[19957] in Kerberos_V5_Development
Re: Spurious tickets when using DNS realm configuration
daemon@ATHENA.MIT.EDU (david@crossfamilyweb.com)
Sun Jul 28 15:22:04 2019
MIME-Version: 1.0
Date: Sun, 28 Jul 2019 15:21:36 -0400
From: <david@crossfamilyweb.com>
To: Russ Allbery <eagle@eyrie.org>
In-Reply-To: <87ef2fmlaz.fsf@hope.eyrie.org>
Message-ID: <f4764b6384784614e89f07dc130338af@crossfamilyweb.com>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 2019-07-24 12:47, Russ Allbery wrote:
> Greg Hudson <ghudson@mit.edu> writes:
>> On 7/24/19 2:13 AM, David Cross wrote:
>
>>> Additionally on the kdc i see that it additionally requests the tgt
>>> again.
>
>> The TGT or the service ticket? Regardless, I don't have a good
>> explanation for that; I wouldn't expect there to be multiple TGS
>> requests in a simple referral scenario. Getting KRB5_TRACE output
>> might
>> help determine what's going on.
>
> Maybe David is seeing multiple AS_REQs from pre-auth? That usually
> gets
> logged as two requests, one without the challenge (which will result in
> "Additional pre-authentication required") and one with it.
Sorry to dissapear... and as I was typing my reply, I figured out what
was going on; I have it set to request forwardable tickets....so the
'second' TGT is the forwardable one; I just validated this by disabling
the forwardable ticket and I now see this in the logs instead of a new
TGT:
Jul 28 19:16:05 kerberos krb5kdc[####]: TGS_REQ (1 etypes {19})
10.1.7.155: TGT NOT FORWARDABLE: authtime 0, david@EXAMPLE.COM for
krbtgt/EXAMPLE.COM@EXAMPLE.COM, KDC can't fulfill requested option
So that's one mystery down.
(replying to the other thread separately)
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
