X-RT-Incoming-Encryption: Not encrypted X-MS-Exchange-Crosstenant-Originalarrivaltime: 01 Feb 2021 23:05:42.4406 (UTC) Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8NwU9XN5XTQopTUbnoywPtA3LBJWkknH6/pcLXSfINs=; b=BatHIWTUgkYGAtddASNEwsIeBsSgBksE2kSZsaWDkO75Cx2OWNa7VGM+tbjzBq9pk943v4+SEQivIbcnEbpFtFYJfG0UFOwwdv6Sld/tHWNbS1jAXoyAPcSnj/O4KzmQEoX0yhOyLuw+oacOpkfFC6xLb4p1gZIUAu17qsCkHYl9SlQJQ4H+IcJsOcFMoR9n5/wEzSC6V+TvEEpka6rK9BCljxTF+2G12xwiWqVyFylXhu8MtiZ3UdHAaYulEuE6uITRCXtK3jmFCluGZWKo70RkwnBu7/VLW7kDLe4KTlAB4Hwffe6/42yCophDr2TF6qRBe7fIKBH2O4XcsIjyfw== Sender: krb5-bugs-incoming-bounces@PCH.mit.edu X-MS-Publictraffictype: Email From krb5-bugs-incoming-bounces@PCH.mit.edu Mon Feb 1 22:58:16 2021 X-Mailman-Approved-At: Mon, 01 Feb 2021 22:58:14 -0500 Precedence: list X-MS-Exchange-Crosstenant-Authas: Anonymous Return-Path: Subject: Unable to renew ticket after CVE-2020-17049 X-Eopattributedmessage: 0 X-MS-Exchange-Crosstenant-Authsource: BN8NAM11FT045.eop-nam11.prod.protection.outlook.com X-Microsoft-Antispam: BCL:0; X-Sa-Exim-Mail-From: m-krb@8d.no Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu X-Eoptenantattributedmessage: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0 Content-Disposition: inline X-MS-Office365-Filtering-Correlation-ID: fd42d53a-dcac-4ff3-b389-08d8c705e63c Received: from PCH.mit.edu (PCH.MIT.EDU [18.7.21.50]) by krbdev.mit.edu (Postfix) with ESMTPS id E9E7F40292; Mon, 1 Feb 2021 22:58:15 -0500 (EST) Received: from PCH.MIT.EDU (localhost.localdomain [127.0.0.1]) by PCH.mit.edu (8.14.7/8.12.8) with ESMTP id 1123wFxX006440; Mon, 1 Feb 2021 22:58:15 -0500 Received: from outgoing-exchange-7.mit.edu (OUTGOING-EXCHANGE-7.MIT.EDU [18.9.28.58]) by PCH.mit.edu (8.14.7/8.12.8) with ESMTP id 111N5w4w011335 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for ; Mon, 1 Feb 2021 18:05:59 -0500 Received: from oc11exedge2.exchange.mit.edu (OC11EXEDGE2.EXCHANGE.MIT.EDU [18.9.3.18]) by outgoing-exchange-7.mit.edu (8.14.7/8.12.4) with ESMTP id 111N5r8n020500 for ; Mon, 1 Feb 2021 18:05:58 -0500 Received: from oc11expo20.exchange.mit.edu (18.9.4.51) by oc11exedge2.exchange.mit.edu (18.9.3.18) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Mon, 1 Feb 2021 18:05:28 -0500 Received: from oc11exhyb7.exchange.mit.edu (18.9.1.112) by oc11expo20.exchange.mit.edu (18.9.4.51) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Mon, 1 Feb 2021 18:05:45 -0500 Received: from NAM12-MW2-obe.outbound.protection.outlook.com (104.47.66.42) by oc11exhyb7.exchange.mit.edu (18.9.1.112) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Mon, 1 Feb 2021 18:05:44 -0500 Received: from BN0PR02CA0029.namprd02.prod.outlook.com (2603:10b6:408:e4::34) by BN6PR01MB2402.prod.exchangelabs.com (2603:10b6:404:53::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3805.17; Mon, 1 Feb 2021 23:05:42 +0000 Received: from BN8NAM11FT045.eop-nam11.prod.protection.outlook.com (2603:10b6:408:e4:cafe::15) by BN0PR02CA0029.outlook.office365.com (2603:10b6:408:e4::34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3805.16 via Frontend Transport; Mon, 1 Feb 2021 23:05:42 +0000 Received: from cassarossa.samfundet.no (193.35.52.29) by BN8NAM11FT045.mail.protection.outlook.com (10.13.177.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3784.12 via Frontend Transport; Mon, 1 Feb 2021 23:05:42 +0000 Received: from akuma.no ([2001:67c:29f4::56]) by cassarossa.samfundet.no with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1l6iGJ-0003wv-I9 for krb5-bugs@mit.edu; Tue, 02 Feb 2021 00:05:40 +0100 Received: from xim by akuma.no with local (Exim 4.92) (envelope-from ) id 1l6iGJ-0008Jc-Al for krb5-bugs@mit.edu; Tue, 02 Feb 2021 00:05:39 +0100 X-MS-Traffictypediagnostic: BN6PR01MB2402: X-LD-Processed: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr X-MS-Exchange-Transport-Crosstenantheadersstamped: BN6PR01MB2402 X-MS-Exchange-Transport-Forked: True To: krb5-bugs@mit.edu