From: Greg Hudson Date: Thu, 29 Aug 2013 22:17:29 +0000 (-0400) Subject: Tighten up referral recognition in KDC TGS code X-Git-Tag: krb5-1.12-alpha1~38 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f37634ae89f8bd13ec64120fce56ba5613c498c;p=thirdparty%2Fkrb5.git Tighten up referral recognition in KDC TGS code In do_tgs_req(), treat the search_sprinc() result as a referral only if it is a cross-TGS principal and it doesn't match the requested server principal. This change fixes two corner cases: (1) when a client requests a cross-realm TGT, we won't squash the name type in the response; and (2) if we are serving multiple realms out of the same KDB, we will properly handle aliases to any local-realm TGT, not just the one for the configured realm name. ticket: 7555 --- diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 85f07f171e..2402036386 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -217,8 +217,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, if (errcode != 0) goto cleanup; sprinc = server->princ; - is_referral = krb5_is_tgs_principal(server->princ) && - !krb5_principal_compare(kdc_context, tgs_server, server->princ); + + /* If we got a cross-realm TGS which is not the requested server, we are + * issuing a referral (or alternate TGT, which we treat similarly). */ + is_referral = is_cross_tgs_principal(server->princ) && + !krb5_principal_compare(kdc_context, request->server, server->princ); + if (is_referral) { /* * We may be issuing an alternate TGT or a referral to another realm,