retval = KRB5KRB_AP_ERR_BADMATCH;
goto cleanup;
}
- if (realms[0] == 0) {
+ /* Don't return a referral to the null realm or the service
+ * realm. */
+ if (realms[0] == 0 ||
+ data_eq_string(request->server->realm, realms[0])) {
+ free(realms[0]);
free(realms);
retval = KRB5KRB_AP_ERR_BADMATCH;
goto cleanup;
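Review bot: The new rejection branch releases only `realms[0]` and then the array itself, so if the realm lookup that filled `realms` (not visible in this hunk) can return more than one entry, the remaining strings leak on every rejected referral request. Freeing the whole list in one call, e.g. `krb5_free_host_realm(<context>, realms);` with the context this function already uses, would cover both arms of the condition and removes the reliance on `free(NULL)` when `realms[0] == 0`. The check also compares only the first entry against `request->server->realm`; if a later entry can be chosen as the referral target further down, it would need the same test. The enclosing function starts and ends outside the hunk, so both points should be confirmed against the full body.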
$(RUNPYTEST) $(srcdir)/t_renprinc.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS)
# $(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_cve-2012-1014.py $(PYTESTFLAGS)
--- /dev/null
+#!/usr/bin/python
+from k5test import *
+
+# We should have a comprehensive suite of KDC host referral tests
+# here, based on the tests in the kdc_realm subdir. For now, we just
+# have a regression test for #7483.
+
+# A KDC should not return a host referral to its own realm.
+krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}}
+kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}}
+realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False)
+tracefile = os.path.join(realm.testdir, 'trace')
+realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'],
+ expected_code=1)
+f = open(tracefile, 'r')
+trace = f.read()
+f.close()
+if 'back to same realm' in trace:
+ fail('KDC returned referral to service realm')
+
+success('KDC host referral tests')
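Review bot: The only assertion is that the client trace does not contain `'back to same realm'`, so the test passes vacuously if that trace wording ever changes or if kvno fails with exit code 1 for an unrelated reason (for example the KDC not answering at all). It would be more robust to also check something positive, such as the error text kvno prints for the unknown service principal, so that a pass proves the KDC actually answered and declined the referral. At minimum, document the coupling with a comment like `# Depends on the client trace message 'back to same realm'; update if that text changes.` The trace file read could also be written as `with open(tracefile) as f: trace = f.read()` so the handle is closed even if the read raises.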