author | Greg Hudson <ghudson@mit.edu> | 2013-05-20 11:03:04 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-05-21 11:03:13 -0400 |
commit | 57acee11b5c6682a7f4f036e35d8b2fc9292875e (patch) | |
tree | 6f198386b2591b8d8495f6c8260b4f905360ddfb /src/tests/gssapi | |
parent | e818d27a372d021bc6025e7bce867ed06a8fc1ad (diff) | |
Fix transited handling for GSSAPI acceptors
The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.
To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.
Based on a bug report and patch from nalin@redhat.com.
ticket: 7639
target_version: 1.11.3
tags: pullup
Diffstat (limited to 'src/tests/gssapi')
-rwxr-xr-x | src/tests/gssapi/t_gssapi.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index de778cc910..5583b0247f 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -110,6 +110,19 @@ if 'host/-nomatch-' not in output:
 realm.stop()
+# Make sure a GSSAPI acceptor can handle cross-realm tickets with a
+# transited field. (Regression test for #7639.)
+r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
+ create_user=False, create_host=False,
+ args=[{'realm': 'A.X', 'create_user': True},
+ {'realm': 'X'},
+ {'realm': 'B.X', 'create_host': True}])
+os.rename(r3.keytab, r1.keytab)
+r1.run(['./t_accname', 'p:' + r3.host_princ, 'h:host'])
+r1.stop()
+r2.stop()
+r3.stop()
+
 ### Test gss_inquire_cred behavior.
 realm = K5Realm() |
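Review bot: The `os.rename(r3.keytab, r1.keytab)` line carries the whole setup of this regression test but has no comment explaining it. It appears to put the B.X host key where r1's environment looks for its keytab, so that the acceptor started through `r1.run` decrypts the ticket with a keytab entry from another realm. I would add `# Give r1's environment the B.X host key so the acceptor decrypts a cross-realm ticket.` above it. The test also only relies on `t_accname` exiting successfully (assuming `run` fails the script on a non-zero exit), and nothing checks that the accepted ticket carried a non-empty transited field. A short comment that the A.X -> X -> B.X path is what forces the transited check would keep a later edit to the `cross_realms` arguments from silently turning this into a same-realm test.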