diff options
author | Günther Deschner <gd@samba.org> | 2007-09-11 14:56:43 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:30:38 -0500 |
commit | cd45a258a7b66bd4919ac02a7f4bfbce9e4a195b (patch) | |
tree | 021005d1771d7cd4f9eaf6d16ed84307a9f02980 | |
parent | 35a616e82c56e474d00eb4db21429abb97339894 (diff) | |
download | samba-cd45a258a7b66bd4919ac02a7f4bfbce9e4a195b.tar.gz samba-cd45a258a7b66bd4919ac02a7f4bfbce9e4a195b.tar.bz2 samba-cd45a258a7b66bd4919ac02a7f4bfbce9e4a195b.zip |
r25080: Once we decrypted the packet but have timing problems (closkew, tkt not yet or
no longer valid) there is no point to bother the keytab routines.
Guenther
(This used to be commit 7e4dcf8e7ecfd35668e86e22bed5a9280ae83959)
-rw-r--r-- | source3/libads/kerberos_verify.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 99288b78e5..0edb5327d3 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -427,9 +427,16 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, /* Try secrets.tdb first and fallback to the krb5.keytab if necessary */ - auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ, + auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ, ticket, &tkt, &keyblock, &ret); + if (!auth_ok && + (ret == KRB5KRB_AP_ERR_TKT_NYV || + ret == KRB5KRB_AP_ERR_TKT_EXPIRED || + ret == KRB5KRB_AP_ERR_SKEW)) { + goto auth_failed; + } + if (!auth_ok && lp_use_kerberos_keytab()) { auth_ok = ads_keytab_verify_ticket(context, auth_context, ticket, &tkt, &keyblock, &ret); @@ -446,6 +453,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, #endif } + auth_failed: if (!auth_ok) { DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", error_message(ret))); |