authorSumit Bose <sbose@redhat.com>2014-02-28 21:07:19 +0100
committerSumit Bose <sbose@redhat.com>2014-02-28 21:07:19 +0100
commit1e67afe8c5a290a015805da7b41322d62ef0901a (patch)
tree68cc0e5601200c690c775a9723fb2b771755658e
parent42108d1c0dc552e5dbc249507bfe59a1ef1d4c8e (diff)
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c20
1 files changed, 13 insertions, 7 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 9137cd5ad..c1e0b9b73 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1731,6 +1731,12 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
}
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+ if (proxy == NULL) {
+ *pac = NULL;
+ kerr = 0;
+ goto done;
+ }
+
kerr = ipadb_add_transited_service(context, proxy, server,
old_pac, new_pac);
if (kerr) {
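Review bot: The new `proxy == NULL` branch in ipadb_verify_pac returns success with `*pac = NULL` but has no comment saying why a missing proxy entry is an expected state, unlike the matching `client == NULL` check in ipadb_sign_authdata. I would add something like `/* No proxy entry: issue no PAC instead of passing NULL to ipadb_add_transited_service() */` above the check. Because the request now succeeds without a PAC, callers should treat the NULL result as "no authorization data" rather than as an error. The `done` label and the allocation of `old_pac`/`new_pac` are outside this hunk, so please confirm that the cleanup path releases both when it is reached from here.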
@@ -1986,13 +1992,6 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
krb5_db_entry *client_entry = NULL;
- /* When client is NULL, authdata flag on the service principal was cleared
- * by an admin. We don't generate MS-PAC in this case */
- if (client == NULL) {
- *signed_auth_data = NULL;
- return 0;
- }
-
/* When using s4u2proxy client_princ actually refers to the proxied user
* while client->princ to the proxy service asking for the TGS on behalf
* of the proxied user. So always use client_princ in preference */
@@ -2000,6 +1999,13 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
ks_client_princ = client_princ;
kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
} else {
+ /* When client is NULL, authdata flag on the service principal was cleared
+ * by an admin. We don't generate MS-PAC in this case */
+ if (client == NULL) {
+ *signed_auth_data = NULL;
+ return 0;
+ }
+
ks_client_princ = client->princ;
}
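Review bot: Moving the `client == NULL` check into the `else` branch means `client` can now be NULL for the rest of ipadb_sign_authdata whenever the branch that uses `client_princ` is taken. Any later use of `client` would then need its own guard; the function continues below this hunk, so that could not be checked here. A one-line comment in the first branch, for example `/* client may be NULL here; only client_princ is used */`, would make the new invariant explicit for the next reader. The early `return 0` also skips any shared cleanup, which is safe only if nothing has been allocated before this point; the visible lines show only `client_entry = NULL`, but the start of the function is outside the hunk.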