summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2013-06-17 12:22:32 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-17 20:01:31 +0200
commit95332f72acf87e04be6fb70c5dc00cabd14ac97c (patch)
tree25d3c82f92bec3f4c21d4f421a21e178b17ee6a6 /src
parentee02e59e4d966f44c7a48ad04474156fc65d7006 (diff)
downloadsssd-95332f72acf87e04be6fb70c5dc00cabd14ac97c.tar.gz
sssd-95332f72acf87e04be6fb70c5dc00cabd14ac97c.tar.bz2
sssd-95332f72acf87e04be6fb70c5dc00cabd14ac97c.zip
Use principal from the ticket to find validation entry
If canonicalization or enterprise principals are enabled the realm of the client principal might have changed compared to the original request. To find the most suitable keytab entry to validate the TGT is it better to use the returned client principal. Fixes https://fedorahosted.org/sssd/ticket/1931
Diffstat (limited to 'src')
-rw-r--r--src/providers/krb5/krb5_child.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 74d730aa..ac9a905f 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -931,7 +931,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
}
memset(&entry, 0, sizeof(entry));
- if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) {
+ if (krb5_realm_compare(kr->ctx, validation_princ, kr->creds->client)) {
DEBUG(SSSDBG_TRACE_INTERNAL,
("Found keytab entry with the realm of the credential.\n"));
realm_entry_found = true;