author | rbasch <probe@tardis.internal.bright-prospects.com> | 2013-12-16 10:54:41 -0500 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2013-12-30 18:58:03 -0500 |
commit | f37067776f9431879769f3874fdab6120ba3f155 (patch) | |
tree | e2b25d3b6dfab47656dac9d546aa1eef08023255 | |
parent | 815565f918f2c64c59561dbe37efc251ddb67c22 (diff) | |
Log service princ in KDC more reliably
Under some error conditions, the KDC would log "<unknown server>" for
the service principal because service principal information is not yet
available to the logging functions. Set the appropriate variables
earlier.
do_as_req.c: After unparsing the client, immediately unparse the
server before searching for the client principal in the KDB.
do_tgs_req.c: Save a pointer to the client-requested service
principal, to make sure it gets logged if an error happens before
search_sprinc() successfully completes.
[tlyu@mit.edu: commit message; fix TGS to catch more error cases]
ticket: 7802
target_version: 1.12.1
tags: pullup
-rw-r--r-- | src/kdc/do_as_req.c | 25 | ||||
-rw-r--r-- | src/kdc/do_tgs_req.c | 5 |
2 files changed, 18 insertions, 12 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 268d4f452b..95c3e23620 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -555,6 +555,19 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 }
 limit_string(state->cname);
+ if (!state->request->server) {
+ state->status = "NULL_SERVER";
+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto errout;
+ }
+ if ((errcode = krb5_unparse_name(kdc_context,
+ state->request->server,
+ &state->sname))) {
+ state->status = "UNPARSING_SERVER";
+ goto errout;
+ }
+ limit_string(state->sname);
+
 /*
 * We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint
 * to the backend to return naming information in lieu
@@ -604,18 +617,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 au_state->stage = SRVC_PRINC;
- if (!state->request->server) {
- state->status = "NULL_SERVER";
- errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- goto errout;
- }
- if ((errcode = krb5_unparse_name(kdc_context,
- state->request->server,
- &state->sname))) {
- state->status = "UNPARSING_SERVER";
- goto errout;
- }
- limit_string(state->sname);
 s_flags = 0;
 setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
 if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c12de2b3e6..5cfe0b64b1 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -145,6 +145,9 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 session_key.contents = NULL;
 retval = decode_krb5_tgs_req(pkt, &request);
+ /* Save pointer to client-requested service principal, in case of errors
+ * before a successful call to search_sprinc(). */
+ sprinc = request->server;
 if (retval) return retval;
 if (request->msg_type != KRB5_TGS_REQ) {
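Review bot: The server checks added after `limit_string(state->cname);` now run before the `au_state->stage = SRVC_PRINC;` assignment that the second hunk of this file keeps as context, so a `NULL_SERVER` or `UNPARSING_SERVER` failure reaches `errout` with whatever audit stage was set earlier. If the code at `errout` reads `au_state->stage` (not visible here), these two server-side failures would be recorded under the wrong stage, which matters to anyone triaging KDC audit records. A short comment on the new lines would also explain why they sit here, for example `/* Unparse the server name early so that later error paths can log it. */`. process_as_req's body starts and ends outside the hunk.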
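Review bot: The added `sprinc = request->server;` dereferences `request` before the `if (retval) return retval;` check that follows it, so a TGS-REQ that fails to decode still reaches the dereference. If `decode_krb5_tgs_req()` leaves `request` NULL or unset on failure (its contract is not visible in this hunk), the KDC process would fault on a malformed request instead of returning the decode error. Moving the assignment below the check removes the risk and keeps the logging benefit: `if (retval) return retval;` followed by `sprinc = request->server;`. The later hunk at -202 has the same ordering, reading `request->server` before testing `errcode` from `kdc_find_fast()`; that is safe only if `request` stays valid when the call fails, which deserves a comment or a move below the check there too. process_tgs_req's body starts and ends outside the hunk.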
@@ -202,6 +205,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 scratch.data = (char *) pa_tgs_req->contents;
 errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state, NULL);
+ /* Reset sprinc because kdc_find_fast() can replace request. */
+ sprinc = request->server;
 if (errcode !=0) {
 status = "kdc_find_fast";
 goto cleanup; |