summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2007-09-11 14:56:43 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:30:38 -0500
commitcd45a258a7b66bd4919ac02a7f4bfbce9e4a195b (patch)
tree021005d1771d7cd4f9eaf6d16ed84307a9f02980
parent35a616e82c56e474d00eb4db21429abb97339894 (diff)
downloadsamba-cd45a258a7b66bd4919ac02a7f4bfbce9e4a195b.tar.gz
samba-cd45a258a7b66bd4919ac02a7f4bfbce9e4a195b.tar.bz2
samba-cd45a258a7b66bd4919ac02a7f4bfbce9e4a195b.zip
r25080: Once we decrypted the packet but have timing problems (closkew, tkt not yet or
no longer valid) there is no point to bother the keytab routines. Guenther (This used to be commit 7e4dcf8e7ecfd35668e86e22bed5a9280ae83959)
-rw-r--r--source3/libads/kerberos_verify.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 99288b78e5..0edb5327d3 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -427,9 +427,16 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
/* Try secrets.tdb first and fallback to the krb5.keytab if
necessary */
- auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+ auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
ticket, &tkt, &keyblock, &ret);
+ if (!auth_ok &&
+ (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
+ ret == KRB5KRB_AP_ERR_SKEW)) {
+ goto auth_failed;
+ }
+
if (!auth_ok && lp_use_kerberos_keytab()) {
auth_ok = ads_keytab_verify_ticket(context, auth_context,
ticket, &tkt, &keyblock, &ret);
@@ -446,6 +453,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
#endif
}
+ auth_failed:
if (!auth_ok) {
DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
error_message(ret)));