I’m seeing some “Cannot find ticket for
requested realm” errors when using kvno with S4U2Proxy. I
tracked it down and the ultimate cause is that when
krb5_server_decrypt_ticket_keytab() decrypts the encrypted part of the
impersonated ticket, it tries every keytab entry it finds with the right key
type and uses the first one that works. It doesn't match the principal
or the key version. The problem occurs when
krb5_server_decrypt_ticket_keytab() replaces the server principal in the ticket
with the one in the keytab entry. Since I'm using Active Directory for
the KDC and have the account set up as a computer account, I have several
variations on the principal name stored as separate keytab entries and the
right one may not be the first keytab entry that can decrypt the ticket.
The result is that when kvno tries to use the impersonated credentials to get
credentials for a service and krb5_get_credentials_for_proxy() looks for the
proxy's TGT, it's looking for a TGT with the wrong principal name and
ultimately returns KRB5_NO_TKT_IN_RLM. I’m not sure what the right
way to fix this is. Is there a reason why
krb5_server_decrypt_ticket_keytab() doesn't match the principal name? Why
does krb5_server_decrypt_ticket_keytab() replace the ticket's server principal?
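To make the failure mode described above concrete, here is a small Python model (added here; it is not MIT krb5 code and does not call libkrb5) of a keytab in which an Active Directory computer account has several principal-name variants sharing one key. It contrasts a "first key that works" selection, which replaces the ticket's server name with whichever entry happened to decrypt it, against a selection that also matches principal and kvno, and then shows how the wrong name makes the subsequent TGT lookup fail. The toy cipher, the principal names, the key and the ccache contents are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ENCTYPE_AES256 = 18  # real Kerberos enctype number for aes256-cts-hmac-sha1-96


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes


@dataclass(frozen=True)
class Ticket:
    sname: str        # server principal as the KDC wrote it into the ticket
    kvno: int
    enctype: int
    ciphertext: bytes
    tag: bytes


# --- toy authenticated cipher standing in for the Kerberos enctype (constructed) ---
def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key does not verify the tag."""
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


# --- the two selection strategies ---
def decrypt_first_key_that_works(ticket: Ticket, keytab: List[KeytabEntry]):
    """Model of the behaviour described in the post: any entry with the right
    enctype is tried, and the server name becomes that entry's principal."""
    for entry in keytab:
        if entry.enctype != ticket.enctype:
            continue
        pt = toy_decrypt(entry.key, ticket.ciphertext, ticket.tag)
        if pt is not None:
            return entry.principal, pt
    return None


def decrypt_matching_entry(ticket: Ticket, keytab: List[KeytabEntry]):
    """Only try entries whose principal and kvno match the ticket."""
    for entry in keytab:
        if (entry.enctype, entry.kvno, entry.principal) != (ticket.enctype, ticket.kvno, ticket.sname):
            continue
        pt = toy_decrypt(entry.key, ticket.ciphertext, ticket.tag)
        if pt is not None:
            return entry.principal, pt
    return None


def lookup_proxy_tgt(ccache: Dict[str, str], server_principal: str) -> Optional[str]:
    """Model of looking up the proxy's own TGT by principal name; None stands
    for the KRB5_NO_TKT_IN_RLM outcome."""
    return ccache.get(server_principal)


def build_scenario():
    # One computer-account password, hence one key, under several names (constructed).
    shared_key = hashlib.sha256(b"constructed computer-account key").digest()
    keytab = [
        KeytabEntry("host/proxy.example.com@EXAMPLE.COM", 3, ENCTYPE_AES256, shared_key),
        KeytabEntry("PROXY$@EXAMPLE.COM", 3, ENCTYPE_AES256, shared_key),
        KeytabEntry("HTTP/proxy.example.com@EXAMPLE.COM", 3, ENCTYPE_AES256, shared_key),
    ]
    sname = "HTTP/proxy.example.com@EXAMPLE.COM"
    ct, tag = toy_encrypt(shared_key, b"client=alice@EXAMPLE.COM")
    ticket = Ticket(sname, 3, ENCTYPE_AES256, ct, tag)
    ccache = {sname: "krbtgt/EXAMPLE.COM@EXAMPLE.COM (TGT for " + sname + ")"}
    return ticket, keytab, ccache


if __name__ == "__main__":
    ticket, keytab, ccache = build_scenario()
    for name, strategy in (("first key that works", decrypt_first_key_that_works),
                           ("principal+kvno match", decrypt_matching_entry)):
        principal, _ = strategy(ticket, keytab)
        tgt = lookup_proxy_tgt(ccache, principal)
        print(f"{name}: server name -> {principal}; TGT lookup -> {tgt or 'KRB5_NO_TKT_IN_RLM'}")
```

Because every variant carries the same key, the first entry with a matching enctype always decrypts, so the naive strategy renames the server to host/proxy.example.com and the ccache lookup for that name comes back empty; matching on principal and kvno first keeps the name the KDC put in the ticket.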