author | Isaac Boukris <iboukris@gmail.com> | 2021-12-26 03:28:41 +0200 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2022-01-01 20:29:08 -0500 |
commit | 4b479814747b69ec386d0e092f71678e6e193a75 (patch) | |
tree | 4bc99a3c3cd75ae0ecd6b38c9f3f59210f4b5792 | |
parent | 7f84f66e1a0c3877dd20fcf705182480cf00de0a (diff) | |
download | krb5-4b479814747b69ec386d0e092f71678e6e193a75.tar.gz |
Don't fail krb5_cc_select() for no default realm
If the target server principal is a host-based service without
multiple dotted components and no default realm is configured,
krb5_cc_select() can fail, and therefore gss_init_sec_context().
Continue without filling in the realm in this case.
[ghudson@mit.edu: edited commit message and comment; slightly adjusted
flow control]
ticket: 9042 (new)
-rw-r--r-- | src/lib/krb5/ccache/ccselect.c | 23 | ||||
-rwxr-xr-x | src/tests/gssapi/t_gssapi.py | 9 |
2 files changed, 21 insertions, 11 deletions
diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c index 6c360e100..dee4c4616 100644 --- a/src/lib/krb5/ccache/ccselect.c +++ b/src/lib/krb5/ccache/ccselect.c @@ -147,18 +147,19 @@ krb5_cc_select(krb5_context context, krb5_principal server, server->type == KRB5_NT_SRV_HST && server->length == 2) { ret = krb5_get_fallback_host_realm(context, &server->data[1], &fbrealms); - if (ret) - goto cleanup; - - /* Make a copy with the first fallback realm. */ - ret = krb5_copy_principal(context, server, &srvcp); - if (ret) - goto cleanup; - ret = krb5_set_principal_realm(context, srvcp, fbrealms[0]); - if (ret) + /* Continue without realm if we failed due to no default realm. */ + if (ret && ret != KRB5_CONFIG_NODEFREALM) goto cleanup; - - server = srvcp; + if (!ret) { + /* Make a copy with the first fallback realm. */ + ret = krb5_copy_principal(context, server, &srvcp); + if (ret) + goto cleanup; + ret = krb5_set_principal_realm(context, srvcp, fbrealms[0]); + if (ret) + goto cleanup; + server = srvcp; + } } /* Consult authoritative modules first, then heuristic ones. */ diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index 1740a6177..5f093a198 100755 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py 
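Review bot: On the KRB5_CONFIG_NODEFREALM path, `ret` is still non-zero when control leaves the `if (!ret)` block and reaches the module loop. The rest of krb5_cc_select() lies outside this hunk, so it may reassign `ret` on every route to `cleanup`, but if any route does not, the error this commit means to tolerate would still be returned. Clearing it right after the block with `ret = 0;` makes the fall-through explicit. The new comment could also state that the ccselect modules then see `server` with its realm left unfilled, since that affects which client credential cache is chosen for the target service.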
@@ -23,11 +23,20 @@ realm.run([kadminl, 'addprinc', '-randkey', 'service1/barack']) realm.run([kadminl, 'addprinc', '-randkey', 'service2/calvin']) realm.run([kadminl, 'addprinc', '-randkey', 'service2/dwight']) realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-']) +realm.run([kadminl, 'addprinc', '-randkey', 'http/localhost']) realm.run([kadminl, 'xst', 'service1/abraham']) realm.run([kadminl, 'xst', 'service1/barack']) realm.run([kadminl, 'xst', 'service2/calvin']) +realm.run([kadminl, 'xst', 'http/localhost']) realm.run([kadminl, 'renprinc', 'service1/abraham', 'service1/andrew']) +# Test with no default realm and no dots in the server name. +realm.run(['./t_accname', 'h:http@localhost'], expected_msg='http/localhost') +remove_default = {'libdefaults': {'default_realm': None}} +no_default = realm.special_env('no_default', False, krb5_conf=remove_default) +realm.run(['./t_accname', 'h:http@localhost'], expected_msg='http/localhost', + env=no_default) + # Test with no acceptor name, including client/keytab principal # mismatch (non-fatal) and missing keytab entry (fatal). realm.run(['./t_accname', 'p:service1/andrew'], |
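Review bot: The comment `# Test with no default realm and no dots in the server name.` sits above two runs, but the first `./t_accname h:http@localhost` call passes no `env=` and so presumably runs with the default realm still configured. Only the second run uses `no_default`, so the comment should say so, e.g. `# Baseline with the default realm, then the same name with default_realm removed.` Both runs assert only that the output contains `http/localhost`, which shows that context establishment succeeds but not which cache krb5_cc_select() picked. Checking the selection would need a cache collection with more than one cache, and this hunk does not show one being set up.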