authorNate Rosenblum <nater@maginatics.com>2013-12-23 13:21:44 -0800
committerTom Yu <tlyu@mit.edu>2014-02-18 15:20:15 -0500
commit3093b92734adfe2deb9ad6bad5a221acc967fd8b (patch)
tree03fc06d402a5b8e85cb07021ddaa3b9dc5d48aa2 /src
parentbfc8f194ae431fc4fadaa431a2a636b4e9b025dd (diff)
Support referrals from Windows Server 2003
Although RFC 6806 Section 7 requires servers to indicate a client referral in a WRONG_REALM message, Microsoft Windows Server 2003 returns this information in a message with error code PRINCIPAL_UNKNOWN. Failure to follow the referral in these messages prevents referral chasing in Windows Server 2003 forests. Detect referral messages of this type by checking for a non-empty client.realm field in the response, and activate the referral logic in these cases. [tlyu@mit.edu: style, comments, and commit message] ticket: 7856 (new) target_version: 1.12.2 tags: pullup
Diffstat (limited to 'src')
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c35
1 files changed, 32 insertions, 3 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index f8f38014b6..d7b2bd9ebd 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1396,6 +1396,35 @@ note_req_timestamp(krb5_context context, krb5_init_creds_context ctx,
AUTH_OFFSET : UNAUTH_OFFSET;
}
+/* Determine whether the client realm in a KRB-ERROR is empty. */
+static krb5_boolean
+is_empty_crealm(krb5_error *err)
+{
+
+ return (err->client == NULL || err->client->realm.length == 0);
+}
+
+/*
+ * Determine whether a KRB-ERROR is a referral to another realm.
+ *
+ * RFC 6806 Section 7 requires that KDCs return the referral realm in
+ * an error type WRONG_REALM, but Microsoft Windows Server 2003 (and
+ * possibly others) return the realm in a PRINCIPAL_UNKNOWN message.
+ * Detect this case by looking for a non-empty client.realm field in
+ * such responses.
+ */
+static krb5_boolean
+is_referral(krb5_init_creds_context ctx)
+{
+ krb5_error *err = ctx->err_reply;
+
+ if (err->error == KDC_ERR_WRONG_REALM)
+ return TRUE;
+ if (err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
+ return FALSE;
+ return !is_empty_crealm(err);
+}
+
static krb5_error_code
init_creds_step_reply(krb5_context context,
krb5_init_creds_context ctx,
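Review bot: `is_referral()` accepts any KDC_ERR_C_PRINCIPAL_UNKNOWN error with a non-empty client realm as a referral, without checking that the realm differs from the one the request was just sent to. A KDC that merely echoes the client principal in its error would then be treated as referring the client back to its own realm, and the genuine "principal unknown" result may be replaced by whatever the referral path (which continues outside this hunk) ends up reporting. A KRB-ERROR in the plain AS exchange carries no integrity protection, so the crealm value is best treated as an untrusted hint that must at least name a different realm before it is acted on. Consider passing the library context in and ending with `return !is_empty_crealm(err) && !krb5_realm_compare(context, err->client, ctx->request->client);`, assuming the requested principal is reachable as `ctx->request->client`; `is_empty_crealm()` could also take a `const krb5_error *` since it only reads.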
@@ -1454,9 +1483,9 @@ init_creds_step_reply(krb5_context context,
ctx->preauth_to_use);
ctx->preauth_required = TRUE;
- } else if (canon_flag && ctx->err_reply->error == KDC_ERR_WRONG_REALM) {
- if (ctx->err_reply->client == NULL ||
- !ctx->err_reply->client->realm.length) {
+ } else if (canon_flag && is_referral(ctx)) {
+ if (is_empty_crealm(ctx->err_reply)) {
+ /* Only WRONG_REALM referral types can reach this. */
code = KRB5KDC_ERR_WRONG_REALM;
goto cleanup;
}