Try capaths first, then referrals
When looking for a ticket, use the capath codepath first when we know the service's realm, because we might have local policy as to how to get there. Then, if that doesn't work, try referrals. (For now unconditionally.)
@@ -1152,28 +1152,31 @@ _krb5_get_cred_kdc_any(krb5_context context,
|
||||
context->kdc_usec_offset = 0;
|
||||
}
|
||||
|
||||
/* Try referrals */
|
||||
ret = get_cred_kdc_referral(context,
|
||||
flags,
|
||||
ccache,
|
||||
in_creds,
|
||||
impersonate_principal,
|
||||
second_ticket,
|
||||
out_creds);
|
||||
if (strcmp(in_creds->server->realm, "") != 0) {
|
||||
/*
|
||||
* Non-empty realm? Try capaths first. We might have local
|
||||
* policy (capaths) to honor.
|
||||
*/
|
||||
ret = get_cred_kdc_capath(context,
|
||||
flags,
|
||||
ccache,
|
||||
in_creds,
|
||||
impersonate_principal,
|
||||
second_ticket,
|
||||
out_creds,
|
||||
ret_tgts);
|
||||
if (ret == 0)
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* "Empty realm" -> only do referrals */
|
||||
if (ret == 0 || strcmp(in_creds->server->realm, "") == 0)
|
||||
return ret;
|
||||
|
||||
/* Try capaths */
|
||||
return get_cred_kdc_capath(context,
|
||||
flags,
|
||||
ccache,
|
||||
in_creds,
|
||||
impersonate_principal,
|
||||
second_ticket,
|
||||
out_creds,
|
||||
ret_tgts);
|
||||
/* Otherwise try referrals */
|
||||
return get_cred_kdc_referral(context,
|
||||
flags,
|
||||
ccache,
|
||||
in_creds,
|
||||
impersonate_principal,
|
||||
second_ticket,
|
||||
out_creds);
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
|
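Review bot: After `if (ret == 0) return ret;` every capath failure falls through to get_cred_kdc_referral(), so the code does not distinguish "no capath is configured for this realm" from a failure on the path that local policy prescribes. Since the stated reason for trying capaths first is to honor local policy, an unconditional fallback lets a KDC-directed referral chain stand in for the configured path whenever that path fails for any reason; the description's "(For now unconditionally.)" acknowledges this, but nothing in the code records it. The capath error is also discarded, so callers only ever see the referral attempt's error, which makes a policy or trust-path failure hard to spot in logs. I would fall back only for the error that means no path or unknown principal (which code get_cred_kdc_capath returns for that is not visible in this hunk) and return other errors as they are, and until then add a comment at the fall-through such as `/* XXX capath error dropped; referrals tried for ANY failure, including policy failures */`. The body of _krb5_get_cred_kdc_any starts above this hunk, so whether `ret_tgts` or `out_creds` can be left partly filled by the failed capath attempt before the referral call should be checked there.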