Subject: | Unable to get a TGT cross-realm referral |
When requesting a TGT for cross-realm, a KDC is permitted to return a
TGT for other than the reqeusted realm (see RFC 1510 section 3.3.1).
But if this actually happens, the library code will fail with
KRB5_KDCREP_MODIFIED.
This is due to the code at the end of krb5_get_cred_via_tkt() (which is
called is by krb5_get_credentials() to get the cross-realm TGT) which
verifies that none of the fields in the response from the KDC has
changes. Obviously, the referral case, the TGS service name has
changed, and it triggers this code.
I'm not sure if the right answer is that this check should be removed,
or the API should be changed to not check to see if the service
principal has been changed in the TGS case.
TGT for other than the reqeusted realm (see RFC 1510 section 3.3.1).
But if this actually happens, the library code will fail with
KRB5_KDCREP_MODIFIED.
This is due to the code at the end of krb5_get_cred_via_tkt() (which is
called is by krb5_get_credentials() to get the cross-realm TGT) which
verifies that none of the fields in the response from the KDC has
changes. Obviously, the referral case, the TGS service name has
changed, and it triggers this code.
I'm not sure if the right answer is that this check should be removed,
or the API should be changed to not check to see if the service
principal has been changed in the TGS case.