From e53dfa1f4a1162b814ea7dc23c7c603d1c6c4908 Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Thu, 31 Aug 2006 18:32:23 +0000
Subject: r17971: Disable storing SIDs in the S-1-22-1 and S-1-22-2 domain to the SID<->uid/gid cache. FIxes a bug in token creation (This used to be commit fa05708789654a8a34cb4a4068514a0b3d950653)
---
 source3/libads/kerberos_verify.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'source3/libads')
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 3aa0860809..cff007db47 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -376,13 +376,15 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 goto out;
 }
- if (lp_use_kerberos_keytab()) {
+ /* always check secrets first in order to prevent hitting the
+ keytab until really necessary */
+
+ auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+ ticket, &packet, &tkt, &keyblock);
+
+ if (!auth_ok && lp_use_kerberos_keytab()) {
 auth_ok = ads_keytab_verify_ticket(context, auth_context, ticket, &packet, &tkt, &keyblock);
 }
- if (!auth_ok) {
- auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
- ticket, &packet, &tkt, &keyblock);
- }
 release_server_mutex();
 got_replay_mutex = False;
-- cgit
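Review bot: The fallback at `if (!auth_ok && lp_use_kerberos_keytab())` passes the same `auth_context`, `&packet`, `&tkt` and `&keyblock` to `ads_keytab_verify_ticket` that `ads_secrets_verify_ticket` has just failed with, and nothing visible in the hunk shows that a failed first attempt leaves them unset. The old order shared these outputs in the opposite direction, so this is not new, but the helper that fails first is now a different one, whose failure path is outside this hunk and worth confirming. I would record that contract in the new comment, for example `/* ads_secrets_verify_ticket() must leave packet, tkt and keyblock untouched on failure; the keytab fallback reuses them */`. The comment also gives no reason why the keytab should be avoided, and the commit subject does not mention this reordering, so a one-line rationale would help whoever next audits which key source accepted a ticket. ads_verify_ticket begins and ends outside the hunk.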