Thanks for the bug report, and apologies for not having time to look
into this last week.
It looks like ksu's behavior changed in release 1.13 as a result of
this pull request:
https://github.com/krb5/krb5/pull/170
although it may have been partially broken since referrals support
was introduced in release 1.6. Pull request 170 was motivated by a
bug caused by the referrals changes. At that time, we didn't realize
that the fix we arrived at (simplifying the ksu code) created a
mismatch with the documented behavior.
I can see several possible remedies here:
1. Change the documentation to match the code (talk only about using
a cached TGT).
2. Restore the documented behavior, but only make it work if the
canonicalized local hostname matches the host principal in the ccache
service ticket and the system keytab.
3. Restore the documented behavior, and make it work for any host
principal in the system keytab.
The serverfault post contains a lot of detail about the test case,
but doesn't explain why the documented behavior is important in this
use case. Is there a reason why it's not sufficient for ksu to look
for a TGT in the ccache and make a TGS request to verify it?