r25080: Once we decrypted the packet but have timing problems (closkew, tkt not yet or

no longer valid) there is no point to bother the keytab routines.

Guenther
(This used to be commit 7e4dcf8e7ecfd35668e86e22bed5a9280ae83959)

1 files changed, 9 insertions, 1 deletions

diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 99288b78e5..0edb5327d3 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -427,9 +427,16 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 	/* Try secrets.tdb first and fallback to the krb5.keytab if
 	   necessary */
 
-        auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+	auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
 					    ticket, &tkt, &keyblock, &ret);
 
+	if (!auth_ok &&
+	    (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+	     ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
+	     ret == KRB5KRB_AP_ERR_SKEW)) {
+		goto auth_failed;
+	}
+
 	if (!auth_ok && lp_use_kerberos_keytab()) {
 		auth_ok = ads_keytab_verify_ticket(context, auth_context, 
 						   ticket, &tkt, &keyblock, &ret);
@@ -446,6 +453,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 #endif
 	}	
 
+ auth_failed:
 	if (!auth_ok) {
 		DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", 
 			 error_message(ret)));