svn rev #22334: branches/krb5-1-7/src/kdc/

tlyu@MIT.EDU tlyu at MIT.EDU
Mon May 11 16:55:54 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22334
Commit By: tlyu
Log Message:
ticket: 6480
version_fixed: 1.7

pull up r22292 from trunk

 ------------------------------------------------------------------------
 r22292 | hartmans | 2009-04-29 20:38:48 -0400 (Wed, 29 Apr 2009) | 10 lines
 Changed paths:
    M /trunk/src/kdc/kdc_preauth.c

 ticket: 6480
 Subject: Do not return PREAUTH_FAILED on unknown preauth
 Target_Version: 1.7
 Tags: pullup

 If the KDC receives unknown pre-authentication data then ignore it.
 Do not get into a case where PREAUTH_FAILED is returned because of
 unknown pre-authentication.  The main AS loop will cause
 PREAUTH_REQUIRED to be returned if the preauth_required flag is set
 and no valid preauth is found.


Changed Files:
U   branches/krb5-1-7/src/kdc/kdc_preauth.c
Modified: branches/krb5-1-7/src/kdc/kdc_preauth.c
===================================================================
--- branches/krb5-1-7/src/kdc/kdc_preauth.c	2009-05-11 20:55:51 UTC (rev 22333)
+++ branches/krb5-1-7/src/kdc/kdc_preauth.c	2009-05-11 20:55:54 UTC (rev 22334)
@@ -1204,17 +1204,11 @@
     if (pa_ok)
 	return 0;
 
-    /* pa system was not found, but principal doesn't require preauth */
-    if (!pa_found &&
-	!isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
-	!isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
+    /* pa system was not found; we may return PREAUTH_REQUIRED later,
+       but we did not actually fail to verify the pre-auth. */
+    if (!pa_found)
        return 0;
 
-    if (!pa_found) {
-	emsg = krb5_get_error_message(context, retval);
-	krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg);
-	krb5_free_error_message(context, emsg);
-    }
 
     /* The following switch statement allows us
      * to return some preauth system errors back to the client.
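
Review bot: The new `if (!pa_found) return 0;` path drops the `krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg);` call, so a request whose padata types were all unrecognized now leaves no trace at this point. I would keep a LOG_INFO line just before the `return 0`, so operators can still tell a client that sent only unknown padata from one that sent none. This branch also no longer tests KRB5_KDB_REQUIRES_PRE_AUTH or KRB5_KDB_REQUIRES_HW_AUTH, so enforcement for principals with those flags rests entirely on the caller. The new comment says only "we may return PREAUTH_REQUIRED later"; it should name the place that performs the check (the log message points to the main AS loop), so that a later change there does not silently turn this early return into a bypass. If `emsg` has no other users in this function, its declaration should go as well. Minor: removing the logging block leaves two consecutive blank lines before the "The following switch statement" comment.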



