Diffstat (limited to 'src')
| -rw-r--r-- | src/kdc/kdc_util.c | 17 | ||||
| -rw-r--r-- | src/tests/t_keytab.py | 7 |
2 files changed, 20 insertions, 4 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 3c2169e0d..48947c648 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1517,7 +1517,7 @@ validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server,
 }
 /* Return true if we believe server can support enctype as a session key. */
-krb5_boolean
+static krb5_boolean
 dbentry_supports_enctype(krb5_context context, krb5_db_entry *server,
 krb5_enctype enctype)
 {
@@ -1571,6 +1571,7 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
 int nktypes, krb5_enctype *ktype)
 {
 int i;
+ krb5_enctype first_permitted = 0;
 for (i = 0; i < nktypes; i++) {
 if (!krb5_c_valid_enctype(ktype[i]))
@@ -1579,9 +1580,23 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
 if (!krb5_is_permitted_enctype(context, ktype[i]))
 continue;
+ if (first_permitted == 0)
+ first_permitted = ktype[i];
+
 if (dbentry_supports_enctype(context, server, ktype[i]))
 return ktype[i];
 }
+
+ /*
+ * If we didn't find a match and the server is the local TGS server, this
+ * could be a keytab-based AS request where the keytab enctypes don't
+ * overlap the TGT principal enctypes. Try to make this work by using the
+ * first permitted enctype in the request, even though we can't be certain
+ * that other KDCs in the realm support it.
+ */
+ if (krb5_principal_compare(context, server->princ, tgs_server))
+ return first_permitted;
+
 return 0;
 }
diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
index f56c7bba3..ef303f197 100644
--- a/src/tests/t_keytab.py
+++ b/src/tests/t_keytab.py
@@ -1,10 +1,11 @@
 #!/usr/bin/python
 from k5test import *
-realm = K5Realm()
+for realm in multipass_realms(create_user=False):
+ # Test kinit with a keytab.
+ realm.kinit(realm.host_princ, flags=['-k'])
-# Test kinit with a keytab.
-realm.kinit(realm.host_princ, flags=['-k'])
+realm = K5Realm(get_creds=False)
 # Test kinit with a partial keytab.
 pkeytab = realm.keytab + '.partial' |
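Review bot: The new fallback at the end of select_session_keytype is guarded only by `krb5_principal_compare(context, server->princ, tgs_server)`, so it applies to every caller that passes the local TGS entry, not just the keytab-based AS request the comment describes. The function starts outside this hunk, so its callers are not visible here. On that path the session key type is limited only by `krb5_is_permitted_enctype` and the order of the client's request list, which makes the KDC's permitted-enctype configuration the sole control over how weak a TGT session key can be. I would say so in the comment, e.g. `Only krb5_is_permitted_enctype() limits this choice; the TGS principal's key data is not consulted.` It is also worth noting there that `first_permitted` stays 0, meaning no match, when nothing in the request is permitted.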
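Review bot: The loop over `multipass_realms(create_user=False)` only checks that keytab kinit succeeds; nothing asserts which session enctype the KDC chose, and there is no negative case showing that a non-TGS service with no overlapping enctype is still refused. A comment above the loop would help, e.g. `# Run under each enctype pass so keytab and TGT principal enctypes need not overlap.` (presumably what the passes vary; confirm against k5test). The loop variable `realm` is rebound by `realm = K5Realm(get_creds=False)` right after the loop, which is easy to misread; a distinct name inside the loop would be clearer.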
