author | Stefan Metzmacher <metze@samba.org> | 2015-02-10 13:27:57 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2015-07-08 18:38:20 +0200 |
commit | fca11edc0b476f5b87b3301da32fd0409d9590c7 (patch) | |
tree | baee64439d3a67066804981f36c3837a2f75b665 | |
parent | 3a14835d18905b162929d65175f7ee24a99d522a (diff) | |
heimdal:lib/krb5: correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals
An AS-REQ with an enterprise principal will always be directed to a KDC of the local
(default) realm. The KDC directs the client into the direction of the
final realm. See rfc6806.txt.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/heimdal/lib/krb5/init_creds_pw.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c index 6c874126ab5..b6c0a643e95 100644 --- a/source4/heimdal/lib/krb5/init_creds_pw.c +++ b/source4/heimdal/lib/krb5/init_creds_pw.c @@ -1798,6 +1798,18 @@ krb5_init_creds_step(krb5_context context, ctx->cred.client, *ctx->error.crealm); + if (ret) + goto out; + + if (krb5_principal_is_krbtgt(context, ctx->cred.server)) { + ret = krb5_init_creds_set_service(context, ctx, NULL); + if (ret) + goto out; + } + + free_AS_REQ(&ctx->as_req); + memset(&ctx->as_req, 0, sizeof(ctx->as_req)); + ctx->used_pa_types = 0; } if (ret) @@ -1805,6 +1817,15 @@ krb5_init_creds_step(krb5_context context, } } + if (ctx->as_req.req_body.cname == NULL) { + ret = init_as_req(context, ctx->flags, &ctx->cred, + ctx->addrs, ctx->etypes, &ctx->as_req); + if (ret) { + free_init_creds_ctx(context, ctx); + return ret; + } + } + if (ctx->as_req.padata) { free_METHOD_DATA(ctx->as_req.padata); free(ctx->as_req.padata); |
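Review bot: Nothing in the first hunk bounds how many times the WRONG_REALM branch can rewrite the client realm and rebuild the AS-REQ, so a chain or cycle of referrals would be followed for as long as KDCs keep returning them. `*ctx->error.crealm` is taken from a KRB-ERROR, which is not integrity-protected unless FAST armor is in use, so the next AS-REQ and any pre-authentication data built for it go to whatever realm the reply names. Consider a per-context hop counter checked before `krb5_principal_set_realm`, with a comment such as `/* crealm is from an unauthenticated KRB-ERROR; bound referral hops */`. krb5_init_creds_step starts and ends outside the hunk, so a limit may already exist elsewhere in the function or in the caller's loop.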
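Review bot: The failure path of the added `init_as_req` call in the second hunk releases the context with `free_init_creds_ctx(context, ctx); return ret;`, while the errors added in the first hunk leave through `goto out;`. ctx is passed in by the caller, and if the caller later releases it again (presumably via krb5_init_creds_free), safety depends on free_init_creds_ctx leaving every freed member NULL, which is not visible here. If the `out:` path does no conflicting cleanup, `if (ret) goto out;` would keep a single exit and leave ownership with the caller; otherwise a comment stating that the context is emptied but must still be freed by the caller would help. The function body and the `out:` label are outside the hunk.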