krb5 commit: Don't fail krb5_cc_select() for no default realm
Greg Hudson
ghudson at mit.edu
Sat Jan 1 20:53:58 EST 2022
https://github.com/krb5/krb5/commit/4b479814747b69ec386d0e092f71678e6e193a75
commit 4b479814747b69ec386d0e092f71678e6e193a75
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sun Dec 26 03:28:41 2021 +0200
Don't fail krb5_cc_select() for no default realm
If the target server principal is a host-based service without
multiple dotted components and no default realm is configured,
krb5_cc_select() can fail, and therefore gss_init_sec_context().
Continue without filling in the realm in this case.
[ghudson at mit.edu: edited commit message and comment; slightly adjusted
flow control]
ticket: 9042 (new)
src/lib/krb5/ccache/ccselect.c | 23 ++++++++++++-----------
src/tests/gssapi/t_gssapi.py | 9 +++++++++
2 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c
index 6c360e1..dee4c46 100644
--- a/src/lib/krb5/ccache/ccselect.c
+++ b/src/lib/krb5/ccache/ccselect.c
@@ -147,18 +147,19 @@ krb5_cc_select(krb5_context context, krb5_principal server,
server->type == KRB5_NT_SRV_HST && server->length == 2) {
ret = krb5_get_fallback_host_realm(context, &server->data[1],
&fbrealms);
- if (ret)
- goto cleanup;
-
- /* Make a copy with the first fallback realm. */
- ret = krb5_copy_principal(context, server, &srvcp);
- if (ret)
- goto cleanup;
- ret = krb5_set_principal_realm(context, srvcp, fbrealms[0]);
- if (ret)
+ /* Continue without realm if we failed due to no default realm. */
+ if (ret && ret != KRB5_CONFIG_NODEFREALM)
goto cleanup;
-
- server = srvcp;
+ if (!ret) {
+ /* Make a copy with the first fallback realm. */
+ ret = krb5_copy_principal(context, server, &srvcp);
+ if (ret)
+ goto cleanup;
+ ret = krb5_set_principal_realm(context, srvcp, fbrealms[0]);
+ if (ret)
+ goto cleanup;
+ server = srvcp;
+ }
}
/* Consult authoritative modules first, then heuristic ones. */
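Review bot: On the KRB5_CONFIG_NODEFREALM path the new code leaves the block with `ret` still holding that error and with `server` unchanged, so the ccselect modules below are handed a principal whose realm was never filled in. The rest of krb5_cc_select() lies outside this hunk, so it is worth confirming that every later path assigns `ret` before reaching `cleanup`; otherwise a stale KRB5_CONFIG_NODEFREALM could be returned. Clearing it explicitly on this path (`ret = 0;` before leaving the block) would remove that dependency. The comment could also state the consequence for selection, e.g. `/* Continue without realm if we failed due to no default realm; modules then see server with its realm unset. */`, so that module authors know they must tolerate that input rather than match on it.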
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 1740a61..5f093a1 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -23,11 +23,20 @@ realm.run([kadminl, 'addprinc', '-randkey', 'service1/barack'])
realm.run([kadminl, 'addprinc', '-randkey', 'service2/calvin'])
realm.run([kadminl, 'addprinc', '-randkey', 'service2/dwight'])
realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-'])
+realm.run([kadminl, 'addprinc', '-randkey', 'http/localhost'])
realm.run([kadminl, 'xst', 'service1/abraham'])
realm.run([kadminl, 'xst', 'service1/barack'])
realm.run([kadminl, 'xst', 'service2/calvin'])
+realm.run([kadminl, 'xst', 'http/localhost'])
realm.run([kadminl, 'renprinc', 'service1/abraham', 'service1/andrew'])
+# Test with no default realm and no dots in the server name.
+realm.run(['./t_accname', 'h:http at localhost'], expected_msg='http/localhost')
+remove_default = {'libdefaults': {'default_realm': None}}
+no_default = realm.special_env('no_default', False, krb5_conf=remove_default)
+realm.run(['./t_accname', 'h:http at localhost'], expected_msg='http/localhost',
+ env=no_default)
+
# Test with no acceptor name, including client/keytab principal
# mismatch (non-fatal) and missing keytab entry (fatal).
realm.run(['./t_accname', 'p:service1/andrew'],
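Review bot: The comment `# Test with no default realm and no dots in the server name.` sits above a `t_accname` run that still uses the default environment, so the first call reads as if it already exercised the no-default-realm case. Wording such as `# Baseline with a default realm, then repeat with default_realm removed (no dots in the server name).` would make clear that only the `env=no_default` run covers the fix. Only successful selection is asserted; the case where the fallback-realm lookup fails for a reason other than a missing default realm, which should still fail, is not covered in this hunk. As rendered on this page the target appears as `h:http at localhost`, which looks like the archive's address obfuscation of `h:http@localhost` rather than the committed text.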