that KDC logs could provide more information, but I am not very familiar with
Active Directory's logging.

As a note, MIT krb5 is an open source project and does not have an SLA with
any other organization.  We cannot guarantee any specific response time for
bug reports or promise that they will be resolved.

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
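
An added diagnostic, not part of the original message or of MIT krb5: it parses `klist -f` output and lists tickets that lack the forwardable (F) flag, the cause of "KDC can't fulfill requested option" named in the reply above. The sample output, principals and cache path are constructed, and the line layout assumed is the one MIT krb5's klist prints.

```python
import re

# Constructed sample of `klist -f` output; principals, times and the
# cache path are made up for illustration.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_example
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
09/08/2024 10:00:00  09/08/2024 20:00:00  HTTP/web.example.com@EXAMPLE.COM
\tFlags: FA
09/08/2024 10:05:00  09/08/2024 20:00:00  HTTP/app.example.com@EXAMPLE.COM
\trenew until 09/15/2024 10:05:00, Flags: RA
"""

# A ticket entry line: start date, start time, end date, end time, principal.
ENTRY = re.compile(r"^\d\S*\s+\S+\s+\d\S*\s+\S+\s+(\S+)\s*$")
# The flag letters follow "Flags:" on the indented continuation line.
FLAGS = re.compile(r"Flags:\s*(\w+)")


def parse_klist_flags(text):
    """Return {service principal: set of flag letters} from `klist -f` text.

    If a principal is listed more than once, the last entry wins.
    """
    tickets, current = {}, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = m.group(1)
            tickets[current] = set()
            continue
        m = FLAGS.search(line)
        if m and current is not None:
            tickets[current] |= set(m.group(1))
    return tickets


def non_forwardable(text):
    """Service principals whose ticket lacks the forwardable (F) flag."""
    flags = parse_klist_flags(text)
    return sorted(p for p, letters in flags.items() if "F" not in letters)


if __name__ == "__main__":
    for principal in non_forwardable(SAMPLE):
        print(f"{principal}: not forwardable, unusable as S4U2Proxy evidence")
```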
