krb5 commit: Fix S4U user identification in preauth case

Greg Hudson ghudson at MIT.EDU
Thu May 24 13:07:20 EDT 2012


https://github.com/krb5/krb5/commit/33a64a7f9dc7342880f7a477a8b3447891d20af5
commit 33a64a7f9dc7342880f7a477a8b3447891d20af5
Author: Greg Hudson <ghudson at mit.edu>
Date:   Thu May 24 13:03:26 2012 -0400

    Fix S4U user identification in preauth case
    
    In 1.10, encrypted timestamp became a built-in module instead of a
    hardcoded padata handler.  This changed the behavior of
    krb5_get_init_creds as invoked by s4u_identify_user such that
    KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
    (Module failures are not treated as hard errors, while hardcoded
    padata handler errors are.)  Accordingly, we should look for
    KRB5_PREAUTH_FAILED in s4u_identify_user.
    
    On a less harmful note, the gak function was returning a protocol
    error code instead of a com_err code, and the caller was testing for a
    different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
    never be returned by krb5_get_init_creds.  Clean up both of those by
    returning KRB5_PREAUTH_FAILED from the gak function and testing for
    that alone.
    
    Reported by Michael Morony.
    
    ticket: 7136
    target_version: 1.10.2
    tags: pullup

 src/lib/krb5/krb/s4u_creds.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index e4cc8a1..6a1bcc3 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -48,7 +48,7 @@ krb5_get_as_key_noop(
     void *gak_data)
 {
     /* force a hard error, we don't actually have the key */
-    return KDC_ERR_PREAUTH_FAILED;
+    return KRB5_PREAUTH_FAILED;
 }
 
 static krb5_error_code
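Review bot: the comment "force a hard error, we don't actually have the key" no longer says why this particular code matters; since s4u_identify_user matches the returned value against KRB5_PREAUTH_FAILED to recognise the successfully-identified-but-keyless case, a one-line note here that the caller depends on exactly this com_err code (a protocol code such as KDC_ERR_PREAUTH_FAILED is never surfaced by krb5_get_init_creds) would keep the two sides from drifting apart again.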
@@ -118,9 +118,7 @@ s4u_identify_user(krb5_context context,
                                   NULL, NULL, 0, NULL, opts,
                                   krb5_get_as_key_noop, &userid,
                                   &use_master, NULL);
-    if (code == 0 ||
-        code == KDC_ERR_PREAUTH_REQUIRED ||
-        code == KDC_ERR_PREAUTH_FAILED) {
+    if (code == 0 || code == KRB5_PREAUTH_FAILED) {
         *canon_user = userid.user;
         userid.user = NULL;
         code = 0;
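Review bot: the condition `if (code == 0 || code == KRB5_PREAUTH_FAILED)` treats a preauth failure as success without checking that the gak callback actually ran and populated userid.user; if krb5_get_init_creds fails with KRB5_PREAUTH_FAILED for some other reason (the commit message notes that module failures now map to this same code) the block stores a possibly NULL userid.user into *canon_user and reports success. Consider adding `&& userid.user != NULL` to the success path, or a comment above the condition explaining why KRB5_PREAUTH_FAILED counts as a successful identification and why KDC_ERR_PREAUTH_REQUIRED was dropped.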

