authorGreg Hudson <ghudson@mit.edu>2013-08-29 18:17:29 -0400
committerGreg Hudson <ghudson@mit.edu>2013-09-03 21:38:31 -0400
commit2f37634ae89f8bd13ec64120fce56ba5613c498c (patch)
treee2eec8eaccbc921adacacbdf964139303f0a410c /src
parent95b03a6fef4b86d1f8fac0a6ef92e86d836e261f (diff)
Tighten up referral recognition in KDC TGS code
In do_tgs_req(), treat the search_sprinc() result as a referral only if it is a cross-TGS principal and it doesn't match the requested server principal. This change fixes two corner cases: (1) when a client requests a cross-realm TGT, we won't squash the name type in the response; and (2) if we are serving multiple realms out of the same KDB, we will properly handle aliases to any local-realm TGT, not just the one for the configured realm name. ticket: 7555
Diffstat (limited to 'src')
-rw-r--r--src/kdc/do_tgs_req.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 85f07f171..240203638 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -217,8 +217,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
if (errcode != 0)
goto cleanup;
sprinc = server->princ;
- is_referral = krb5_is_tgs_principal(server->princ) &&
- !krb5_principal_compare(kdc_context, tgs_server, server->princ);
+
+ /* If we got a cross-realm TGS which is not the requested server, we are
+ * issuing a referral (or alternate TGT, which we treat similarly). */
+ is_referral = is_cross_tgs_principal(server->princ) &&
+ !krb5_principal_compare(kdc_context, request->server, server->princ);
+
if (is_referral) {
/*
* We may be issuing an alternate TGT or a referral to another realm,
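Review bot: The comparison on the new `is_referral` line now pairs `request->server`, the name the client asked for, against `server->princ`, the entry the KDB lookup returned, and the comment above it does not say which side is which or why the client-supplied name (rather than the KDC's own `tgs_server`, as before) is the right operand; the first-line of the comment could say so, e.g. `/* request->server is the client-requested name; server->princ is the KDB entry it resolved to. A cross-realm TGS entry that differs from the requested name means the request was for an alias, so treat it as a referral (or alternate TGT, handled similarly). */`. It would also help a reader to note that `krb5_principal_compare` is realm-sensitive here, so a same-name TGT in another realm served from the same KDB still counts as a referral, which appears to be the multi-realm case the commit message describes. The semantics of `is_cross_tgs_principal` are not visible in this hunk, so whether it is purely a name-shape test should be confirmed against its definition. process_tgs_req begins before and continues past this hunk.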