From cd45a258a7b66bd4919ac02a7f4bfbce9e4a195b Mon Sep 17 00:00:00 2001
From: Günther Deschner <gd@samba.org>
Date: Tue, 11 Sep 2007 14:56:43 +0000
Subject: r25080: Once we decrypted the packet but have timing problems
 (closkew, tkt not yet or no longer valid) there is no point to bother the
 keytab routines.

Guenther
(This used to be commit 7e4dcf8e7ecfd35668e86e22bed5a9280ae83959)
---
 source3/libads/kerberos_verify.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'source3')

diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 99288b78e5..0edb5327d3 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -427,9 +427,16 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 	/* Try secrets.tdb first and fallback to the krb5.keytab if
 	   necessary */
 
-        auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+	auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
 					    ticket, &tkt, &keyblock, &ret);
 
+	if (!auth_ok &&
+	    (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+	     ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
+	     ret == KRB5KRB_AP_ERR_SKEW)) {
+		goto auth_failed;
+	}
+
 	if (!auth_ok && lp_use_kerberos_keytab()) {
 		auth_ok = ads_keytab_verify_ticket(context, auth_context, 
 						   ticket, &tkt, &keyblock, &ret);
@@ -446,6 +453,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 #endif
 	}	
 
+ auth_failed:
 	if (!auth_ok) {
 		DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", 
 			 error_message(ret)));
-- 
cgit