From bbff216dc659954a76bb395ee36aa1a1c8571941 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 10 Feb 2015 13:27:57 +0100
Subject: [PATCH] lib/krb5: correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals

An AS-REQ with an enterprise principal will always directed to a kdc of the local (default) realm. The KDC directs the client into the direction of the final realm. See rfc6806.txt.

Signed-off-by: Stefan Metzmacher
---
 lib/krb5/init_creds_pw.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index 5b1fdc548..753add41a 100644
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -2330,6 +2330,17 @@ krb5_init_creds_step(krb5_context context,
 ret = krb5_principal_set_realm(context, ctx->cred.client, *ctx->error.crealm);
+ if (ret)
+ goto out;
+
+ if (krb5_principal_is_krbtgt(context, ctx->cred.server)) {
+ ret = krb5_init_creds_set_service(context, ctx, NULL);
+ if (ret)
+ goto out;
+ }
+
+ free_AS_REQ(&ctx->as_req);
+ memset(&ctx->as_req, 0, sizeof(ctx->as_req));
 ctx->used_pa_types = 0;
 } else if (ret == KRB5KDC_ERR_KEY_EXP && ctx->runflags.change_password == 0 && ctx->prompter) {
@@ -2379,6 +2390,15 @@ krb5_init_creds_step(krb5_context context,
 }
 }
+ if (ctx->as_req.req_body.cname == NULL) {
+ ret = init_as_req(context, ctx->flags, &ctx->cred, ctx->addrs, ctx->etypes, &ctx->as_req);
+ if (ret) {
+ free_init_creds_ctx(context, ctx);
+ return ret;
+ }
+ }
+
 if (ctx->as_req.padata) {
 free_METHOD_DATA(ctx->as_req.padata);
 free(ctx->as_req.padata);
-- 
2.11.4.GIT
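Review bot: The WRONG_REALM branch in the first hunk takes the new realm from the unauthenticated KRB-ERROR (`*ctx->error.crealm`), re-targets the krbtgt service and discards as_req so the request is re-sent, but nothing visible in the hunk bounds how many successive referrals are followed; unless a counter already exists elsewhere in krb5_init_creds_step (the function starts and ends outside the hunk, as does the `out` label both new `goto out` lines jump to), a KDC that keeps answering KRB5_KDC_ERR_WRONG_REALM can keep the client bouncing indefinitely. RFC 6806, which the commit message cites, expects clients to cap the length of a referral chain, so a small per-context counter checked at the top of this branch would close that, along the lines of `if (++ctx->referral_count > REFERRAL_LIMIT) { ret = <chosen-error-code>; goto out; }` (field and limit names constructed here, the error code is the maintainer's choice). The reason for the `krb5_principal_is_krbtgt` reset is also not recorded in the code; presumably `krb5_init_creds_set_service(context, ctx, NULL)` re-derives the krbtgt of the client's new realm, and a comment such as `/* RFC 6806 referral: ask the realm we were pointed to for its own TGT, then rebuild as_req */` above it would save the next reader from re-deriving that, once confirmed against set_service's behaviour.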
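Review bot: The failure path of the new rebuild block in the second hunk calls `free_init_creds_ctx(context, ctx); return ret;`, whereas the referral branch earlier in the same function reports its failures with `goto out;`; since the `out` label is outside the hunk I cannot tell whether it performs the same teardown, but the two paths should agree, because if `out` also releases the context this becomes a double free and if it does not, callers see the context destroyed on one error and intact on the other. Using `if (ret) goto out;` here, or routing both through one cleanup, would make that consistent; the function's end is outside the hunk. The rebuild is keyed on `ctx->as_req.req_body.cname == NULL`, which is only true because the referral branch memset the structure, and that coupling deserves a line such as `/* as_req was dropped after a WRONG_REALM referral; rebuild it for the new realm and service */` so the sentinel is not mistaken for an ordinary optional-field check.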