
KRB5KRB_ERR_RESPONSE_TOO_BIG + cross realm = logic error?



I have a web app with login form that uses the user supplied creds to
get a TGT and then a ticket for an ldap_sasl_bind. The user is getting
a GSS_S_DEFECTIVE_TOKEN error and I'm trying to pinpoint why.


C: AS-REQ for krbtgt/EXAMPLE.COM for user
S: KRB5KRB_ERR_RESPONSE_TOO_BIG
<switch to tcp>
C: AS-REQ for ... wireshark choking
S: AS-REP with krbtgt/EXAMPLE.COM for user
C: TGS-REQ for ldap/s1.sub.example.com
S: KRB5KRB_ERR_RESPONSE_TOO_BIG
<switch to tcp>
C: TGS-REQ for ... wireshark choking
S: TGS-REP with krbtgt/SUB.EXAMPLE.COM
C: ldap_sasl_bind with krbtgt/SUB.EXAMPLE.COM
S: KRB5KRB_AP_ERR_MODIFIED -> GSS_S_DEFECTIVE_TOKEN

I'm no Kerberos expert but there are two things that seem very odd to me:

1) After the TGS-REQ for ldap/s1.sub.example.com fails with
KRB5KRB_ERR_RESPONSE_TOO_BIG it looks like the subsequent TGS-REQ is for
a TGT (and it succeeds).

2) When doing gss_init_sec_context (in ldap_sasl_bind) the token has a
TGT in it and not a ticket for LDAP. I assume this is why the server is
returning KRB5KRB_AP_ERR_MODIFIED.

I'm using 0.7.2 modified in ways that I don't think should affect the
code in question. Can someone speculate as to why this would happen?

Any advice would be appreciated.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
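The trace above has the two client-side behaviours standard Kerberos expects: a KDC that answers KRB_ERR_RESPONSE_TOO_BIG over UDP must be re-asked over TCP (RFC 4120), and a TGS-REP that carries a krbtgt for another realm is a cross-realm referral, i.e. a TGT for the realm that actually holds the service, which the client has to present to that realm's KDC in a further TGS-REQ rather than use as if it were the service ticket. The toy model below is an added example written for this thread, not code from the poster, Heimdal or any other project: it simulates two KDCs with constructed realm names, ticket sizes and a UDP size limit, walks the client through the TCP fallback and the referral hop, and refuses to build an AP-REQ from a ticket whose sname is not the service being bound to. `realm_of`, `ToyKdc`, `get_service_ticket` and `build_ap_req` are all hypothetical names.

```python
"""Toy model of a Kerberos client handling KRB_ERR_RESPONSE_TOO_BIG and
cross-realm referrals before building an AP-REQ.

Everything below is constructed for illustration: the realms, the ticket
sizes and the UDP threshold are made up to reproduce the shape of the trace.
"""
from dataclasses import dataclass

KRB5KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 error code
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7     # RFC 4120 error code
MAX_UDP_PAYLOAD = 1400              # constructed limit for the toy KDC
MAX_REFERRAL_HOPS = 5               # guard against referral loops


@dataclass(frozen=True)
class Ticket:
    sname: str   # "ldap/s1.sub.example.com" or "krbtgt/SUB.EXAMPLE.COM"
    realm: str   # realm whose KDC issued the ticket
    size: int    # encoded size in bytes (constructed)


class KrbError(Exception):
    def __init__(self, code):
        super().__init__(f"Kerberos error {code}")
        self.code = code


def realm_of(sname):
    """Map a host-based sname to a realm by DNS domain (constructed mapping)."""
    host = sname.split("/", 1)[1]
    return host.split(".", 1)[1].upper()


class ToyKdc:
    """One KDC per realm: issues service tickets for local services and
    cross-realm TGTs (referrals) for services it knows live elsewhere."""

    def __init__(self, realm, services, referrals):
        self.realm = realm
        self.services = services      # sname -> encoded ticket size
        self.referrals = referrals    # foreign realm -> cross-realm TGT size

    def tgs_exchange(self, sname, transport):
        if sname in self.services:
            rep = Ticket(sname, self.realm, self.services[sname])
        else:
            target = realm_of(sname)
            if target not in self.referrals:
                raise KrbError(KDC_ERR_S_PRINCIPAL_UNKNOWN)
            # Service is in another realm: answer with a krbtgt for that realm.
            rep = Ticket(f"krbtgt/{target}", self.realm, self.referrals[target])
        if transport == "udp" and rep.size > MAX_UDP_PAYLOAD:
            raise KrbError(KRB5KRB_ERR_RESPONSE_TOO_BIG)
        return rep


def tgs_req_with_fallback(kdc, sname, log):
    """Try UDP first; on RESPONSE_TOO_BIG repeat the same request over TCP."""
    for transport in ("udp", "tcp"):
        log.append(f"{transport}: TGS-REQ {sname} -> {kdc.realm}")
        try:
            return kdc.tgs_exchange(sname, transport)
        except KrbError as err:
            if err.code == KRB5KRB_ERR_RESPONSE_TOO_BIG and transport == "udp":
                log.append("KRB5KRB_ERR_RESPONSE_TOO_BIG, retrying over tcp")
                continue
            raise
    raise RuntimeError("unreachable")


def get_service_ticket(kdcs, sname, start_realm, log):
    """Chase referrals until a ticket whose sname is the requested service
    comes back; a krbtgt for another realm means 'ask that realm next'."""
    realm = start_realm
    for _ in range(MAX_REFERRAL_HOPS):
        rep = tgs_req_with_fallback(kdcs[realm], sname, log)
        if rep.sname == sname:
            return rep
        if rep.sname.startswith("krbtgt/"):
            realm = rep.sname.split("/", 1)[1]
            log.append(f"referral -> {realm}")
            continue
        raise KrbError(KDC_ERR_S_PRINCIPAL_UNKNOWN)
    raise RuntimeError("too many referral hops")


def build_ap_req(ticket, expected_sname):
    """Never put a ticket for a different principal into the AP-REQ; the
    service cannot accept a krbtgt in place of its own service ticket."""
    if ticket.sname != expected_sname:
        raise ValueError(f"ticket is for {ticket.sname}, not {expected_sname}")
    return {"sname": ticket.sname, "realm": ticket.realm}


def run_demo():
    # Constructed topology: EXAMPLE.COM refers ldap/s1.sub.example.com to
    # SUB.EXAMPLE.COM; both replies are too large for the toy UDP limit.
    kdcs = {
        "EXAMPLE.COM": ToyKdc("EXAMPLE.COM", {}, {"SUB.EXAMPLE.COM": 1800}),
        "SUB.EXAMPLE.COM": ToyKdc("SUB.EXAMPLE.COM",
                                  {"ldap/s1.sub.example.com": 1600}, {}),
    }
    log = []
    ticket = get_service_ticket(kdcs, "ldap/s1.sub.example.com",
                                "EXAMPLE.COM", log)
    ap_req = build_ap_req(ticket, "ldap/s1.sub.example.com")
    return ticket, ap_req, log


if __name__ == "__main__":
    _, ap, trace = run_demo()
    print("\n".join(trace))
    print("AP-REQ:", ap)
```

Running the demo prints the same shape as the thread's trace (UDP request, RESPONSE_TOO_BIG, TCP retry, a krbtgt/SUB.EXAMPLE.COM reply) and then the extra hop to the SUB.EXAMPLE.COM KDC that yields the LDAP ticket. The `build_ap_req` check is the one worth having in any client code path: stopping at the referral and handing the krbtgt to `gss_init_sec_context` is exactly the situation the check rejects.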