From: Greg Hudson Date: Thu, 24 May 2012 17:03:26 +0000 (-0400) Subject: Fix S4U user identification in preauth case X-Git-Tag: krb5-1.11-alpha1~532 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33a64a7f9dc7342880f7a477a8b3447891d20af5;p=thirdparty%2Fkrb5.git Fix S4U user identification in preauth case In 1.10, encrypted timestamp became a built-in module instead of a hardcoded padata handler. This changed the behavior of krb5_get_init_creds as invoked by s4u_identify_user such that KRB5_PREAUTH_FAILED is returned instead of the gak function's error. (Module failures are not treated as hard errors, while hardcoded padata handler errors are.) Accordingly, we should look for KRB5_PREAUTH_FAILED in s4u_identify_user. On a less harmful note, the gak function was returning a protocol error code instead of a com_err code, and the caller was testing for a different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could never be returned by krb5_get_init_creds. Clean up both of those by returning KRB5_PREAUTH_FAILED from the gak function and testing for that alone. Reported by Michael Morony. ticket: 7136 target_version: 1.10.2 tags: pullup --- diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c index e4cc8a14be..6a1bcc3e84 100644 --- a/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c @@ -48,7 +48,7 @@ krb5_get_as_key_noop( void *gak_data) { /* force a hard error, we don't actually have the key */ - return KDC_ERR_PREAUTH_FAILED; + return KRB5_PREAUTH_FAILED; } static krb5_error_code @@ -118,9 +118,7 @@ s4u_identify_user(krb5_context context, NULL, NULL, 0, NULL, opts, krb5_get_as_key_noop, &userid, &use_master, NULL); - if (code == 0 || - code == KDC_ERR_PREAUTH_REQUIRED || - code == KDC_ERR_PREAUTH_FAILED) { + if (code == 0 || code == KRB5_PREAUTH_FAILED) { *canon_user = userid.user; userid.user = NULL; code = 0;
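Review bot: In the krb5_get_as_key_noop hunk, the comment "force a hard error, we don't actually have the key" no longer matches the behaviour the commit message describes: with encrypted timestamp as a built-in module the callback's error is not surfaced as a hard error at all, and the only reason the new value works is that s4u_identify_user now tests for exactly KRB5_PREAUTH_FAILED. Suggest rewording the comment to state that coupling, e.g. "/* Return a com_err code; s4u_identify_user checks for KRB5_PREAUTH_FAILED. */", so a later change to either side does not silently break user identification again.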
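Review bot: In the s4u_identify_user hunk, the new condition `if (code == 0 || code == KRB5_PREAUTH_FAILED)` treats a preauth failure as success and then unconditionally does `*canon_user = userid.user; userid.user = NULL; code = 0;`. Since KRB5_PREAUTH_FAILED is, per the commit message, the generic code krb5_get_init_creds returns for any module failure, not only the no-key callback, it would be safer to also require `userid.user != NULL` in the failure branch before reporting success, so a path that failed before the user was identified cannot hand back a NULL canonical name with code 0. A one-line comment at the condition explaining why KRB5_PREAUTH_FAILED is expected here would also help the next reader.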