oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Split up the reverse cross krbtgt check and local clien must exists test.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17603 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2006-06-01 17:43:03 +00:00
parent 23478bc157
commit e030c0d5e1
1 changed files with 29 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
kdc/krb5tgs.c
View File

@@ -959,27 +959,40 @@ server_lookup:
} }
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, &client); ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, &client);
if(ret) if(ret) {
kdc_log(context, config, 1, "Client not found in database: %s: %s", const char *krbtgt_realm;
cpn, krb5_get_err_text(context, ret));
/* /*
* If the client belongs to the same realm as our krbtgt, it * If the client belongs to the same realm as our krbtgt, it
* should exist in the local database. * should exist in the local database.
* *
* If its not the same, check the "direction" on the krbtgt, */
* so its not a backward uni-directional trust.
*/
if(strcmp(krb5_principal_get_realm(context, sp), krbtgt_realm = krb5_principal_get_realm(context,
krb5_principal_get_comp_string(context, krbtgt->entry.principal);
krbtgt->entry.principal, 1)) == 0) {
if(ret) { if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
if (ret == HDB_ERR_NOENTRY) if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
kdc_log(context, config, 1, "Client no longer in database: %s",
cpn);
goto out; goto out;
} }
} else {
kdc_log(context, config, 1, "Client not found in database: %s: %s",
cpn, krb5_get_err_text(context, ret));
}
/*
* Check that service is in the same realm as the krbtgt. If its
* not the same, its someone that is using a uni-directional trust
* backward.
*/
if (strcmp(krb5_principal_get_realm(context, sp),
krb5_principal_get_comp_string(context,
krbtgt->entry.principal,
1)) != 0) {
char *tpn; char *tpn;
ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn); ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
kdc_log(context, config, 0, kdc_log(context, config, 0,
@@ -1111,7 +1124,7 @@ _kdc_tgs_rep(krb5_context context,
from_addr); from_addr);
if (ret) { if (ret) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
"Failed building TGS-REP to from %s", from); "Failed building TGS-REP to %s", from);
goto out; goto out;
} }