[3564] in Kerberos-V5-bugs


[krbdev.mit.edu #1232] gic_keytab.c

daemon@ATHENA.MIT.EDU (Ben Cox via RT)
Mon Oct 28 14:27:12 2002

Message-Id: <rt-1232-3243.6.30893611795685@krbdev.mit.edu>
In-Reply-To: <rt-1232@krbdev.mit.edu>
From: "Ben Cox via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
To: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Mon, 28 Oct 2002 14:26:57 -0500 (EST)


Hello,

I've just encountered a minor bug in krb5-1.2.6 (and 1.2.5) in
src/lib/krb5/krb/gic_keytab.c.

Lines 109-113 read:

      /* if the master is unreachable, return the error from the
	 slave we were able to contact */

      if ((ret2 == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE))
	 goto cleanup;

Line 112 should almost certainly read

      if ((ret2 == KRB5_KDC_UNREACH) || (ret2 == KRB5_REALM_CANT_RESOLVE))

instead.

The effect of this bug is that, when we can't find the master KDC for a
realm, other errors get masked as KRB5_REALM_CANT_RESOLVE instead of the
real error.

I found this when attempting to get a krbtgt from a realm that is served
by an Active Directory server.  There's no "admin_server" entry in my
krb5.conf for that realm, and there are no DNS service entries (that I
can resolve) for it, either; just kdc and kpasswd entries for it. 
Adding a (bogus) admin_server entry to the kdc.conf causes the real
error to be returned.

Thanks.


-- 
Ben Cox <cox-work@djehuti.com>

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs
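
A minimal C model of the condition quoted in the report above, added here as an illustration; it is not code from the krb5 source or from the reporter. The `M_*` codes, the `fallback` function, and the assumption that the master's error replaces the first error whenever the `goto cleanup` is not taken are constructed for this example.

```c
#include <stdio.h>

/* Constructed stand-ins for krb5 error codes; the values are arbitrary. */
enum {
    M_OK = 0,
    M_KDC_UNREACH,         /* models KRB5_KDC_UNREACH */
    M_REALM_CANT_RESOLVE,  /* models KRB5_REALM_CANT_RESOLVE */
    M_OTHER_ERROR          /* placeholder for the real error from the first KDC */
};

/*
 * ret  : result from the KDC that was reached first
 * ret2 : result of the retry against the master KDC
 * fixed: 0 = condition as quoted from line 112, 1 = condition as proposed
 * Assumed control flow: returning `ret` models "goto cleanup"; otherwise
 * the master's result replaces it.
 */
static int fallback(int ret, int ret2, int fixed)
{
    if (ret2 == M_OK)
        return M_OK;
    if (fixed) {
        if (ret2 == M_KDC_UNREACH || ret2 == M_REALM_CANT_RESOLVE)
            return ret;   /* master unusable: keep the first error */
    } else {
        if (ret2 == M_KDC_UNREACH || ret == M_REALM_CANT_RESOLVE)
            return ret;   /* second test reads ret, so it never fires here */
    }
    return ret2;          /* master answered: its error is reported */
}

int main(void)
{
    /* Scenario from the report: the master KDC cannot be located. */
    int ret = M_OTHER_ERROR, ret2 = M_REALM_CANT_RESOLVE;

    printf("quoted condition returns %d (real error was %d)\n",
           fallback(ret, ret2, 0), ret);
    printf("proposed condition returns %d\n", fallback(ret, ret2, 1));
    return 0;
}
```
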
