authorGünther Deschner <gd@samba.org>2006-03-20 10:05:51 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:15:37 -0500
commit492af5e91857fa27f68758354a3e35afcc84c238 (patch)
tree0e546ece09fc853e9a9716163ce01c3cc8480e61 /source3/libads
parent1af229a8f822e3595e3282fc3187c2e7d705aac0 (diff)
r14576: Skip remaining keytab entries when we have a clear indication that
krb5_rd_req could decrypt the ticket but that ticket is just not valid at the moment (either not yet valid or already expired). (This also prevents an MIT Kerberos-related crash.) Guenther (This used to be commit 8a0c1933d3f354a8aff67482b8c7d0d1083e0c8f)
Diffstat (limited to 'source3/libads')
-rw-r--r--source3/libads/kerberos_verify.c24
1 files changed, 23 insertions, 1 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 220bf14e32..83bdb3f862 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -111,6 +111,22 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut
DEBUG(10,("ads_keytab_verify_ticket: "
"krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n",
entry_princ_s, error_message(ret)));
+
+ /* workaround for MIT:
+ * as krb5_ktfile_get_entry will
+ * explicitly close the
+ * krb5_keytab as soon as
+ * krb5_rd_req has sucessfully
+ * decrypted the ticket but the
+ * ticket is not valid yet (due
+ * to clockskew) there is no
+ * point in querying more
+ * keytab entries - Guenther */
+
+ if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
+ break;
+ }
} else {
DEBUG(3,("ads_keytab_verify_ticket: "
"krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n",
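Review bot: The comment above the new `if (ret == KRB5KRB_AP_ERR_TKT_NYV || ret == KRB5KRB_AP_ERR_TKT_EXPIRED)` explains only the not-yet-valid/clockskew case, although the condition also stops the keytab walk on an expired ticket, and it misspells "successfully". The point worth recording is why stopping is safe: both codes are only reported once the ticket has already been decrypted, so no other keytab entry can do better, and leaving `ret` set means the caller still sees a failure rather than a silently accepted ticket. Suggested replacement comment: `/* KRB5KRB_AP_ERR_TKT_NYV and KRB5KRB_AP_ERR_TKT_EXPIRED are only returned after the ticket was decrypted, so further keytab entries cannot succeed; stop here and leave ret set so the caller reports the failure. The existing workaround note says MIT also closes the keytab at this point. */`. Whether the code after the loop actually turns this `ret` into a rejected ticket cannot be seen here; ads_keytab_verify_ticket both starts and ends outside the hunk.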
@@ -243,11 +259,17 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
krb5_free_keyblock(context, key);
break;
}
-
+
DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
(unsigned int)enctypes[i], error_message(ret)));
+ /* successfully decrypted but ticket is just not valid at the moment */
+ if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
+ break;
+ }
+
krb5_free_keyblock(context, key);
}