On 11/17/2020 12:16 PM, Robbie Harwood (rharw...@redhat.com) wrote:
> Luke Hebert <lheb...@cloudera.com> writes:
>
>> Hi,
>> Disabling service ticket and tgt renewability is not great and it
>> obviously breaks long running processes that rely on renewability of
>> these items.

Just to set the record straight, Kerberos service tickets have never been renewable unless they were obtained as initial tickets. Only TGTs are renewable. This is true for MIT and Heimdal as well as Active Directory.

>>>> *How does this patch affect third-party Kerberos clients?*
>>>>
>>>> When the registry key is set to 1, patched domain controllers will issue
>>>> service tickets and Ticket-Granting Tickets (TGTs) that are not renewable
>>>> and will refuse to renew existing service tickets and TGTs. Windows clients
>>>> are not impacted by this since they never renew service tickets or TGTs.
>>>> Third-party Kerberos clients may fail to renew service tickets or TGTs
>>>> acquired from unpatched DCs. If all DCs are patched with the registry set
>>>> to 1, third-party clients will no longer receive renewable tickets.
>
> You're correct that Microsoft has not released details on this issue.
>
> They have indicated that some failures are a known issue, and claim to
> be working on a fix:
> https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-20h2#1522msgdesc

It used to be the case that "kinit -r" would fail if the requested principal was "disallow-renewable". I don't remember if it was because the KDC refused to issue any ticket when renewable was requested or if it was the client library rejecting the ticket because it didn't satisfy the request.

If the problem is the latter, the Microsoft change has an immediate impact that cannot easily be worked around without patching the client systems.

It would be useful if someone could test and report the actual symptoms as observed on the non-Windows client.

Jeffrey Altman
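The message above asks for someone to test and report what a non-Windows client actually sees. One concrete check is to look at the flags on the tickets the client holds after `kinit -r`: a renewable ticket carries the `R` flag in `klist -f` output, and, as the reply points out, only TGTs (`krbtgt/...`) are expected to be renewable in the first place, so service tickets without `R` are normal and not a symptom. The script below is an added example, not part of this thread or of any Kerberos distribution. It parses a constructed sample that approximates the layout of MIT Kerberos `klist -f` output (an assumption; real output may contain extra lines such as `Ticket server:`) and reports TGTs that were issued without the renewable flag.

```python
import re

# Constructed sample approximating MIT Kerberos `klist -f` output (assumed
# layout): one "Valid starting / Expires / Service principal" line per ticket,
# followed by an indented line that reads "renew until ..., Flags: ..." for a
# renewable ticket or just "Flags: ..." for a non-renewable one.  The R flag
# marks a renewable ticket.  Principals and times are made up.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
11/17/2020 12:00:00  11/17/2020 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 11/24/2020 12:00:00, Flags: FRIA
11/17/2020 12:01:00  11/17/2020 22:00:00  host/db1.example.com@EXAMPLE.COM
\tFlags: FA
11/17/2020 12:02:00  11/17/2020 22:00:00  krbtgt/CORP.EXAMPLE.COM@EXAMPLE.COM
\tFlags: FIA
"""

# A ticket line starts with two date/time pairs followed by the principal.
TICKET_RE = re.compile(r"^(\d\S+ \S+)\s+(\d\S+ \S+)\s+(\S+)$")
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]+)")
RENEW_RE = re.compile(r"renew until (\S+ [^,\s]+)")


def parse_klist(text):
    """Return one dict per ticket: principal, expiry, flags, renew_until, renewable."""
    tickets = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TICKET_RE.match(line)
        if not m:
            continue
        # The detail line (flags, optional renew-until) is the indented line
        # directly after the ticket line, if there is one.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        detail = nxt if nxt[:1].isspace() else ""
        flags_m = FLAGS_RE.search(detail)
        renew_m = RENEW_RE.search(detail)
        flags = flags_m.group(1) if flags_m else ""
        tickets.append({
            "principal": m.group(3),
            "expires": m.group(2),
            "flags": flags,
            "renew_until": renew_m.group(1) if renew_m else None,
            "renewable": "R" in flags,
        })
    return tickets


def non_renewable_tgts(tickets):
    """Principals of TGTs (krbtgt/...) issued without the R flag.

    Service tickets are deliberately ignored: they are not renewable unless
    obtained as initial tickets, so their lack of R is not a symptom.
    """
    return [t["principal"] for t in tickets
            if t["principal"].startswith("krbtgt/") and not t["renewable"]]


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST)
    for t in parsed:
        state = ("renewable until " + t["renew_until"]) if t["renewable"] else "NOT renewable"
        print(f"{t['principal']:45} flags={t['flags']:5} {state}")
    print("TGTs issued without the renewable flag:", non_renewable_tgts(parsed))
```

To run it against a live credential cache, feed `parse_klist` the stdout of `subprocess.run(["klist", "-f"], capture_output=True, text=True)` instead of the constructed sample; a TGT that was requested with `kinit -r` but shows up here without `R` is the observation worth reporting back to the list, together with whatever `kinit` itself printed.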
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos