summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/libads/kerberos_verify.c24
1 files changed, 23 insertions, 1 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 220bf14e32..83bdb3f862 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -111,6 +111,22 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut
DEBUG(10,("ads_keytab_verify_ticket: "
"krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n",
entry_princ_s, error_message(ret)));
+
+ /* workaround for MIT:
+ * as krb5_ktfile_get_entry will
+ * explicitly close the
+ * krb5_keytab as soon as
+ * krb5_rd_req has sucessfully
+ * decrypted the ticket but the
+ * ticket is not valid yet (due
+ * to clockskew) there is no
+ * point in querying more
+ * keytab entries - Guenther */
+
+ if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
+ break;
+ }
} else {
DEBUG(3,("ads_keytab_verify_ticket: "
"krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n",
@@ -243,11 +259,17 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
krb5_free_keyblock(context, key);
break;
}
-
+
DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
(unsigned int)enctypes[i], error_message(ret)));
+ /* successfully decrypted but ticket is just not valid at the moment */
+ if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
+ break;
+ }
+
krb5_free_keyblock(context, key);
}