author | Andrew Bartlett <abartlet@samba.org> | 2005-11-06 01:46:12 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:49 -0500 |
commit | 512f5ae8817eb378d5d3bdf6ba08c50c8dc3bf8c (patch) | |
tree | 38e1dc1183aa7f5bd7aeccdba812caa5f9633d82 /source4 | |
parent | 69307693dc47cdaa931551c99914e85273037886 (diff) | |
r11529: Disable DNS lookups for forwarded credentials, unless really, really
wanted. There is nothing that suggests that the host we forward
credentials to will not have other interfaces, unassociated with their
service name. Likewise, the name may be a netbios, not DNS name.
This should avoid some nasty DNS lookups.
Andrew Bartlett
(This used to be commit da0ff19856a8f41eb64787990d47d2961824711d)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/heimdal/lib/krb5/get_for_creds.c | 75 |
1 files changed, 41 insertions, 34 deletions
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index adb6000cd6..7bc8942f66 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -162,7 +162,8 @@ krb5_get_forwarded_creds (krb5_context context,
 {
 krb5_error_code ret;
 krb5_creds *out_creds;
- krb5_addresses addrs, *paddrs;
+ krb5_addresses *paddrs = NULL;
+ krb5_addresses addrs;
 KRB_CRED cred;
 KrbCredInfo *krb_cred_info;
 EncKrbCredPart enc_krb_cred_part;
@@ -171,50 +172,56 @@ krb5_get_forwarded_creds (krb5_context context,
 size_t buf_size;
 krb5_kdc_flags kdc_flags;
 krb5_crypto crypto;
- struct addrinfo *ai;
 int save_errno;
 krb5_creds *ticket;
 char *realm;
+ krb5_boolean noaddr_ever;
+
+ addrs.len = 0;
+ addrs.val = NULL;
 if (in_creds->client && in_creds->client->realm)
 realm = in_creds->client->realm;
 else
 realm = in_creds->server->realm;
- addrs.len = 0;
- addrs.val = NULL;
- paddrs = &addrs;
-
- /*
- * If tickets are address-less, forward address-less tickets.
- */
-
- ret = _krb5_get_krbtgt (context,
- ccache,
- realm,
- &ticket);
- if(ret == 0) {
- if (ticket->addresses.len == 0)
- paddrs = NULL;
- krb5_free_creds (context, ticket);
+ krb5_appdefault_boolean(context, NULL, realm, "no-addresses-ever",
+ TRUE, &noaddr_ever);
+ if (!noaddr_ever) {
+ struct addrinfo *ai;
+ paddrs = &addrs;
+
+ /*
+ * If tickets are address-less, forward address-less tickets.
+ */
+
+ ret = _krb5_get_krbtgt (context,
+ ccache,
+ realm,
+ &ticket);
+ if(ret == 0) {
+ if (ticket->addresses.len == 0)
+ paddrs = NULL;
+ krb5_free_creds (context, ticket);
+ }
+
+ if (paddrs != NULL) {
+
+ ret = getaddrinfo (hostname, NULL, NULL, &ai);
+ if (ret) {
+ save_errno = errno;
+ krb5_set_error_string(context, "resolving %s: %s",
+ hostname, gai_strerror(ret));
+ return krb5_eai_to_heim_errno(ret, save_errno);
+ }
+
+ ret = add_addrs (context, &addrs, ai);
+ freeaddrinfo (ai);
+ if (ret)
+ return ret;
+ }
 }
-
- if (paddrs != NULL) {
- ret = getaddrinfo (hostname, NULL, NULL, &ai);
- if (ret) {
- save_errno = errno;
- krb5_set_error_string(context, "resolving %s: %s",
- hostname, gai_strerror(ret));
- return krb5_eai_to_heim_errno(ret, save_errno);
- }
-
- ret = add_addrs (context, &addrs, ai);
- freeaddrinfo (ai);
- if (ret)
- return ret;
- }
-
 kdc_flags.b = int2KDCOptions(flags);
 ret = krb5_get_kdc_cred (context, |
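Review bot: The `if (ret) return ret;` after `add_addrs` in the new block returns with `addrs` still holding whatever `add_addrs` appended before it failed, so that error path leaks the partially built address list; calling `krb5_free_addresses(context, &addrs);` before `return ret;` would close it (hedged: this depends on add_addrs's partial-failure contract, which is outside the hunk). The new `no-addresses-ever` appdefault and its TRUE default are not explained anywhere in the code, so the rationale lives only in the commit message; a comment such as `/* Default to address-less forwarded tickets: binding them requires a DNS lookup of hostname, which may be a NetBIOS name or miss other interfaces of the target host. */` above the `krb5_appdefault_boolean` call would preserve it. When the lookup is enabled, the addresses baked into the KRB-CRED come from an unauthenticated `getaddrinfo` answer for `hostname`, which is worth stating next to that call so nobody treats the address restriction as a strong control. The body of krb5_get_forwarded_creds begins before and continues after this hunk.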