oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Fix never valid error condition in KDC

Browse Source 
The TGS was incorrectly using authtime to compute renew_till for new
tickets, which was in turn leading to endtime potentially being equal to
starttime, which caused the TGS to return KRB5KDC_ERR_NEVER_VALID.

This happens when the TGT renewal lifetime is longer than the max renew
lifetime of any other services, after that much time (target services'
max renew life) passes.  The TGT is still good but TGS-REQs fail.
This commit is contained in:
Nicolas Williams
2013-11-26 16:51:45 -06:00
parent 91a2802779
commit b20bb509bd
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
kdc/krb5tgs.c
View File

@@ -837,12 +837,12 @@ tgs_make_reply(krb5_context context,
}
if(et.renew_till){
time_t renew;
renew = *et.renew_till - et.authtime;
renew = *et.renew_till - *et.starttime;
if(client && client->entry.max_renew)
renew = min(renew, *client->entry.max_renew);
if(server->entry.max_renew)
renew = min(renew, *server->entry.max_renew);
*et.renew_till = et.authtime + renew;
*et.renew_till = *et.starttime + renew;
}
if(et.renew_till){