oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

krb5: Do not fail to rd_req if no AD-KDC-ISSUED

Browse Source 
We reject tickets that have no AD-KDC-ISSUED(!).

This was reported by Samba.  The workaround they found was to set
check_pac = true in krb5.conf, as that clobbers the ret from
krb5_ticket_get_authorization_data_type() not having found an
AD-KDC-ISSUED element.

This was introduced in 1cede09a0b.
This commit is contained in:
Nicolas Williams
2023-01-05 17:57:36 -06:00
parent b87b813fee
commit ece456b028
1 changed files with 4 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
lib/krb5/rd_req.c
View File

@@ -1037,11 +1037,10 @@ krb5_rd_req_ctx(krb5_context context,
goto out; goto out;
} }
ret = krb5_ticket_get_authorization_data_type(context, o->ticket, if (krb5_ticket_get_authorization_data_type(context, o->ticket,
KRB5_AUTHDATA_KDC_ISSUED, KRB5_AUTHDATA_KDC_ISSUED,
NULL); NULL) == 0)
if (ret == 0) o->ticket->client->nameattrs->kdc_issued_verified = 1;
o->ticket->client->nameattrs->kdc_issued_verified = 1;
/* If there is a PAC, verify its server signature */ /* If there is a PAC, verify its server signature */
if (inctx == NULL || inctx->check_pac) { if (inctx == NULL || inctx->check_pac) {