summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-11-06 01:46:12 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:49 -0500
commit512f5ae8817eb378d5d3bdf6ba08c50c8dc3bf8c (patch)
tree38e1dc1183aa7f5bd7aeccdba812caa5f9633d82 /source4
parent69307693dc47cdaa931551c99914e85273037886 (diff)
downloadsamba-512f5ae8817eb378d5d3bdf6ba08c50c8dc3bf8c.tar.gz
samba-512f5ae8817eb378d5d3bdf6ba08c50c8dc3bf8c.tar.bz2
samba-512f5ae8817eb378d5d3bdf6ba08c50c8dc3bf8c.zip
r11529: Disable DNS lookups for forwarded credentials, unless really, really
wanted. There is nothing that suggests that the host we forward credentials to will not have other interfaces, unassoicated with their service name. Likewise, the name may be a netbios, not DNS name. This should avoid some nasty DNS lookups. Andrew Bartlett (This used to be commit da0ff19856a8f41eb64787990d47d2961824711d)
Diffstat (limited to 'source4')
-rw-r--r--source4/heimdal/lib/krb5/get_for_creds.c75
1 files changed, 41 insertions, 34 deletions
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index adb6000cd6..7bc8942f66 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -162,7 +162,8 @@ krb5_get_forwarded_creds (krb5_context context,
{
krb5_error_code ret;
krb5_creds *out_creds;
- krb5_addresses addrs, *paddrs;
+ krb5_addresses *paddrs = NULL;
+ krb5_addresses addrs;
KRB_CRED cred;
KrbCredInfo *krb_cred_info;
EncKrbCredPart enc_krb_cred_part;
@@ -171,50 +172,56 @@ krb5_get_forwarded_creds (krb5_context context,
size_t buf_size;
krb5_kdc_flags kdc_flags;
krb5_crypto crypto;
- struct addrinfo *ai;
int save_errno;
krb5_creds *ticket;
char *realm;
+ krb5_boolean noaddr_ever;
+
+ addrs.len = 0;
+ addrs.val = NULL;
if (in_creds->client && in_creds->client->realm)
realm = in_creds->client->realm;
else
realm = in_creds->server->realm;
- addrs.len = 0;
- addrs.val = NULL;
- paddrs = &addrs;
-
- /*
- * If tickets are address-less, forward address-less tickets.
- */
-
- ret = _krb5_get_krbtgt (context,
- ccache,
- realm,
- &ticket);
- if(ret == 0) {
- if (ticket->addresses.len == 0)
- paddrs = NULL;
- krb5_free_creds (context, ticket);
+ krb5_appdefault_boolean(context, NULL, realm, "no-addresses-ever",
+ TRUE, &noaddr_ever);
+ if (!noaddr_ever) {
+ struct addrinfo *ai;
+ paddrs = &addrs;
+
+ /*
+ * If tickets are address-less, forward address-less tickets.
+ */
+
+ ret = _krb5_get_krbtgt (context,
+ ccache,
+ realm,
+ &ticket);
+ if(ret == 0) {
+ if (ticket->addresses.len == 0)
+ paddrs = NULL;
+ krb5_free_creds (context, ticket);
+ }
+
+ if (paddrs != NULL) {
+
+ ret = getaddrinfo (hostname, NULL, NULL, &ai);
+ if (ret) {
+ save_errno = errno;
+ krb5_set_error_string(context, "resolving %s: %s",
+ hostname, gai_strerror(ret));
+ return krb5_eai_to_heim_errno(ret, save_errno);
+ }
+
+ ret = add_addrs (context, &addrs, ai);
+ freeaddrinfo (ai);
+ if (ret)
+ return ret;
+ }
}
-
- if (paddrs != NULL) {
- ret = getaddrinfo (hostname, NULL, NULL, &ai);
- if (ret) {
- save_errno = errno;
- krb5_set_error_string(context, "resolving %s: %s",
- hostname, gai_strerror(ret));
- return krb5_eai_to_heim_errno(ret, save_errno);
- }
-
- ret = add_addrs (context, &addrs, ai);
- freeaddrinfo (ai);
- if (ret)
- return ret;
- }
-
kdc_flags.b = int2KDCOptions(flags);
ret = krb5_get_kdc_cred (context,