Closed sokoide closed 1 year ago
SPNEGO call fails addresses listed in the TGS_REP does not match those listed in the TGS_REQ.
addresses listed in the TGS_REP does not match those listed in the TGS_REQ
... ccache, err := credentials.LoadCCache('/path/to/ccache') cl, err = client.NewFromCCache(ccache, c) err = cl.Login() r, err := http.NewRequest("GET", url, nil) spnegoCl := spnego.NewClient(cl, nil, spn) resp, err := spnegoCl.Do(r)
sage_Handling_Error: addresses listed in the TGS_REP does not match those listed in the TGS_REQ
resp
spnegoCl.Do()
When you make an SPNEGO to a KDC, it's possible that tgsReq has 2 x IPv4 + 2 x IPv6 but returned tgsRep only has 2 x IPv4. If it happens, a validation fails at https://github.com/jcmturner/gokrb5/blob/master/messages/KDCRep.go#L298.
tgsReq
tgsRep
It doesn't reproduce if you have a service ticket in the credential cache because the root cause is in the validation when talking to KDC.
Issue Summary
SPNEGO call fails
addresses listed in the TGS_REP does not match those listed in the TGS_REQ.Environment
Repro Steps
Result
Expected
respreturned successfully byspnegoCl.Do()over SPNEGORoot Cause
When you make an SPNEGO to a KDC, it's possible that
tgsReqhas 2 x IPv4 + 2 x IPv6 but returnedtgsReponly has 2 x IPv4. If it happens, a validation fails at https://github.com/jcmturner/gokrb5/blob/master/messages/KDCRep.go#L298.Note
It doesn't reproduce if you have a service ticket in the credential cache because the root cause is in the validation when talking to KDC.