[krbdev.mit.edu #7136] SVN Commit
Tom Yu via RT
rt-comment at krbdev.mit.edu
Tue May 29 19:19:00 EDT 2012

Fix S4U user identification in preauth case

In 1.10, encrypted timestamp became a built-in module instead of a
hardcoded padata handler. This changed the behavior of
krb5_get_init_creds as invoked by s4u_identify_user such that
KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
(Module failures are not treated as hard errors, while hardcoded
padata handler errors are.) Accordingly, we should look for
KRB5_PREAUTH_FAILED in s4u_identify_user.

On a less harmful note, the gak function was returning a protocol
error code instead of a com_err code, and the caller was testing for a
different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
never be returned by krb5_get_init_creds. Clean up both of those by
returning KRB5_PREAUTH_FAILED from the gak function and testing for
that alone.

Reported by Michael Morony.

(cherry picked from commit 33a64a7f9dc7342880f7a477a8b3447891d20af5)

https://github.com/krb5/krb5/commit/e934d973eb7e43792062ee1a6b4396ca41d0f862
Author: Greg Hudson <ghudson at mit.edu>
Committer: Tom Yu <tlyu at mit.edu>
Commit: e934d973eb7e43792062ee1a6b4396ca41d0f862
Branch: krb5-1.10
src/lib/krb5/krb/s4u_creds.c | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)
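
The error-propagation change described in the commit message above, as an added C model that is not krb5 source code and not part of the original message. `model_get_init_creds`, `old_check`, `new_check`, `recognised` and `GAK_PROTOCOL_ERR` are hypothetical names; that the pre-fix caller also accepted the gak function's own code is an assumption inferred from "testing for that alone".

```c
#include <stdio.h>

#define KRB5_PREAUTH_FAILED      (-1765328174L) /* krb5 com_err code */
#define KDC_ERR_PREAUTH_REQUIRED 25L            /* Kerberos protocol error code */
/* Constructed stand-in for the protocol-level code the old gak function
 * returned; the commit message does not name it. */
#define GAK_PROTOCOL_ERR         24L

enum dispatch { HARDCODED_HANDLER, BUILTIN_MODULE };

/* Hypothetical model of how a gak-function error surfaces from
 * krb5_get_init_creds. A hardcoded padata handler's error is a hard error
 * and reaches the caller unchanged. A module failure is not a hard error,
 * so the caller only sees the generic KRB5_PREAUTH_FAILED. */
static long model_get_init_creds(enum dispatch d, long gak_err)
{
    return d == HARDCODED_HANDLER ? gak_err : KRB5_PREAUTH_FAILED;
}

/* Assumed pre-fix caller test: protocol codes only. */
static int old_check(long code)
{
    return code == KDC_ERR_PREAUTH_REQUIRED || code == GAK_PROTOCOL_ERR;
}

/* Post-fix caller test: KRB5_PREAUTH_FAILED alone. */
static int new_check(long code)
{
    return code == KRB5_PREAUTH_FAILED;
}

/* Returns 1 when the caller recognises the gak function's deliberate failure. */
static int recognised(enum dispatch d, int fixed)
{
    long gak_err = fixed ? KRB5_PREAUTH_FAILED : GAK_PROTOCOL_ERR;
    long code = model_get_init_creds(d, gak_err);
    return fixed ? new_check(code) : old_check(code);
}

int main(void)
{
    printf("hardcoded handler, old check: %d\n", recognised(HARDCODED_HANDLER, 0));
    printf("built-in module,   old check: %d\n", recognised(BUILTIN_MODULE, 0));
    printf("built-in module,   new check: %d\n", recognised(BUILTIN_MODULE, 1));
    printf("hardcoded handler, new check: %d\n", recognised(HARDCODED_HANDLER, 1));
    return 0;
}
```

Because the fixed gak function itself returns KRB5_PREAUTH_FAILED, the new test holds whether the error is propagated unchanged or replaced by the module path.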