Don't return a host referral to the service realm

A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst.  Don't
respond with one in the KDC.

ticket: 7483
target_version: 1.11
tags: pullup

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b77c9eb54623c0c3911ff5fa21566b34a2fe45fe..d41bc5d4eed848f702c98efaaa1bc3cff975a4ca 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1148,7 +1148,9 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request,
         kdc_err(kdc_context, retval, "unable to find realm of host");
         goto cleanup;
     }
-    if (realms == NULL || realms[0] == '\0') {
+    /* Don't return a referral to the empty realm or the service realm. */
+    if (realms == NULL || realms[0] == '\0' ||
+        data_eq_string(srealm, realms[0])) {
         retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
         goto cleanup;
     }

diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 8886959473a3ccf49ff7ca7bbb2f7e3c19ad345a..1eac9e66d1c9f3c6f0d76882d76a51f12df8d99f 100644 (file)
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -82,6 +82,7 @@ check-pytests:: hist kdbtest
        $(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_sesskeynego.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_crossrealm.py $(PYTESTFLAGS)
+       $(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS)

diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
new file mode 100644 (file)
index 0000000..6654d71
--- /dev/null
+++ b/src/tests/t_referral.py
@@ -0,0 +1,21 @@
+#!/usr/bin/python
+from k5test import *
+
+# We should have a comprehensive suite of KDC host referral tests
+# here, based on the tests in the kdc_realm subdir.  For now, we just
+# have a regression test for #7483.
+
+# A KDC should not return a host referral to its own realm.
+krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}}
+kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}}
+realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False)
+tracefile = os.path.join(realm.testdir, 'trace')
+realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'],
+                    expected_code=1)
+f = open(tracefile, 'r')
+trace = f.read()
+f.close()
+if 'back to same realm' in trace:
+    fail('KDC returned referral to service realm')
+
+success('KDC host referral tests')