diff options
-rw-r--r-- | source3/libads/kerberos_verify.c | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 220bf14e32..83bdb3f862 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -111,6 +111,22 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut DEBUG(10,("ads_keytab_verify_ticket: " "krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n", entry_princ_s, error_message(ret))); + + /* workaround for MIT: + * as krb5_ktfile_get_entry will + * explicitly close the + * krb5_keytab as soon as + * krb5_rd_req has sucessfully + * decrypted the ticket but the + * ticket is not valid yet (due + * to clockskew) there is no + * point in querying more + * keytab entries - Guenther */ + + if (ret == KRB5KRB_AP_ERR_TKT_NYV || + ret == KRB5KRB_AP_ERR_TKT_EXPIRED) { + break; + } } else { DEBUG(3,("ads_keytab_verify_ticket: " "krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n", @@ -243,11 +259,17 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au krb5_free_keyblock(context, key); break; } - + DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10, ("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n", (unsigned int)enctypes[i], error_message(ret))); + /* successfully decrypted but ticket is just not valid at the moment */ + if (ret == KRB5KRB_AP_ERR_TKT_NYV || + ret == KRB5KRB_AP_ERR_TKT_EXPIRED) { + break; + } + krb5_free_keyblock(context, key); } |