`minikerberos/minikerberos/common/ccache.py`, line 659 in 45d701f:

```python
def get_tgt(self, username, domain = None, strict:bool=False):
```
The above function retrieves all the TGTs from the ccache and then selects the first one matching the krb user name and domain, but there is no selection depending on the target realm, which is an issue when using referral tickets.
To provide an example using the `getTGS.py` example script:
```
$ klist jane_bloody_bloody.ccache
Ticket cache: FILE:jane_bloody_tree.ccache
Default principal: jane@TREE2.LAB

Valid starting       Expires              Service principal
11/29/2024 19:27:02  11/30/2024 05:27:02  krbtgt/TREE2.LAB@TREE2.LAB
        renew until 11/30/2024 19:27:00
11/29/2024 19:32:11  11/30/2024 05:27:02  krbtgt/BLOODY.CORP@TREE2.LAB

$ getTGS.py -v --ccache jane_main_bloody.ccache 'kerberos+ccache://tree2.lab\jane:jane_bloody_bloody.ccache@192.168.100.3' 'ldap/MAIN.bloody.corp@bloody.corp'
Traceback (most recent call last):
  File "/home/silver/.local/lib/python3.11/site-packages/minikerberos/examples/getTGS.py", line 57, in <module>
    main()
  File "/home/silver/.local/lib/python3.11/site-packages/minikerberos/examples/getTGS.py", line 54, in main
    asyncio.run(getTGS(args.kerberos_url, args.spn, args.kirbi, args.ccache, args.cross_domain))
  File "/usr/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/home/silver/.local/lib/python3.11/site-packages/minikerberos/examples/getTGS.py", line 22, in getTGS
    tgs, encpart, key = await client.get_TGS(spn)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/silver/.local/lib/python3.11/site-packages/minikerberos/aioclient.py", line 447, in get_TGS
    raise KerberosError(rep, 'get_TGS failed!')
minikerberos.protocol.errors.KerberosError: get_TGS failed! Error Name: KRB_AP_ERR_BAD_INTEGRITY Detail: "Integrity check on decrypted field failed"
```
This happens because `getTGS.py` will call:

```python
await client.get_TGT()
```
Then this function calls (`minikerberos/minikerberos/aioclient.py`, line 261 in 45d701f):

```python
_, err = self.tgt_from_ccache()
```
Which calls (`minikerberos/minikerberos/common/ccache.py`, line 659 in 45d701f):

```python
def get_tgt(self, username, domain = None, strict:bool=False):
```
And this function retrieves all the TGTs and returns the first one matching the user; no filter on the target SPN is done, so it will return `krbtgt/TREE2.LAB@TREE2.LAB` instead of `krbtgt/BLOODY.CORP@TREE2.LAB` (`minikerberos/minikerberos/common/ccache.py`, line 687 in 45d701f):

```python
if ticket_for.upper() == our_user.upper():
```
I think the target SPN could be added in the AIOKerberosClient and then provided to this function to make a better choice.

I can make the PR if interested.
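The realm-aware selection proposed above, sketched as an added example that is not minikerberos code: `Cred` and `select_tgt` are constructed stand-ins for the ccache credential entries and `get_tgt`, and the sample entries mirror the `klist` output from the report.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-in for one ccache credential (client principal + server
# principal); minikerberos' own Credential class is not used here.
@dataclass
class Cred:
    client: str   # e.g. "jane@TREE2.LAB"
    server: str   # e.g. "krbtgt/BLOODY.CORP@TREE2.LAB"

def realm_of_spn(spn: str) -> str:
    """Upper-cased realm of a 'service/host@REALM' name."""
    return spn.rsplit('@', 1)[1].upper()

def tgt_realm(server: str) -> str:
    """For 'krbtgt/<REALM>@<HOME>' return <REALM>: the realm the TGT is usable in."""
    return server.split('/', 1)[1].rsplit('@', 1)[0].upper()

def select_tgt(creds: Iterable[Cred], username: str, domain: Optional[str] = None,
               target_spn: Optional[str] = None) -> Optional[Cred]:
    """Pick a TGT for username[@domain].

    Without target_spn this is the first-match behaviour the issue describes.
    With target_spn, a referral TGT whose realm equals the SPN's realm is
    preferred; the home-realm TGT is used only when no referral exists."""
    our_user = f"{username}@{domain}".upper() if domain else username.upper()
    candidates = []
    for c in creds:
        if not c.server.upper().startswith('KRBTGT/'):
            continue   # only ticket-granting tickets qualify
        client = c.client.upper()
        ticket_for = client if domain else client.split('@', 1)[0]
        if ticket_for == our_user:
            candidates.append(c)
    if not candidates:
        return None
    if target_spn:
        want = realm_of_spn(target_spn)
        for c in candidates:
            if tgt_realm(c.server) == want:
                return c   # referral TGT for the target realm wins
    return candidates[0]   # fall back to first match (home realm in the report)

# Constructed sample matching the two entries in the reporter's klist output.
SAMPLE_CCACHE = [
    Cred("jane@TREE2.LAB", "krbtgt/TREE2.LAB@TREE2.LAB"),
    Cred("jane@TREE2.LAB", "krbtgt/BLOODY.CORP@TREE2.LAB"),
]
```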