I'm using kvno to get some tickets using protocol transition (S4U2Self) with a Win2k3 KDC.

Essentially I am running the following 3 shell commands:

    kdestroy
    kinit -k -t my_keytab delegate_user
    kvno -k my_keytab -U fakeuser -P delegate_user cifs/2008FileServer

The idea being to get a service ticket for cifs for user "fakeuser".

Version 1.9.3 works fine. (Compiled from MIT source on ubuntu)

output is:

    delegate_user@TEST.MYDOMAIN.COM: kvno = 2, keytab entry valid
    cifs/2008FileServer@TEST.MYDOMAIN.COM: kvno = 2, keytab entry valid

Version 1.10.1 does not (Again, compiled from MIT source)

output is:

    kvno: Generic preauthentication failure while getting credentials for delegate_user@TEST.MYDOMAIN.COM
    kvno: Generic preauthentication failure while getting credentials for cifs/2008FileServer@TEST.MYDOMAIN.COM

Reason being: some error code returns have changed in the krb5 lib and the s4u code no longer does what it is supposed to, as it can't properly handle KRB5_PREAUTH_FAILED.

The difference in packet flow is: for 1.9.3 you see AS-REQ, then AS-REP with preauth required, but it then goes and does a TGS REQ S4U style as required. For 1.10.1 you just see two AS-REQ/AS-REP asking for preauth, then it just fails.

The fix below works for me, is there a better way or should it be fixed elsewhere?

diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index e4cc8a1..dd2c7d0 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -120,7 +120,8 @@ s4u_identify_user(krb5_context context,
                                  &use_master, NULL);
     if (code == 0 ||
         code == KDC_ERR_PREAUTH_REQUIRED ||
-        code == KDC_ERR_PREAUTH_FAILED) {
+        code == KDC_ERR_PREAUTH_FAILED ||
+        code == KRB5_PREAUTH_FAILED) {
         *canon_user = userid.user;
         userid.user = NULL;
         code = 0;
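Review bot: the added `code == KRB5_PREAUTH_FAILED) {` line puts a library-local error code on the same footing as the KDC protocol errors KDC_ERR_PREAUTH_REQUIRED and KDC_ERR_PREAUTH_FAILED, and because the block then does `*canon_user = userid.user;` and `code = 0;`, any local preauthentication failure, not only the one the post describes (the 1.10.1 library surfacing KRB5_PREAUTH_FAILED where 1.9.3 surfaced the KDC's error), will from now on be reported as a successful identification of the user. Before widening the condition this way, locate where the 1.10 library maps the KDC's PREAUTH_FAILED reply to KRB5_PREAUTH_FAILED and check whether preserving the KDC error code at that point is the narrower fix, since that is the change the post identifies as the cause. If the widened check is kept, add a comment above the `if` stating that a preauth-required or preauth-failed reply is deliberately accepted here as evidence that the principal exists, because nothing in the hunk explains why a failed AS exchange is treated as success.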