author | Sumit Bose <sbose@redhat.com> | 2013-06-17 12:22:32 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-17 20:01:31 +0200 |
commit | 95332f72acf87e04be6fb70c5dc00cabd14ac97c (patch) | |
tree | 25d3c82f92bec3f4c21d4f421a21e178b17ee6a6 | |
parent | ee02e59e4d966f44c7a48ad04474156fc65d7006 (diff) | |
Use principal from the ticket to find validation entry
If canonicalization or enterprise principals are enabled the realm of
the client principal might have changed compared to the original
request. To find the most suitable keytab entry to validate the TGT it is
better to use the returned client principal.
Fixes https://fedorahosted.org/sssd/ticket/1931
-rw-r--r-- | src/providers/krb5/krb5_child.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 74d730aaa..ac9a905fe 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -931,7 +931,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) } memset(&entry, 0, sizeof(entry)); - if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) { + if (krb5_realm_compare(kr->ctx, validation_princ, kr->creds->client)) { DEBUG(SSSDBG_TRACE_INTERNAL, ("Found keytab entry with the realm of the credential.\n")); realm_entry_found = true; |
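
Review bot: The new `krb5_realm_compare(kr->ctx, validation_princ, kr->creds->client)` call in `validate_tgt()` dereferences `kr->creds` with no NULL check visible in this hunk. Please confirm that every path into `validate_tgt()` has already populated `kr->creds`, or add a guard before the keytab loop that returns an error when it is unset. A short comment above the comparison would also help: it should say that the client principal from the returned ticket is used instead of `kr->princ` because canonicalization or enterprise principals can change the realm, so a later reader does not revert the change as a simplification.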