From: Greg Hudson
Date: Thu, 29 Aug 2013 15:15:02 +0000 (-0400)
Subject: Make it possible to renew aliased service tickets
X-Git-Tag: krb5-1.12-alpha1~41
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=81ceb5352dd3bc11a546d818107d0c4a896cee44;p=thirdparty%2Fkrb5.git
Make it possible to renew aliased service tickets
We always allow aliases in the service principal when processing AS-REQs and TGS-REQs. If the ticket we issued is presented back to us in a TGS-REQ as a header ticket for renewal or similar, we should allow aliases when looking up its key to decode the AP-REQ.
ticket: 7699 (new)
---
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index e61a867d60..bc638c19bf 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -389,9 +389,9 @@ kdc_rd_ap_req(kdc_realm_t *kdc_active_realm,
 match_enctype = 0;
 }
- retval = kdc_get_server_key(kdc_context,
- apreq->ticket, 0, match_enctype, server, NULL,
- NULL);
+ retval = kdc_get_server_key(kdc_context, apreq->ticket,
+ KRB5_KDB_FLAG_ALIAS_OK, match_enctype, server,
+ NULL, NULL);
 if (retval)
 return retval;
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 7a9471f8a1..70fe58a840 100644
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -286,6 +286,14 @@ out = realm.run([klist])
 if 'tgtalias@KRBTEST.COM\n' not in out:
 fail('After fetching tgtalias, klist is missing it')
+# Make sure aliases work in header tickets.
+realm.run_kadminl('modprinc -maxrenewlife "3 hours" user')
+realm.run_kadminl('modprinc -maxrenewlife "3 hours" krbtgt/KRBTEST.COM')
+realm.kinit(realm.user_princ, password('user'), ['-l', '1h', '-r', '2h'])
+realm.run([kvno, 'alias'])
+realm.kinit(realm.user_princ, flags=['-R', '-S', 'alias'])
+realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
+
 realm.stop()
 # Briefly test dump and load.
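Review bot: The kdc_get_server_key call now resolves the header ticket's server name through aliases, but nothing in the code records why, so a reader of kdc_rd_ap_req cannot tell that a non-aliased lookup would reject tickets the KDC itself issued under an alias; add above the call `/* The ticket's sname may be an alias (we accept aliases in AS-REQ and TGS-REQ service names), so look its key up with aliases allowed. */`. With KRB5_KDB_FLAG_ALIAS_OK the entry returned in `server` may carry a canonical principal that differs from apreq->ticket->server, so any later comparison between the two must tolerate that; whether such a comparison exists cannot be confirmed from this hunk, since kdc_rd_ap_req starts and ends outside it.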
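Review bot: The new block depends on the two modprinc calls to make a renewable ticket obtainable at all, and the comment `# Make sure aliases work in header tickets.` says neither that nor that the renewing kinit is what presents the alias ticket back to the KDC as a header ticket; expand it to `# Make sure aliases work in header tickets: raise maxrenewlife so a renewable ticket can be issued, fetch a ticket for the alias, then renew it (kinit -R -S alias sends the alias ticket as the header ticket).` The maxrenewlife changes to user and krbtgt persist for the rest of the script, which is presumably harmless here but worth a word in the comment if later checks assume the default lifetimes. The surrounding statement run continues past the hunk.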