-rw-r--r--source3/libads/kerberos_verify.c98
1 files changed, 49 insertions, 49 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 03e30a9ba3..72b6ac34e9 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -88,63 +88,63 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut
goto out;
}
- while (!auth_ok && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
- ret = smb_krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
- if (ret) {
- DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_unparse_name failed (%s)\n",
- error_message(ret)));
- goto out;
- }
+ while (!auth_ok && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
+ ret = smb_krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
+ if (ret) {
+ DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_unparse_name failed (%s)\n",
+ error_message(ret)));
+ goto out;
+ }
- for (i = 0; i < sizeof(valid_princ_formats) / sizeof(valid_princ_formats[0]); i++) {
- if (strequal(entry_princ_s, valid_princ_formats[i])) {
- number_matched_principals++;
- p_packet->length = ticket->length;
- p_packet->data = (char *)ticket->data;
- *pp_tkt = NULL;
-
- ret = krb5_rd_req_return_keyblock_from_keytab(context, &auth_context, p_packet,
- kt_entry.principal, keytab,
- NULL, pp_tkt, keyblock);
-
- if (ret) {
- DEBUG(10,("ads_keytab_verify_ticket: "
- "krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n",
- entry_princ_s, error_message(ret)));
-
- /* workaround for MIT:
- * as krb5_ktfile_get_entry will
- * explicitly close the
- * krb5_keytab as soon as
- * krb5_rd_req has sucessfully
- * decrypted the ticket but the
- * ticket is not valid yet (due
- * to clockskew) there is no
- * point in querying more
- * keytab entries - Guenther */
+ for (i = 0; i < sizeof(valid_princ_formats) / sizeof(valid_princ_formats[0]); i++) {
+ if (strequal(entry_princ_s, valid_princ_formats[i])) {
+ number_matched_principals++;
+ p_packet->length = ticket->length;
+ p_packet->data = (char *)ticket->data;
+ *pp_tkt = NULL;
+
+ ret = krb5_rd_req_return_keyblock_from_keytab(context, &auth_context, p_packet,
+ kt_entry.principal, keytab,
+ NULL, pp_tkt, keyblock);
+
+ if (ret) {
+ DEBUG(10,("ads_keytab_verify_ticket: "
+ "krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n",
+ entry_princ_s, error_message(ret)));
+
+ /* workaround for MIT:
+ * as krb5_ktfile_get_entry will
+ * explicitly close the
+ * krb5_keytab as soon as
+ * krb5_rd_req has sucessfully
+ * decrypted the ticket but the
+ * ticket is not valid yet (due
+ * to clockskew) there is no
+ * point in querying more
+ * keytab entries - Guenther */
- if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
- ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
- break;
- }
- } else {
- DEBUG(3,("ads_keytab_verify_ticket: "
- "krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n",
- entry_princ_s));
- auth_ok = True;
+ if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
break;
}
+ } else {
+ DEBUG(3,("ads_keytab_verify_ticket: "
+ "krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n",
+ entry_princ_s));
+ auth_ok = True;
+ break;
}
}
+ }
- /* Free the name we parsed. */
- SAFE_FREE(entry_princ_s);
+ /* Free the name we parsed. */
+ SAFE_FREE(entry_princ_s);
- /* Free the entry we just read. */
- smb_krb5_kt_free_entry(context, &kt_entry);
- ZERO_STRUCT(kt_entry);
- }
- krb5_kt_end_seq_get(context, keytab, &kt_cursor);
+ /* Free the entry we just read. */
+ smb_krb5_kt_free_entry(context, &kt_entry);
+ ZERO_STRUCT(kt_entry);
+ }
+ krb5_kt_end_seq_get(context, keytab, &kt_cursor);
ZERO_STRUCT(kt_cursor);