Don't return a host referral to the service realm

A host referral to the same realm we just looked up the principal in is useless at best and confusing to the client at worst. Don't respond with one in the KDC. ticket: 7483 target_version: 1.11 tags: pullup
author: Greg Hudson <ghudson@mit.edu> 2012-12-06 21:40:05 -0500
committer: Greg Hudson <ghudson@mit.edu> 2012-12-06 21:40:53 -0500
commit: ee0d5eac353a13a194759b72cb44203fda1bf0fa (patch)
tree: 78a94f29d1e3baae8184d5c7dda48c8ad3d44d8f /src/kdc/do_tgs_req.c
parent: de80646215b623b1ce16fe8a2c2db85bba531532 (diff)
download: krb5-ee0d5eac353a13a194759b72cb44203fda1bf0fa.tar.gz
krb5-ee0d5eac353a13a194759b72cb44203fda1bf0fa.tar.xz
krb5-ee0d5eac353a13a194759b72cb44203fda1bf0fa.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b77c9eb546..d41bc5d4ee 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1148,7 +1148,9 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request,
         kdc_err(kdc_context, retval, "unable to find realm of host");
         goto cleanup;
     }
-    if (realms == NULL || realms[0] == '\0') {
+    /* Don't return a referral to the empty realm or the service realm. */
+    if (realms == NULL || realms[0] == '\0' ||
+        data_eq_string(srealm, realms[0])) {
         retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
         goto cleanup;
     }
author	Greg Hudson <ghudson@mit.edu>	2012-12-06 21:40:05 -0500
committer	Greg Hudson <ghudson@mit.edu>	2012-12-06 21:40:53 -0500
commit	ee0d5eac353a13a194759b72cb44203fda1bf0fa (patch)
tree	78a94f29d1e3baae8184d5c7dda48c8ad3d44d8f /src/kdc/do_tgs_req.c
parent	de80646215b623b1ce16fe8a2c2db85bba531532 (diff)
download	krb5-ee0d5eac353a13a194759b72cb44203fda1bf0fa.tar.gz krb5-ee0d5eac353a13a194759b72cb44203fda1bf0fa.tar.xz krb5-ee0d5eac353a13a194759b72cb44203fda1bf0fa.zip