[11763] in Kerberos-V5-bugs
[krbdev.mit.edu #6812] krb5_get_credentials should not fail due to
daemon@ATHENA.MIT.EDU (Jeffrey Altman via RT)
Wed Oct 27 11:07:48 2010
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Jeffrey Altman via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6812@krbdev.mit.edu>
Message-ID: <rt-6812-33396.5.41978764532217@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6812'":;"'AdminCc of krbdev.mit.edu Ticket #6812'":;@MIT.EDU
Date: Wed, 27 Oct 2010 11:07:46 -0400 (EDT)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

If the credential cache is readonly or otherwise unwritable,
krb5_get_credentials() should not fail. The use of a credential cache
is simply an optimization, not a requirement.

In the 1.6 series this is handled correctly for the simple case but
fails for the cross-realm case. The fix is to remove the assignment
"retval = rv2" in the krb5_get_credentials() loop:

    if (tgts) {
        register int i = 0;
        krb5_error_code rv2;
        while (tgts[i]) {
            if ((rv2 = krb5_cc_store_cred(context, ccache, tgts[i]))) {
                retval = rv2;
                break;
            }
            i++;
        }
        krb5_free_tgt_creds(context, tgts);
    }

On the trunk this bug was introduced in all cases. Whenever
krb5_cc_store_cred() is called and fails, the error code is checked and
returned. The fix is to never check and return the error code. See
src/lib/krb5/krb/get_creds.c step_referrals(), step_get_tgt(), and
complete().
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
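
Added example, not part of the original message and not MIT krb5 code: a self-contained C model of the loop quoted in the report, showing how a store failure on a read-only cache replaces a successful result, next to the same loop with the assignment removed. The names err_t, ERR_CC_READONLY, mock_ccache, mock_cc_store_cred, finish_before_fix and finish_after_fix are hypothetical stand-ins, and the realm names are constructed.

```c
#include <stddef.h>

/* Stand-in types and error value, constructed here; not the real krb5 definitions. */
typedef int err_t;
#define ERR_CC_READONLY 13
struct mock_ccache { int writable; int stored; };

/* Hypothetical stand-in for krb5_cc_store_cred(): fails on a read-only cache. */
static err_t mock_cc_store_cred(struct mock_ccache *cc, const char *tgt)
{
    (void)tgt;
    if (!cc->writable)
        return ERR_CC_READONLY;
    cc->stored++;
    return 0;
}

/* Loop shape from the report. retval carries the ticket-acquisition result (0 = success). */
err_t finish_before_fix(struct mock_ccache *cc, const char **tgts, err_t retval)
{
    err_t rv2;
    int i;
    for (i = 0; tgts && tgts[i]; i++) {
        if ((rv2 = mock_cc_store_cred(cc, tgts[i]))) {
            retval = rv2;   /* cache error overwrites the acquisition result */
            break;
        }
    }
    return retval;
}

/* Same loop with the assignment removed: caching is best effort only. */
err_t finish_after_fix(struct mock_ccache *cc, const char **tgts, err_t retval)
{
    int i;
    for (i = 0; tgts && tgts[i]; i++) {
        if (mock_cc_store_cred(cc, tgts[i]))
            break;          /* stop storing, keep the acquisition result */
    }
    return retval;
}

int main(void)
{
    /* Constructed cross-realm TGT names. */
    const char *tgts[] = { "krbtgt/B.EXAMPLE@A.EXAMPLE", "krbtgt/C.EXAMPLE@B.EXAMPLE", NULL };
    struct mock_ccache ro = { 0, 0 };
    return !(finish_before_fix(&ro, tgts, 0) == ERR_CC_READONLY &&
             finish_after_fix(&ro, tgts, 0) == 0);
}
```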