svn rev #23862: branches/iakerb/src/lib/krb5/krb/
ghudson@MIT.EDU
ghudson at MIT.EDU
Mon Apr 5 11:54:48 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=23862
Commit By: ghudson
Log Message:
Move a little bit of logic out of step_referrals into
try_fallback_realm. If try_fallback_realm gives up because the
fallback realm is the same as the initial referral realm, return the
code from the TGS reply instead of KRB5_ERR_HOST_REALM_UNKNOWN.
Changed Files:
U branches/iakerb/src/lib/krb5/krb/gc_frm_kdc_step.c
Modified: branches/iakerb/src/lib/krb5/krb/gc_frm_kdc_step.c
===================================================================
--- branches/iakerb/src/lib/krb5/krb/gc_frm_kdc_step.c 2010-04-05 03:24:54 UTC (rev 23861)
+++ branches/iakerb/src/lib/krb5/krb/gc_frm_kdc_step.c 2010-04-05 15:54:48 UTC (rev 23862)
@@ -385,9 +385,9 @@
/***** STATE_REFERRALS *****/
/*
- * Retry a request in the fallback realm after a referral request failure in
- * the local realm. We only do this if the originally requested service
- * principal was in the referral realm.
+ * Possibly retry a request in the fallback realm after a referral request
+ * failure in the local realm. Expects ctx->reply_code to be set to the error
+ * from a referral request.
*/
static krb5_error_code
try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
@@ -395,6 +395,14 @@
krb5_error_code code;
char **hrealms;
+ /* Only fall back if our error was from the first referral request. */
+ if (ctx->referral_count > 1)
+ return ctx->reply_code;
+
+ /* Only fall back if the original request used the referral realm. */
+ if (!krb5_is_referral_realm(&ctx->req_server->realm))
+ return ctx->reply_code;
+
if (ctx->server->length < 2) {
/* We need a type/host format principal to find a fallback realm. */
return KRB5_ERR_HOST_REALM_UNKNOWN;
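Review bot: The new guard `if (ctx->referral_count > 1)` is not the exact complement of the `ctx->referral_count == 1` test that this commit removes from step_referrals (last hunk): a count of 0 used to return `ctx->reply_code` and now proceeds to the fallback lookup. If the count is always at least 1 by the time a referral reply is processed (not visible in this diff), nothing changes, but `if (ctx->referral_count != 1)` would keep the old condition exactly. Separately, the `ctx->server->length < 2` branch still returns `KRB5_ERR_HOST_REALM_UNKNOWN`, so on that path the KDC's error is still replaced, unlike the other give-up paths; that deserves a comment if it is intended. The body of try_fallback_realm continues outside this hunk.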
@@ -406,10 +414,9 @@
if (code != 0)
return code;
- if (data_eq_string(ctx->server->realm, hrealms[0])) {
- /* Fallback realm isn't any different, so just give up. */
- return KRB5_ERR_HOST_REALM_UNKNOWN;
- }
+ /* Give up if the fallback realm isn't any different. */
+ if (data_eq_string(ctx->server->realm, hrealms[0]))
+ return ctx->reply_code;
/* Rewrite server->realm to be the fallback realm. */
krb5_free_data_contents(context, &ctx->server->realm);
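Review bot: The give-up path `return ctx->reply_code;` after the `data_eq_string` check returns without releasing `hrealms`, which appears to be filled in by the lookup whose result is checked just above (the call itself is outside the hunk). The leak predates this commit, but the rewritten branch is the natural place to fix it: `if (data_eq_string(ctx->server->realm, hrealms[0])) { krb5_free_host_realm(context, hrealms); return ctx->reply_code; }`. `hrealms[0]` is also read without checking that the list is non-empty, so if the lookup can succeed with an empty list, that case should be rejected first. The function continues past the end of the hunk.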
@@ -444,15 +451,9 @@
krb5_error_code code;
const krb5_data *referral_realm;
- if (ctx->reply_code != 0) {
- /* If we had an unknown realm, and we tried the local realm and failed,
- * try the fallback realm before giving up. */
- if (ctx->referral_count == 1 &&
- krb5_is_referral_realm(&ctx->req_server->realm))
- return try_fallback_realm(context, ctx);
- else
- return ctx->reply_code;
- }
+ /* Possibly retry with the fallback realm on error. */
+ if (ctx->reply_code != 0)
+ return try_fallback_realm(context, ctx);
if (krb5_principal_compare(context, ctx->reply_creds->server,
ctx->server)) {