SPNEGO failure when TGS_REP only has IPv4
sokoide opened this issue
So Koide commented
Issue Summary
SPNEGO call fails with: addresses listed in the TGS_REP does not match those listed in the TGS_REQ.
Environment
- GoKRB5 v8.4.3
- Go 1.19.3
Repro Steps
- Do this after kinit (the credential cache already holds a TGT). The setup is elided; `c` is the `*config.Config` loaded earlier, `url` and `spn` are set by the caller.

```go
import (
	"net/http"

	"github.com/jcmturner/gokrb5/v8/client"
	"github.com/jcmturner/gokrb5/v8/credentials"
	"github.com/jcmturner/gokrb5/v8/spnego"
)
...
ccache, err := credentials.LoadCCache("/path/to/ccache") // TGT from kinit
cl, err := client.NewFromCCache(ccache, c)                // client backed by the ccache
err = cl.Login()
r, err := http.NewRequest("GET", url, nil)
spnegoCl := spnego.NewClient(cl, nil, spn)                // wraps http.DefaultClient when nil
resp, err := spnegoCl.Do(r)                               // fails here with the error below
```
Result
sage_Handling_Error: addresses listed in the TGS_REP does not match those listed in the TGS_REQ
Expected
resp returned successfully by spnegoCl.Do() over SPNEGO
Root Cause
When you make an SPNEGO call to a KDC, it's possible that the tgsReq has 2 x IPv4 + 2 x IPv6 addresses but the returned tgsRep only has 2 x IPv4.
If it happens, a validation fails at https://github.com/jcmturner/gokrb5/blob/master/messages/KDCRep.go#L298.
Note
It doesn't reproduce if you already have a service ticket in the credential cache, because the root cause is in the validation done when talking to the KDC.
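To make the mismatch concrete, here is an added illustration that is not part of this issue and not gokrb5's own code. It models a Kerberos HostAddress, an exact-set comparison of the TGS_REP caddr list against the TGS_REQ address list (the behaviour the issue describes failing), and the relaxed subset check that would accept a KDC returning only the IPv4 entries while still rejecting an address the client never requested. The `HostAddress` type, the helper names and the sample addresses (RFC 5737 / RFC 3849 documentation ranges) are all constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
)

// HostAddress models a Kerberos HostAddress (addr-type + address bytes).
// Constructed for this example; it is not gokrb5's types.HostAddress.
type HostAddress struct {
	AddrType int // RFC 4120 address types: 2 = IPv4, 24 = IPv6
	Address  []byte
}

// ipAddr builds a HostAddress from a textual IP, picking the addr-type.
func ipAddr(s string) HostAddress {
	ip := net.ParseIP(s)
	if v4 := ip.To4(); v4 != nil {
		return HostAddress{AddrType: 2, Address: v4}
	}
	return HostAddress{AddrType: 24, Address: ip.To16()}
}

func contains(list []HostAddress, h HostAddress) bool {
	for _, x := range list {
		if x.AddrType == h.AddrType && bytes.Equal(x.Address, h.Address) {
			return true
		}
	}
	return false
}

// StrictMatch requires both lists to hold exactly the same set of addresses:
// same length, and every entry of each list present in the other. This is the
// exact-comparison behaviour the issue reports as failing when the KDC drops
// the IPv6 entries.
func StrictMatch(rep, req []HostAddress) bool {
	if len(rep) != len(req) {
		return false
	}
	for _, h := range rep {
		if !contains(req, h) {
			return false
		}
	}
	for _, h := range req {
		if !contains(rep, h) {
			return false
		}
	}
	return true
}

// SubsetMatch is the relaxed check (a proposal for this example, not gokrb5
// code): every address the KDC put in the TGS_REP must have been offered in
// the TGS_REQ, but the KDC is allowed to return fewer. An address that was
// never requested is still rejected, so the check keeps its security value.
func SubsetMatch(rep, req []HostAddress) bool {
	if len(rep) == 0 { // no caddr in the reply: nothing to validate
		return true
	}
	for _, h := range rep {
		if !contains(req, h) {
			return false
		}
	}
	return true
}

// Sample lists constructed for this example: the client offered two IPv4 and
// two IPv6 addresses, the KDC echoed back only the IPv4 ones.
var (
	ReqAddrs   = []HostAddress{ipAddr("192.0.2.10"), ipAddr("198.51.100.7"), ipAddr("2001:db8::10"), ipAddr("2001:db8::7")}
	RepAddrs   = []HostAddress{ipAddr("192.0.2.10"), ipAddr("198.51.100.7")}
	ForeignRep = []HostAddress{ipAddr("203.0.113.1")} // never sent in the request
)

func main() {
	fmt.Println("strict:", StrictMatch(RepAddrs, ReqAddrs))    // false: IPv6 entries missing from reply
	fmt.Println("subset:", SubsetMatch(RepAddrs, ReqAddrs))    // true: reply is a subset of the request
	fmt.Println("foreign:", SubsetMatch(ForeignRep, ReqAddrs)) // false: address was never requested
}
```

With the constructed lists, the strict comparison rejects the reply purely because the KDC returned fewer addresses, which is the situation in the issue; the subset check accepts it while still refusing a reply that names an address the client never offered.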