[krbdev.mit.edu #8122] git commit
Tom Yu via RT
rt-comment at krbdev.mit.edu
Fri Feb 6 22:20:32 EST 2015
Do not loop on principal unknown errors
If the canonicalize flag is set, the MIT KDC always return the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.
Check that this is really a referral by testing that the returned
client realm differs from the requested one.
[ghudson at mit.edu: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm. Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]
(cherry picked from commit d5755694b620570defeecee772def90a2733c6cc)
https://github.com/krb5/krb5/commit/caf779261b782ca59fa4f6f2914ea43ffc1987bd
Author: Simo Sorce <simo at redhat.com>
Committer: Tom Yu <tlyu at mit.edu>
Commit: caf779261b782ca59fa4f6f2914ea43ffc1987bd
Branch: krb5-1.11
src/lib/krb5/krb/get_in_tkt.c | 40 +++++++++++++---------------------------
1 files changed, 13 insertions(+), 27 deletions(-)
More information about the krb5-bugs
mailing list