When the FreeIPA KDC generates an MS PAC, the KDC starts failing verification of tickets passed with s4u2proxy, as the wrong principals are extracted from the MS PAC and compared to the ticket's principal.
Mar 08 22:48:23 m17.ipa.local krb5kdc[1182](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1331233867, etypes {rep=18 tkt=18 ses=18}, admin@IPA.LOCAL for HTTP/m17.ipa.local@IPA.LOCAL
Mar 08 22:48:23 m17.ipa.local krb5kdc[1182](info): authdata (kdb) handling failure: Wrong principal in request
Mar 08 22:48:23 m17.ipa.local krb5kdc[1182](info): TGS_REQ : handle_authdata (-1765328240)
Mar 08 22:48:23 m17.ipa.local krb5kdc[1182](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: HANDLE_AUTHDATA: authtime 1331233867, HTTP/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL, Wrong principal in request
Mar 08 22:48:23 m17.ipa.local krb5kdc[1182](info): ... CONSTRAINED-DELEGATION s4u-client=admin@IPA.LOCAL
Mar 08 22:48:23 m17.ipa.local krb5kdc[1182](info): closing down fd 13
Mar 08 22:48:23 m17.ipa.local krb5kdc[1183](info): authdata (kdb) handling failure: Wrong principal in request
Mar 08 22:48:23 m17.ipa.local krb5kdc[1183](info): TGS_REQ : handle_authdata (-1765328240)
Mar 08 22:48:23 m17.ipa.local krb5kdc[1183](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: HANDLE_AUTHDATA: authtime 1331233867, HTTP/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL, Wrong principal in request
Mar 08 22:48:23 m17.ipa.local krb5kdc[1183](info): ... CONSTRAINED-DELEGATION s4u-client=admin@IPA.LOCAL
Mar 08 22:48:23 m17.ipa.local krb5kdc[1183](info): closing down fd 13
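As an added example (not part of the ticket or of FreeIPA), a small parser that pulls the failed S4U2Proxy requests out of krb5kdc output like the log above: each HANDLE_AUTHDATA failure is joined with the "... CONSTRAINED-DELEGATION s4u-client=" continuation line that the same KDC worker process logs right after it, so the delegating service, target service, impersonated user and error can be reported together. It assumes the syslog-style line prefix shown in the ticket; the sample log is copied from the ticket.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# krb5kdc lines copied from the ticket (two KDC worker processes, pids 1182 and 1183).
KDC_LOG = """\
Mar 08 22:48:23 m17.ipa.local krb5kdc[1182](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: ISSUE: authtime 1331233867, etypes {rep=18 tkt=18 ses=18}, admin@IPA.LOCAL for HTTP/m17.ipa.local@IPA.LOCAL
Mar 08 22:48:23 m17.ipa.local krb5kdc[1182](info): authdata (kdb) handling failure: Wrong principal in request
Mar 08 22:48:23 m17.ipa.local krb5kdc[1182](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: HANDLE_AUTHDATA: authtime 1331233867, HTTP/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL, Wrong principal in request
Mar 08 22:48:23 m17.ipa.local krb5kdc[1182](info): ... CONSTRAINED-DELEGATION s4u-client=admin@IPA.LOCAL
Mar 08 22:48:23 m17.ipa.local krb5kdc[1182](info): closing down fd 13
Mar 08 22:48:23 m17.ipa.local krb5kdc[1183](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.111.146: HANDLE_AUTHDATA: authtime 1331233867, HTTP/m17.ipa.local@IPA.LOCAL for ldap/m17.ipa.local@IPA.LOCAL, Wrong principal in request
Mar 08 22:48:23 m17.ipa.local krb5kdc[1183](info): ... CONSTRAINED-DELEGATION s4u-client=admin@IPA.LOCAL
"""
# Syslog-style prefix; the worker pid is what ties a "..." continuation line to its request.
LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ krb5kdc\[(?P<pid>\d+)\]\(\w+\): (?P<msg>.*)$")
HANDLE_RE = re.compile(
    r"TGS_REQ .*? (?P<ip>\d+\.\d+\.\d+\.\d+): HANDLE_AUTHDATA: authtime \d+, "
    r"(?P<client>\S+) for (?P<server>[^,\s]+), (?P<error>.+)$")
S4U_RE = re.compile(r"^\.\.\. CONSTRAINED-DELEGATION s4u-client=(?P<s4u_client>\S+)")

@dataclass
class AuthdataFailure:
    pid: str
    source_ip: str
    client: str                       # principal presenting the TGS-REQ (the delegating service)
    server: str                       # target service that was requested
    error: str                        # why the KDC rejected the authorization data
    s4u_client: Optional[str] = None  # impersonated user, set only for S4U2Proxy requests

def parse_authdata_failures(log_text: str) -> List[AuthdataFailure]:
    # Collect HANDLE_AUTHDATA failures; attach the s4u-client from the next line of the same pid.
    failures: List[AuthdataFailure] = []
    pending = {}  # pid -> failure still waiting for its "... CONSTRAINED-DELEGATION" line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        h = HANDLE_RE.search(msg)
        if h:
            failure = AuthdataFailure(pid, h["ip"], h["client"], h["server"], h["error"])
            failures.append(failure)
            pending[pid] = failure
            continue
        s = S4U_RE.match(msg)
        if s and pid in pending:
            pending.pop(pid).s4u_client = s["s4u_client"]
        else:
            pending.pop(pid, None)  # any other line from this worker ends the continuation
    return failures
```

Failures whose s4u_client is None are ordinary TGS requests; the ones with it set are the constrained-delegation requests this ticket is about.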
Need to open a ticket upstream if changes to the KDC are required to fix this.
Fixed in: c007ac0
Metadata Update from @abbra:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2012/03