Subject: S4U2Proxy and kvno error
Date: Mon, 1 Mar 2010 15:55:06 -0500
From: "Arlene Berry" <aberry@likewise.com>
To: <krb5-bugs@mit.edu>
I’m seeing some “Cannot find ticket for requested realm” errors when using kvno with S4U2Proxy. I tracked it down and the ultimate cause is that when krb5_server_decrypt_ticket_keytab() decrypts the encrypted part of the impersonated ticket it tries every keytab entry it finds with the right key type and the first one that works it uses. It doesn't match the principal or the key version. The problem occurs when krb5_server_decrypt_ticket_keytab() replaces the server principal in the ticket with the one in the keytab entry. Since I'm using Active Directory for the KDC and have the account set up as a computer account, I have several variations on the principal name stored as separate keytab entries and the right one may not be the first keytab entry that can decrypt the ticket. The result is that when kvno tries to use the impersonated credentials to get credentials for a service and krb5_get_credentials_for_proxy() looks for the proxy's TGT, it's looking for a TGT with the wrong principal name and ultimately returns KRB5_NO_TKT_IN_RLM. I’m not sure what the right way to fix this is. Is there a reason why krb5_server_decrypt_ticket_keytab() doesn't match the principal name? Why does krb5_server_decrypt_ticket_keytab() replace the ticket's server principal?
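A model of the keytab-entry selection described in the mail, added here as an example; it is not MIT krb5 code, and the keytab entries, key, principal names and ccache contents are constructed. It contrasts the first-entry-that-decrypts selection with a principal-and-kvno match and shows what each does to the subsequent proxy-TGT lookup.

```python
# Added model, not MIT krb5 code: "decryption" is a keyed MAC check so it runs offline.
from dataclasses import dataclass
import hashlib, hmac

KRB5_NO_TKT_IN_RLM = "KRB5_NO_TKT_IN_RLM"  # error code named in the mail

@dataclass(frozen=True)
class KeytabEntry:
    principal: str; kvno: int; enctype: int; key: bytes

@dataclass
class Ticket:
    sname: str; kvno: int; enctype: int; enc_part: bytes  # enc_part is a constructed MAC

def seal(key, sname):
    return hmac.new(key, sname.encode(), hashlib.sha256).digest()

def entry_decrypts(e, tkt):
    return e.enctype == tkt.enctype and hmac.compare_digest(seal(e.key, tkt.sname), tkt.enc_part)

def decrypt_first_match(keytab, tkt):
    """As reported: the first entry of the right enctype that decrypts wins and its
    principal overwrites the ticket's sname; principal and kvno are not checked."""
    for e in keytab:
        if entry_decrypts(e, tkt):
            tkt.sname = e.principal
            return tkt
    raise KeyError("no keytab entry decrypts the ticket")

def decrypt_by_name_and_kvno(keytab, tkt):
    """Selection the mail asks about: try entries whose principal and kvno match
    the ticket first, so sname is only replaced by an equal name."""
    exact = [e for e in keytab if e.principal == tkt.sname and e.kvno == tkt.kvno]
    for e in exact or keytab:
        if entry_decrypts(e, tkt):
            tkt.sname = e.principal
            return tkt
    raise KeyError("no keytab entry decrypts the ticket")

def find_proxy_tgt(ccache, sname):
    """Models the TGT lookup in krb5_get_credentials_for_proxy(): keyed by principal name."""
    return ccache.get(sname, KRB5_NO_TKT_IN_RLM)

# Constructed data: one AD computer account, three name variants, one shared key.
KEY = b"computer-account-key"
KEYTAB = [KeytabEntry("host/ws1.example.com@EXAMPLE.COM", 3, 18, KEY),
          KeytabEntry("HOST/WS1@EXAMPLE.COM", 3, 18, KEY),
          KeytabEntry("WS1$@EXAMPLE.COM", 3, 18, KEY)]
CCACHE = {"WS1$@EXAMPLE.COM": "proxy TGT for WS1$"}

def proxy_tgt_after(decrypt):
    """Decrypt the impersonated ticket for WS1$, then look up the proxy TGT by its sname."""
    tkt = Ticket("WS1$@EXAMPLE.COM", 3, 18, seal(KEY, "WS1$@EXAMPLE.COM"))
    return find_proxy_tgt(CCACHE, decrypt(KEYTAB, tkt).sname)
```

With the shared key, all three entries decrypt the ticket, so the first-match path renames the server principal to the host/ form and the TGT lookup fails, while the name-and-kvno path leaves it as WS1$ and finds the TGT.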