From 4ea5cc2eff10a0750bfb6ed8424eaee08a528039 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sun, 6 Jan 2019 17:54:58 +1100
Subject: [PATCH] kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
---
 kdc/kerberos5.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 3c05c8033..1b4b00ee2 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1657,6 +1657,7 @@ _kdc_as_rep(kdc_request_t r,
 int i, flags = HDB_F_FOR_AS_REQ;
 METHOD_DATA error_method;
 const PA_DATA *pa;
+ krb5_boolean is_tgs;
 memset(&rep, 0, sizeof(rep));
 error_method.len = 0;
@@ -1715,6 +1716,8 @@ _kdc_as_rep(kdc_request_t r,
 kdc_log(context, config, 0, "AS-REQ %s from %s for %s", r->client_name, from, r->server_name);
+ is_tgs = krb5_principal_is_krbtgt(context, r->server_princ);
+
 /*
 *
 */
@@ -1777,7 +1780,7 @@ _kdc_as_rep(kdc_request_t r,
 goto out;
 }
 ret = _kdc_db_fetch(context, config, r->server_princ,
- HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags,
+ HDB_F_GET_SERVER | flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
 NULL, NULL, &r->server);
 if(ret == HDB_ERR_NOT_FOUND_HERE) {
 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy",
@@ -1803,11 +1806,10 @@ _kdc_as_rep(kdc_request_t r,
 */
 ret = _kdc_find_etype(context,
- krb5_principal_is_krbtgt(context, r->server_princ) ?
- config->tgt_use_strongest_session_key :
- config->svc_use_strongest_session_key, FALSE,
- r->client, b->etype.val, b->etype.len, &r->sessionetype,
- NULL);
+ is_tgs ? config->tgt_use_strongest_session_key
+ : config->svc_use_strongest_session_key,
+ FALSE, r->client, b->etype.val, b->etype.len,
+ &r->sessionetype, NULL);
 if (ret) {
 kdc_log(context, config, 0, "Client (%s) from %s has no common enctypes with KDC "
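Review bot: `is_tgs` is declared without an initializer in the first hunk and only assigned in the second, after the AS-REQ log line, in a function that (judging by the `goto out` visible in the third hunk) exits through a shared cleanup label. Both uses in this patch come after the assignment, so nothing reads it uninitialized as written. Initializing at the declaration, `krb5_boolean is_tgs = FALSE;`, would keep a later use on an early-exit path from reading an indeterminate value. The body of `_kdc_as_rep` starts and ends outside these hunks, so exits before the assignment were not checked.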
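Review bot: The conditional flag in the `_kdc_db_fetch` call has no comment saying why HDB_F_GET_KRBTGT is withheld for non-TGS servers, which is the point of the commit. I would add above the call `/* Only request krbtgt lookup semantics when the AS-REQ names the TGS; any other server is a plain HDB_F_GET_SERVER fetch. */`. Separately, `is_tgs` is derived from the requested name `r->server_princ`, not from the entry the HDB returns. If the backend resolves aliases, a request under another name could presumably reach a krbtgt entry without the flag, and with the `svc_use_strongest_session_key` policy in the last hunk; it is worth confirming that this is intended. The enclosing function continues outside the hunk.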