svn rev #25506: branches/krb5-1-9/src/ include/ lib/krb5/krb/
tlyu@MIT.EDU
Mon Dec 5 13:52:44 EST 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=25506
Commit By: tlyu
Log Message:
ticket: 7016
version_fixed: 1.9.3
status: resolved
pull up r25472 from trunk
------------------------------------------------------------------------
r25472 | ghudson | 2011-11-14 13:02:52 -0500 (Mon, 14 Nov 2011) | 12 lines
ticket: 7016
subject: Handle TGS referrals to the same realm
target_version: 1.9.3
tags: pullup
krb5 1.6 through 1.8 contained a workaround for the Active Directory
behavior of returning a TGS referral to the same realm as the request.
1.9 responds to this behavior by caching the returned TGT, trying
again, and detecting a referral loop. This is a partial regression of
ticket #4955. Detect this case and fall back to a non-referral
request.
Changed Files:
U branches/krb5-1-9/src/include/k5-trace.h
U branches/krb5-1-9/src/lib/krb5/krb/get_creds.c
Modified: branches/krb5-1-9/src/include/k5-trace.h
===================================================================
--- branches/krb5-1-9/src/include/k5-trace.h 2011-12-05 00:38:19 UTC (rev 25505)
+++ branches/krb5-1-9/src/include/k5-trace.h 2011-12-05 18:52:44 UTC (rev 25506)
@@ -330,6 +330,9 @@
TRACE(c, (c, "TGS request result: {kerr}", code))
#define TRACE_TKT_CREDS_RETRY_TCP(c) \
TRACE(c, (c, "Request or response is too big for UDP; retrying with TCP"))
+#define TRACE_TKT_CREDS_SAME_REALM_TGT(c, realm) \
+ TRACE(c, (c, "Received TGT referral back to same realm ({data}); trying " \
+ "again without referrals", realm))
#define TRACE_TKT_CREDS_SERVICE_REQ(c, princ, referral) \
TRACE(c, (c, "Requesting tickets for {princ}, referrals {str}", princ, \
(referral) ? "on" : "off"))
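Review bot: the new `TRACE_TKT_CREDS_SAME_REALM_TGT` macro formats its `realm` argument with `{data}`, so callers must pass a `krb5_data *` rather than a `krb5_data` by value; the get_creds.c caller does pass the pointer `referral_realm`, but a one-line comment above the `#define` stating the expected argument type (as the neighbouring `TRACE_TKT_CREDS_SERVICE_REQ` does implicitly with `{princ}`/`{str}`) would keep future call sites from passing the struct itself.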
Modified: branches/krb5-1-9/src/lib/krb5/krb/get_creds.c
===================================================================
--- branches/krb5-1-9/src/lib/krb5/krb/get_creds.c 2011-12-05 00:38:19 UTC (rev 25505)
+++ branches/krb5-1-9/src/lib/krb5/krb/get_creds.c 2011-12-05 18:52:44 UTC (rev 25506)
@@ -566,6 +566,14 @@
return begin_non_referral(context, ctx);
}
+ /* Active Directory may return a TGT to the local realm. Try a
+ * non-referral query if we see this. */
+ referral_realm = &ctx->reply_creds->server->data[1];
+ if (data_eq(*referral_realm, ctx->cur_tgt->server->data[1])) {
+ TRACE_TKT_CREDS_SAME_REALM_TGT(context, referral_realm);
+ return begin_non_referral(context, ctx);
+ }
+
if (ctx->referral_count == 1) {
/* Cache the referral TGT only if it's from the local realm.
* Make sure to note the associated authdata, if any. */
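Review bot: both `ctx->reply_creds->server->data[1]` and `ctx->cur_tgt->server->data[1]` index the second principal component with no length check visible in this hunk, so the comparison is only safe if the code above it has already established that the reply server is a two-component krbtgt principal; if that is not the case, guard the `data_eq` with a `length >= 2` test on both principals before dereferencing. It would also help to say in the comment that a same-realm referral from Active Directory is treated like the no-referral case rather than being cached as a referral TGT, since that is the behavioural change the early `return begin_non_referral(context, ctx);` introduces.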
@@ -586,7 +594,6 @@
return KRB5_KDC_UNREACH;
/* Check for referral loops. */
- referral_realm = &ctx->reply_creds->server->data[1];
if (seen_realm_before(context, ctx, referral_realm))
return KRB5_KDC_UNREACH;
code = remember_realm(context, ctx, referral_realm);
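Review bot: removing the `referral_realm = &ctx->reply_creds->server->data[1];` assignment here is correct only because the earlier hunk now assigns `referral_realm` unconditionally before the `referral_count == 1` block, and nothing between the two hunks may reassign it or replace `ctx->reply_creds`; a short comment at the "Check for referral loops" line noting that `referral_realm` was set above the caching block would make that dependency visible to the next person editing this function.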