[3499] in Kerberos-V5-bugs


[krbdev.mit.edu #1204] Unable to get a TGT cross-realm referral

daemon@ATHENA.MIT.EDU (Ken Hornstein via RT)
Wed Oct 2 10:06:11 2002

Message-Id: <rt-1204-3103.10.5412990245435@krbdev.mit.edu>
In-Reply-To: <rt-1204@krbdev.mit.edu>
From: "Ken Hornstein via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
To: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Wed, 2 Oct 2002 10:05:33 -0400 (EDT)


When requesting a TGT for cross-realm, a KDC is permitted to return a
TGT for other than the requested realm (see RFC 1510 section 3.3.1).
But if this actually happens, the library code will fail with
KRB5_KDCREP_MODIFIED.

This is due to the code at the end of krb5_get_cred_via_tkt() (which is
called by krb5_get_credentials() to get the cross-realm TGT) which
verifies that none of the fields in the response from the KDC has
changed.  Obviously, in the referral case, the TGS service name has
changed, and it triggers this code.

I'm not sure if the right answer is that this check should be removed,
or the API should be changed to not check to see if the service
principal has been changed in the TGS case.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs
