kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal

Luke Howard
2019-01-06 17:54:58 +11:00
parent 0141e7a497
commit 4ea5cc2eff


@@ -1657,6 +1657,7 @@ _kdc_as_rep(kdc_request_t r,
int i, flags = HDB_F_FOR_AS_REQ; int i, flags = HDB_F_FOR_AS_REQ;
METHOD_DATA error_method; METHOD_DATA error_method;
const PA_DATA *pa; const PA_DATA *pa;
krb5_boolean is_tgs;
memset(&rep, 0, sizeof(rep)); memset(&rep, 0, sizeof(rep));
error_method.len = 0; error_method.len = 0;
@@ -1715,6 +1716,8 @@ _kdc_as_rep(kdc_request_t r,
kdc_log(context, config, 0, "AS-REQ %s from %s for %s", kdc_log(context, config, 0, "AS-REQ %s from %s for %s",
r->client_name, from, r->server_name); r->client_name, from, r->server_name);
is_tgs = krb5_principal_is_krbtgt(context, r->server_princ);
/* /*
* *
*/ */
@@ -1777,7 +1780,7 @@ _kdc_as_rep(kdc_request_t r,
goto out; goto out;
} }
ret = _kdc_db_fetch(context, config, r->server_princ, ret = _kdc_db_fetch(context, config, r->server_princ,
HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags, HDB_F_GET_SERVER | flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
NULL, NULL, &r->server); NULL, NULL, &r->server);
if(ret == HDB_ERR_NOT_FOUND_HERE) { if(ret == HDB_ERR_NOT_FOUND_HERE) {
kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy",
@@ -1803,11 +1806,10 @@ _kdc_as_rep(kdc_request_t r,
*/ */
ret = _kdc_find_etype(context, ret = _kdc_find_etype(context,
krb5_principal_is_krbtgt(context, r->server_princ) ? is_tgs ? config->tgt_use_strongest_session_key
config->tgt_use_strongest_session_key : : config->svc_use_strongest_session_key,
config->svc_use_strongest_session_key, FALSE, FALSE, r->client, b->etype.val, b->etype.len,
r->client, b->etype.val, b->etype.len, &r->sessionetype, &r->sessionetype, NULL);
NULL);
if (ret) { if (ret) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Client (%s) from %s has no common enctypes with KDC " "Client (%s) from %s has no common enctypes with KDC "