From de4fbc95145737ad71e115e47dcb635fcd71bdab Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 18 Sep 2018 19:08:10 -0700
Subject: [PATCH] lib/krb5: Do not re-send the AS-REQ if fast was disabled
Without this, in an AS-REQ that has no local key for FAST we would send the AS-REQ again, which can bump the bad password count on the KDC twice. So only try again if FAST was actually tried.
Signed-off-by: Andrew Bartlett
---
 lib/krb5/init_creds_pw.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index 648d8ff4b..0a9052413 100644
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -2414,6 +2414,9 @@ krb5_init_creds_step(krb5_context context,
 if (ctx->fast_state.flags & KRB5_FAST_DISABLED) goto out;
+ if (!(ctx->fast_state.flags & KRB5_FAST_EXPECTED)) {
+ goto out;
+ }
 if (ctx->fast_state.flags & (KRB5_FAST_REQUIRED | KRB5_FAST_EXPECTED)) goto out;
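Review bot: The added guard makes the test that follows it always true, so every path through this sequence now ends at `goto out`: with `KRB5_FAST_EXPECTED` clear the new `if` leaves, and with it set the existing `flags & (KRB5_FAST_REQUIRED | KRB5_FAST_EXPECTED)` test leaves. Whatever retry code follows (outside this hunk) therefore appears to become unreachable, which goes further than the commit message's "only try again if FAST was actually tried". If the aim is only to avoid the second AS-REQ that counts a bad password twice toward lockout, the condition should test state recording that armor was actually applied to the request just sent, rather than `KRB5_FAST_EXPECTED`. If never retrying is intended, remove the dead retry path and say so in a comment such as `/* no FAST attempted: a resend would only add a second failed pre-auth at the KDC */`. The enclosing block of krb5_init_creds_step starts and ends outside the hunk, so this should be confirmed against the full function.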