Arc-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none X-Sa-Exim-Scanned: No (on akuma.no); SAEximRunCond expanded to false X-MS-Exchange-Atpmessageproperties: SA X-MS-Exchange-Crosstenant-Fromentityheader: Internet From: "Morten Minde Neergaard" X-Sa-Exim-Connect-Ip: Authentication-Results: spf=none (sender IP is 193.35.52.29) smtp.mailfrom=8d.no; mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=8d.no; Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8NwU9XN5XTQopTUbnoywPtA3LBJWkknH6/pcLXSfINs=; b=c/84jD2ZeVfwg/PKpgnsrrnBXqWsN+CvYWSxyplGwhIynmwREkqEtMHqeCViSwMbnQxESqp8QfTKkugBh/8Pt8DI4Zpfbmy4f272xjHIVL/F8PrLFzAqvZv8/kkB8awIHvvTjrKFBRjyxeiBQeE8xpoTsEKrbUHPqxW7jl2WZcY= X-Mailman-Version: 2.1.6 X-Microsoft-Antispam-PRVS: content-type: text/plain; charset="utf-8" X-MS-Exchange-Crosstenant-Network-Message-ID: fd42d53a-dcac-4ff3-b389-08d8c705e63c X-MS-Exchange-Crosstenant-ID: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b X-Auto-Response-Suppress: DR, OOF, AutoReply MIME-Version: 1.0 Date: Tue, 2 Feb 2021 00:05:39 +0100 Arc-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cdcWtADvKaB1r3u4xY1IGrTYQY4eVA6xDKrv4v8WSuUahq6lmk/CatGOCXjksogeprpeIJjSLqVC/jSFNx3v9wer2lUhtz3TZJ1sxAGzmZbby9M1A0X9DqVowEpv+mo93RzlqYZpKcIDnzQCuwMXjcaoSFZd1oVLG3xjNX4oyjt40NIRUvJmFeVma0GZ0XakZnbJMYb2ec37u66wUOnj5dBHNW027mlq29jpaHfmGfq2Mp02x8/KSFBN2NszZ7lOrLvALyHDd7wMC049OEe/iYdRdhO7sPqR/uIGfHX+6eEnN3V/zSXDWvT2bwx6wF9IWgmilDlBeHkjnVQlPVqw0w== Received-SPF: None (protection.outlook.com: 8d.no does not designate permitted sender hosts) X-Forefront-Antispam-Report: CIP:193.35.52.29; CTRY:NO; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:cassarossa.samfundet.no; PTR:cassarossa.samfundet.no; CAT:NONE; SFS:(4636009)(346002)(136003)(396003)(39860400002)(376002)(4744005)(9746002)(1076003)(336012)(2616005)(70586007)(68406010)(9786002)(966005)(8676002)(26005)(498600001)(356005)(316002)(786003)(45080400002)(2906002)(83380400001)(7596003)(7636003)(34206002)(33656002)(5660300002)(86362001)(36756003)(2160300002); DIR:OUT; SFP:1022; X-MS-Oob-TLC-Oobclassifiers: OLM:7691; Message-ID: <20210201230539.GC2292@8d.no> X-Beenthere: krb5-bugs-incoming@mailman.mit.edu X-MS-Exchange-Senderadcheck: 2 X-Microsoft-Antispam-Message-Info: jVTK+dUpN8R9YFT13Sz8vv08s1TQ62NbqBQMpfcW0FQklTeNatou/Vchy85Pjk/rSTvtBUnE/TkhvBlZ07RCbZt+2g+6B0+hGpOxFmfWFTeC1fDD7E8wELofCswsUjXEiuhbhPB9PUS47jY4sJwlxT3sY3KS0JwNY9CaP/m4tYxip3AEWjFXLS6nrhaH3edmq613LR7PgEaUk63dc1bqb0zAYcEl9VV11ZXYoPnA3/mrXhnWIIfdBTIVNq8cJ3ai9j3Mt0ddVQ87BIqg2DtxSZI04xkthFpk2cxmdD6E86UifXqpZdKGZG33Kr8NsusjAGKY45K2u6BC0UMbjgAnre13Hv49E6Pt6xgOOJlAW+EGDML16vqfoJUjFvw5fkqPrdGJIDfEX4N6Qj6pBhC73L4yWwD1fvr94sDnb/JUT7SOsKzrhlJNkxoOhZOxCQC/e3MXnHZ+7Zk/a2xI6ju/RXmrC0+323AH4tFWhCVvI6/Bi30jxnq9uu9+T6vs2H7pEj4s0vAb6CGEmdrhB40cIq6SEhUt+pvMxRpcUEku2AHshtyv3oNgTYyCzdIJP2W0HwtLgQNvgUw+Hew6gxPLSqFpBqMBuV6WByS7yAcn8Ptw4w1YN/QcvC9lc9Tk8jWJb+dwab0ba1ksbIKczcLZbQ== X-Originatororg: mitprod.onmicrosoft.com User-Agent: Mutt/1.10.1 (2018-07-13) X-RT-Original-Encoding: utf-8 X-RT-Interface: Email Content-Length: 974 Hi, after Microsoft released their fix to CVE-2020-17049 a while back, I can't renew my tickets made against upgraded Windows servers. The details have apparently been reported to the kerberos mailing list earlier[0] but I'll show the symptoms: $ kinit Password for username@DOMAIN: $ klist -f Ticket cache: FILE:/tmp/krb5cc_1116501893 Default principal: username@DOMAIN Valid starting Expires Service principal 2021-02-01 23:57:41 2021-02-02 09:57:41 krbtgt/DOMAIN@DOMAIN renew until 2021-02-02 23:57:37, Flags: RIA $ kinit -R kinit: KDC can't fulfill requested option while renewing credentials If you need any further information, I can try to reproduce and help as I can (although James Ralston, the author of the aforementioned email, appears to know more about what he's talking about...) [0]: https://mailman.mit.edu/pipermail/kerberos/2020-November/022582.html -- Morten Minde Neergaard