author | Günther Deschner <gd@samba.org> | 2006-03-20 10:05:51 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:15:37 -0500 |
commit | 492af5e91857fa27f68758354a3e35afcc84c238 (patch) | |
tree | 0e546ece09fc853e9a9716163ce01c3cc8480e61 | |
parent | 1af229a8f822e3595e3282fc3187c2e7d705aac0 (diff) | |
r14576: Skip remaining keytab entries when we have a clear indication that
krb5_rd_req could decrypt the ticket but that ticket is just not valid
at the moment (either not yet valid or already expired). (This also
prevents an MIT kerberos related crash)
Guenther
(This used to be commit 8a0c1933d3f354a8aff67482b8c7d0d1083e0c8f)
-rw-r--r-- | source3/libads/kerberos_verify.c | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 220bf14e32..83bdb3f862 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -111,6 +111,22 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut
 DEBUG(10,("ads_keytab_verify_ticket: "
 "krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n",
 entry_princ_s, error_message(ret)));
+
+ /* workaround for MIT:
+ * as krb5_ktfile_get_entry will
+ * explicitly close the
+ * krb5_keytab as soon as
+ * krb5_rd_req has sucessfully
+ * decrypted the ticket but the
+ * ticket is not valid yet (due
+ * to clockskew) there is no
+ * point in querying more
+ * keytab entries - Guenther */
+
+ if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
+ break;
+ }
 } else {
 DEBUG(3,("ads_keytab_verify_ticket: "
 "krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n",
@@ -243,11 +259,17 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
 krb5_free_keyblock(context, key);
 break;
 }
-
+
 DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
 ("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
 (unsigned int)enctypes[i], error_message(ret)));
+ /* successfully decrypted but ticket is just not valid at the moment */
+ if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
+ break;
+ }
+
 krb5_free_keyblock(context, key);
 }
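Review bot: The new early exit on KRB5KRB_AP_ERR_TKT_NYV / KRB5KRB_AP_ERR_TKT_EXPIRED in ads_keytab_verify_ticket is only visible at debug level 10 (the DEBUG(10, …) context line just above it), whereas the same condition in the ads_secrets_verify_ticket hunk is reported at level 3, so an operator diagnosing a clock-skew failure gets no hint at a normal log level why the keytab scan stopped early. Consider a `DEBUG(3, ("ads_keytab_verify_ticket: ticket for %s decrypted but is not valid now (%s), skipping remaining keytab entries\n", entry_princ_s, error_message(ret)));` immediately before the added `break;`. The new comment also misspells `sucessfully`. Whether the code after the loop (outside this hunk) distinguishes this exit from a plain decryption failure cannot be seen here.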
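Review bot: The new `break` in ads_secrets_verify_ticket jumps over the `krb5_free_keyblock(context, key);` that follows it, so on KRB5KRB_AP_ERR_TKT_NYV / KRB5KRB_AP_ERR_TKT_EXPIRED the keyblock derived from the machine password is leaked and, unlike on the freed path, never scrubbed. The success branch in the context above frees before breaking, and this branch should mirror it: `krb5_free_keyblock(context, key); break;` inside the new `if`. Alternatively move the free above the check, since `key` is not used after the DEBUG. The loop header and the code after the loop are outside the hunk.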