[SAMBA4] In Memory ccache doesn't work
Love Hörnquist Åstrand
lha at kth.se
Sun Dec 10 21:44:16 GMT 2006
> I just noticed that we always do the following before a
> krb5 authentification.
>
> AS-REQ without pre-auth krbtgt/REALM
> AS-REP error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
> AS-REQ with pre-auth krbtgt/REALM
> AS-REQ fine
The problem with sending a pre-auth is that is you guess wrong you
sometimes do not get back preauth-req but instead another error, and
that doesn't cause a retry.
> TGS-REQ for target principal
> TGS-REP fine
> TGS-REQ KDCOptions: 60000000 (Forwardable, Forwarded) for krbtgt/REALM
> TGS-REP error_code: KRB5KDC_ERR_BADOPTION (13)
I think the code tries to delegate, maybe it should check if the
ticket is forwardable
before trying. (or not try to delegate in the first place).
Love
More information about the samba-technical
mailing list