diff options
Diffstat (limited to 'source4/heimdal/lib/krb5/ticket.c')
-rw-r--r-- | source4/heimdal/lib/krb5/ticket.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c index 4d8da93579..e7d4d9532d 100644 --- a/source4/heimdal/lib/krb5/ticket.c +++ b/source4/heimdal/lib/krb5/ticket.c @@ -443,9 +443,7 @@ check_server_referral(krb5_context context, return KRB5KRB_AP_ERR_MODIFIED; } - if (returned->name.name_string.len == 2 && - strcmp(returned->name.name_string.val[0], KRB5_TGS_NAME) == 0) - { + if (krb5_principal_is_krbtgt(context, returned)) { const char *realm = returned->name.name_string.val[1]; if (ref.referred_realm == NULL @@ -485,7 +483,13 @@ check_server_referral(krb5_context context, return ret; noreferral: - if (krb5_principal_compare(context, requested, returned) == FALSE) { + /* + * Expect excact match or that we got a krbtgt + */ + if (krb5_principal_compare(context, requested, returned) != TRUE && + (krb5_realm_compare(context, requested, returned) != TRUE && + krb5_principal_is_krbtgt(context, returned) != TRUE)) + { krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, N_("Not same server principal returned " "as requested", "")); |