author | Sumit Bose <sbose@redhat.com> | 2013-06-17 12:22:32 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-17 20:01:31 +0200 |
commit | 95332f72acf87e04be6fb70c5dc00cabd14ac97c (patch) | |
tree | 25d3c82f92bec3f4c21d4f421a21e178b17ee6a6 /src | |
parent | ee02e59e4d966f44c7a48ad04474156fc65d7006 (diff) | |
Use principal from the ticket to find validation entry
If canonicalization or enterprise principals are enabled the realm of
the client principal might have changed compared to the original
request. To find the most suitable keytab entry to validate the TGT
it is better to use the returned client principal.
Fixes https://fedorahosted.org/sssd/ticket/1931
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 74d730aa..ac9a905f 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -931,7 +931,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) } memset(&entry, 0, sizeof(entry)); - if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) { + if (krb5_realm_compare(kr->ctx, validation_princ, kr->creds->client)) { DEBUG(SSSDBG_TRACE_INTERNAL, ("Found keytab entry with the realm of the credential.\n")); realm_entry_found = true; |
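Review bot: the new argument `kr->creds->client` in the `krb5_realm_compare()` call is dereferenced with no check in the visible lines that `kr->creds` and its `client` field are set. If `validate_tgt()` can be reached without credentials, add an early return with an error before the keytab loop, or state in a comment that the caller guarantees them. The value also comes from a ticket that `validate_tgt()` has not yet validated, so a short comment above the comparison noting that the realm is used only to select which keytab entry to validate against, and not as a trust decision, would help future readers. The debug message "Found keytab entry with the realm of the credential." still fits the new behaviour and needs no change.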