kdc_preauth.c (check_padata): If preauth fails because the preauth

	data from the client was of an unknown type, and the principal does
	not require preauth, then the preauth should be disregarded.
	[krb5-kdc/652]

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11130 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 14 insertions, 0 deletions

diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 861585654..d593227df 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,10 @@
+1998-12-17  Theodore Ts'o  <tytso@rsts-11.mit.edu>
+
+	* kdc_preauth.c (check_padata): If preauth fails because the
+		preauth data from the client was of an unknown type, and
+		the principal does not require preauth, then the preauth
+		should be disregarded.  [krb5-kdc/652]
+
 Mon Jan  4 23:50:45 1999  Tom Yu  <tlyu@mit.edu>
 
 	* configure.in (withval): Conditinalize ATHENA_DES3_KLUDGE on
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 0324694a2..d1b1b3637 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -301,6 +301,13 @@ check_padata (context, client, request, enc_tkt_reply)
     }
     if (pa_ok)
 	return 0;
+
+    /* pa system was not found, but principal doesn't require preauth */
+    if (!pa_found &&
+        !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
+        !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
+       return 0;
+
     if (!pa_found)
 	com_err("krb5kdc", retval, "no valid preauth type found");
     return KRB5KDC_ERR_PREAUTH_FAILED;