[30730] in CVS-changelog-for-Kerberos-V5


krb5 commit [krb5-1.18]: Put KDB authdata first

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Feb 10 17:15:12 2020

Date: Mon, 10 Feb 2020 17:14:49 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202002102214.01AMEnqN032063@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/ca0e1e9c663db20823130df5ee9d7b2d3a879fbe
commit ca0e1e9c663db20823130df5ee9d7b2d3a879fbe
Author: Isaac Boukris <iboukris@gmail.com>
Date:   Sat Feb 1 16:13:30 2020 +0100

    Put KDB authdata first
    
    Windows services, as well as some versions of Samba, may refuse
    tickets if the PAC is not in the first AD-IF-RELEVANT container.  In
    fetch_kdb_authdata(), change the merge order so that authdata from the
    KDB module appears first.
    
    [ghudson@mit.edu: added comment and clarified commit message]
    
    (cherry picked from commit 331fa4bdd34263ea20667a0f51338cb84357fdaa)
    
    ticket: 8872
    version_fixed: 1.18

 src/kdc/kdc_authdata.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index a18e4b4..1ebe872 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -372,11 +372,14 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,
     if (ret)
         return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;
 
-    /* Add the KDB authdata to the ticket, without copying or filtering. */
-    ret = merge_authdata(context, db_authdata,
-                         &enc_tkt_reply->authorization_data, FALSE, FALSE);
+    /* Put the KDB authdata first in the ticket.  A successful merge places the
+     * combined list in db_authdata and releases the old ticket authdata. */
+    ret = merge_authdata(context, enc_tkt_reply->authorization_data,
+                         &db_authdata, FALSE, FALSE);
     if (ret)
         krb5_free_authdata(context, db_authdata);
+    else
+        enc_tkt_reply->authorization_data = db_authdata;
     return ret;
 }
 
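Review bot: The new comment above the merge_authdata() call documents ownership only for the success case, while the error branch (`krb5_free_authdata(context, db_authdata);`) depends on a failed merge leaving both lists untouched. With the arguments swapped, enc_tkt_reply->authorization_data is now the source list and is still referenced by the ticket after a failure, so if merge_authdata() could fail after moving some elements into db_authdata, the free here would leave the ticket pointing at released entries. That cannot be confirmed from the lines shown, so please extend the comment with one sentence stating that a failed merge modifies neither list. Separately, the diffstat shows only src/kdc/kdc_authdata.c changed; since the commit message says some peers refuse tickets when the PAC is not in the first AD-IF-RELEVANT container, a regression test asserting that the KDB authdata precedes the other entries would keep this ordering from being silently reverted.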