authorGreg Hudson <ghudson@mit.edu>2011-11-14 18:02:52 +0000
committerGreg Hudson <ghudson@mit.edu>2011-11-14 18:02:52 +0000
commit6a1f05eb0fb5451c887e73406fb8fcf5a3716d1c (patch)
tree0ac104674030a1d1e8796ef38bec7f232fc7b2bb /src/lib/krb5/krb/get_creds.c
parent9b21c05fec7cc9e06c7c8d00dd750ee8a32cfe44 (diff)
Handle TGS referrals to the same realm
krb5 1.6 through 1.8 contained a workaround for the Active Directory behavior of returning a TGS referral to the same realm as the request. 1.9 responds to this behavior by caching the returned TGT, trying again, and detecting a referral loop. This is a partial regression of ticket #4955. Detect this case and fall back to a non-referral request. ticket: 7016 target_version: 1.9.3 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25472 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb/get_creds.c')
-rw-r--r--src/lib/krb5/krb/get_creds.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index f229ba1c34..780e6568b0 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -557,6 +557,14 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
return begin_non_referral(context, ctx);
}
+ /* Active Directory may return a TGT to the local realm. Try a
+ * non-referral query if we see this. */
+ referral_realm = &ctx->reply_creds->server->data[1];
+ if (data_eq(*referral_realm, ctx->cur_tgt->server->data[1])) {
+ TRACE_TKT_CREDS_SAME_REALM_TGT(context, referral_realm);
+ return begin_non_referral(context, ctx);
+ }
+
if (ctx->referral_count == 1) {
/* Cache the referral TGT only if it's from the local realm.
* Make sure to note the associated authdata, if any. */
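Review bot: The added block indexes `data[1]` on both `ctx->reply_creds->server` and `ctx->cur_tgt->server`, and no component-count check for either principal is visible in this hunk. The reply side presumably relies on the check that ends on the two context lines just above (its condition is outside the hunk), and the `cur_tgt` side on that credential always being a krbtgt principal. Because the reply principal originates in the KDC response, that dependency should be stated so the block is not later moved above the guard. I would extend the comment with `/* reply_creds->server was checked above to be a two-component TGS principal, so data[1] is valid. */`, after confirming that this is what the preceding check establishes. step_referrals begins and ends outside the hunk.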
@@ -577,7 +585,6 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
return KRB5_KDC_UNREACH;
/* Check for referral loops. */
- referral_realm = &ctx->reply_creds->server->data[1];
if (seen_realm_before(context, ctx, referral_realm))
return KRB5_KDC_UNREACH;
code = remember_realm(context, ctx, referral_realm);