authorSam Hartman <hartmans@mit.edu>2009-04-30 00:38:48 +0000
committerSam Hartman <hartmans@mit.edu>2009-04-30 00:38:48 +0000
commit27901f6cce3588c9ac1aa6cadb6ee6147ca57a24 (patch)
treed4e1b506eca97995bb37c1d6de8d6b6b131d87a2 /src/kdc/kdc_preauth.c
parent41d6e61e7a953d6ef5e77a3271208b1b6c4e4921 (diff)
Do not return PREAUTH_FAILED on unknown preauth
If the KDC receives unknown pre-authentication data then ignore it. Do not get into a case where PREAUTH_FAILED is returned because of unknown pre-authentication. The main AS loop will cause PREAUTH_REQUIRED to be returned if the preauth_required flag is set and no valid preauth is found. ticket: 6480 Target_Version: 1.7 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22292 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/kdc_preauth.c')
-rw-r--r--src/kdc/kdc_preauth.c12
1 files changed, 3 insertions, 9 deletions
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index b153bbf257..63f7687560 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1204,17 +1204,11 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
if (pa_ok)
return 0;
- /* pa system was not found, but principal doesn't require preauth */
- if (!pa_found &&
- !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
- !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
+ /* pa system was not found; we may return PREAUTH_REQUIRED later,
+ but we did not actually fail to verify the pre-auth. */
+ if (!pa_found)
return 0;
- if (!pa_found) {
- emsg = krb5_get_error_message(context, retval);
- krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg);
- krb5_free_error_message(context, emsg);
- }
/* The following switch statement allows us
* to return some preauth system errors back to the client.
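Review bot: With the new `if (!pa_found) return 0;`, check_padata returns the same value for "padata verified" and "no recognised padata at all", and the KRB5_KDB_REQUIRES_PRE_AUTH / KRB5_KDB_REQUIRES_HW_AUTH tests that used to guard this return are no longer made here. The commit message says the main AS loop enforces preauth_required, but that code is outside this hunk, so it is worth confirming that it also rejects principals with KRB5_KDB_REQUIRES_HW_AUTH set, and stating the invariant in the comment, e.g. `/* 0 here means "nothing to verify", not "verified"; the AS loop must still enforce REQUIRES_PRE_AUTH and REQUIRES_HW_AUTH. */`. The change also drops the `krb5_klog_syslog` line for requests that carry only unrecognised padata; a fixed-text line before the return, such as `krb5_klog_syslog(LOG_INFO, "no valid preauth type found; ignoring padata");`, would keep those requests visible to operators. check_padata begins and ends outside the hunk.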