Don't return a host referral to the service realm

A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst.  Don't
respond with one in the KDC.

(back ported from commit ee0d5eac353a13a194759b72cb44203fda1bf0fa)

(cherry picked from commit 745c0194ee93318cf4d44f6f8ccb7739523d448e)

ticket: 7609 (new)
version_fixed: 1.9.5
status: resolved

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 840a2ef5a7d65286bd497dc9e34493e13baedf98..d5f34b63d17e4c685907c0bd50e15517319de257 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1172,7 +1172,11 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
                 retval = KRB5KRB_AP_ERR_BADMATCH;
                 goto cleanup;
             }
-            if (realms[0] == 0) {
+            /* Don't return a referral to the null realm or the service
+             * realm. */
+            if (realms[0] == 0 ||
+                data_eq_string(request->server->realm, realms[0])) {
+                free(realms[0]);
                 free(realms);
                 retval = KRB5KRB_AP_ERR_BADMATCH;
                 goto cleanup;

diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index edbfc1c08774452bed23fc651d39fbc19f8dddc6..b1ba99758369a027bc44c4d14038a6784f81c1c5 100644 (file)
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -70,6 +70,7 @@ check-pytests:: hist
        $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS)
+       $(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS)
 
 clean::

diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
new file mode 100644 (file)
index 0000000..6654d71
--- /dev/null
+++ b/src/tests/t_referral.py
@@ -0,0 +1,21 @@
+#!/usr/bin/python
+from k5test import *
+
+# We should have a comprehensive suite of KDC host referral tests
+# here, based on the tests in the kdc_realm subdir.  For now, we just
+# have a regression test for #7483.
+
+# A KDC should not return a host referral to its own realm.
+krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}}
+kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}}
+realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False)
+tracefile = os.path.join(realm.testdir, 'trace')
+realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'],
+                    expected_code=1)
+f = open(tracefile, 'r')
+trace = f.read()
+f.close()
+if 'back to same realm' in trace:
+    fail('KDC returned referral to service realm')
+
+success('KDC host referral tests')