[27907] in CVS-changelog-for-Kerberos-V5


krb5 commit: Don't treat local krbtgt principal as referral

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Aug 29 07:36:44 2013

Date: Thu, 29 Aug 2013 07:36:37 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201308291136.r7TBabLP006298@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/22f00f6b8233fa281e5aad854789bd14abdda91b
commit 22f00f6b8233fa281e5aad854789bd14abdda91b
Author: Greg Hudson <ghudson@mit.edu>
Date:   Wed Aug 28 18:39:55 2013 -0400

    Don't treat local krbtgt principal as referral
    
    If we look up a principal in the KDB and get back the local TGS
    principal, the KDC should treat this as an alias, not a referral, and
    should therefore issue a ticket for the requested principal rather than
    the canonical name.
    
    ticket: 7698

 src/kdc/do_tgs_req.c |   15 +++++++--------
 1 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 6710912..6415e28 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -217,12 +217,14 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     if (errcode != 0)
         goto cleanup;
     sprinc = server->princ;
-    if (krb5_is_tgs_principal(server->princ)) {
+    is_referral = krb5_is_tgs_principal(server->princ) &&
+        !krb5_principal_compare(kdc_context, tgs_server, server->princ);
+    if (is_referral) {
         /*
-         * We may be issuing an alternate TGT or host referral, in which case
-         * we should use the canonical name in the reply.  XXX We should track
-         * the reply server separately instead of modifying request->server,
-         * but that requires a bunch of code changes.
+         * We may be issuing an alternate TGT or a referral to another realm,
+         * in which case we should use the canonical name in the reply.  XXX We
+         * should track the reply server separately instead of modifying
+         * request->server, but that requires a bunch of code changes.
          */
         krb5_free_principal(kdc_context, request->server);
         request->server = NULL;
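Review bot: the new `is_referral` assignment at the top of this hunk is the whole fix, so it is worth stating in a comment on the `if (is_referral)` branch why a server entry that *is* `tgs_server` is deliberately excluded: a KDB lookup that resolves to the local krbtgt is an alias of the requested name, and rewriting `request->server` to the canonical name here would put the canonical krbtgt name into the reply instead of the name the client asked for. Two things to confirm while reviewing: `tgs_server` and `is_referral` are both already in scope at line 217 (the old code only used them further down, around line 251), and `server->princ` is non-NULL here because the `errcode != 0` check directly above returns on a failed lookup. A regression test that requests a ticket for an alias of the local krbtgt and checks that the returned ticket's server name equals the requested name, not the canonical one, would pin this behaviour down.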
@@ -251,9 +253,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     if (!is_local_principal(kdc_active_realm, header_enc_tkt->client))
         setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
 
-    is_referral = krb5_is_tgs_principal(server->princ) &&
-        !krb5_principal_compare(kdc_context, tgs_server, server->princ);
-
     /* Check for protocol transition */
     errcode = kdc_process_s4u2self_req(kdc_active_realm,
                                        request,
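Review bot: deleting the later `is_referral` computation is only equivalent to the old code if `server` and `server->princ` are not reassigned anywhere between line 217 and the S4U2Self processing at line 253; please verify that no intervening code path replaces `server` (for example after a cross-realm or alternate-TGT lookup), since `is_referral` is now a snapshot taken before those steps rather than a fresh evaluation right before `kdc_process_s4u2self_req` uses it.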
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
