Skip Menu |

Subject: SVN Commit

When requesting a cross-realm TGT, use the KDC instance of the current
TGT (the second data component), not the realm which the TGT came
Commit By: ghudson
Revision: 25121
Changed Files:
U trunk/src/lib/krb5/krb/get_creds.c
Subject: SVN Commit

pull up r25121 from trunk

r25121 | ghudson | 2011-09-01 12:21:25 -0400 (Thu, 01 Sep 2011) | 9 lines

ticket: 6952
subject: Fix cross-realm traversal TGT requests
target_version: 1.9.2
tags: pullup

When requesting a cross-realm TGT, use the KDC instance of the current
TGT (the second data component), not the realm which the TGT came
Commit By: tlyu
Revision: 25380
Changed Files:
U branches/krb5-1-9/src/lib/krb5/krb/get_creds.c
Date: Thu, 14 Jun 2012 16:00:34 -0400
Subject: multi-hop cross-realm w/o capaths sends request to wrong kdc
From: Chaskiel Grundman <>
Download (untitled) / with headers
text/plain 2.6KiB
I have an environment with two AD domains (in one forest) and a
kerberos realm, recently upgraded to a recent heimdal. As part of that
migration, the trust between AD and the kerberos realm was redone.
Previously, both the root domain and the domain that all the
users/resources are in had trusts, but now only the root AD domain has
a trust. The heimdal kdcs have [capaths] configured and properly give
out realm referrals. The AD servers do not.

Lets call the kerberos realm KERBEROS.EXAMPLE.COM, and the AD domains
AD.EXAMPLE.COM and REALDOMAIN.AD.EXAMPLE.COM. These names _do_ reflect
the domain hierarchy relationship correctly. I only changed the
individual labels.

After the change, mit krb5 1.9 (1.9.1ish on ubuntu 11.10), cannot get
tickets on behalf of user@REALDOMAIN.AD.EXAMPLE.COM for services in

% aklog -d
Note: Operation is performed on cell REALDOMAIN.AD.EXAMPLE.COM
Authenticating to cell (server
Trying to authenticate to user's realm REALDOMAIN.AD.EXAMPLE.COM.
Getting tickets: afs/
We've deduced that we need to authenticate to realm KERBEROS.EXAMPLE.COM.
Getting tickets: afs/
Getting tickets: afs/
Kerberos error code returned by get_cred : -1765328316


Setting KRB5_TRACE reveals the following:
[27580] 1339700735.363748: Requesting TGT
[27580] 1339700735.363759: Generated subkey for TGS request: rc4-hmac/AB6E
[27580] 1339700735.363772: etypes requested in TGS request:
aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, des-cbc-crc, des,
[27580] 1339700735.363839: Sending request (1737 bytes) to AD.EXAMPLE.COM
[27580] 1339700735.369349: Initiating TCP connection to stream
[27580] 1339700735.371149: Sending TCP request to stream
[27580] 1339700735.372676: Received answer from stream
[27580] 1339700735.374530: Response was not from master KDC
[27580] 1339700735.374547: TGS request result: -1765328316/Realm not
local to KDC

The library seems to be mixing up the realms, asking for an

If I add some capaths to the client's krb5.conf, the problem does not
occur, but I'd really rather not have to do that everywhere. an mit
krb5 1.6 client (RHEL5) works without the capaths.
I'm pretty sure this is a bug which was fixed in krb5 1.9.2 (see issue
#6952). You may be able to convince Ubuntu to backport the fix to their
package, or upgrade their package to 1.9.3, although with 12.04 out I
don't know how easy that will be. I apologize for the inconvenience; it
was a small typo on my part which broke a whole category of cross-realm
scenarios. We now have automated cross-realm tests which would catch a
bug like this.