From: Andrew Boardman Date: Fri, 18 Aug 2006 06:43:20 +0000 (+0000) Subject: Disable credential checks that otherwise-valid referrals break. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f74e8d2cc31b4361923fe7454f744eb32e208e1;p=thirdparty%2Fkrb5.git Disable credential checks that otherwise-valid referrals break. XXX: These need to be referral-aware, not just disabled. git-svn-id: svn://anonsvn.mit.edu/krb5/users/amb/referrals@18469 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c index a1ed6e90d2..f707949a90 100644 --- a/src/lib/krb5/krb/gc_via_tkt.c +++ b/src/lib/krb5/krb/gc_via_tkt.c @@ -50,7 +50,7 @@ krb5_kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *con goto cleanup; if ((retval = krb5_copy_principal(context, pkdcrep->enc_part2->server, - &(*ppcreds)->server))) + &(*ppcreds)->server))) goto cleanup; if ((retval = krb5_copy_keyblock_contents(context, @@ -107,6 +107,8 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, krb5_response tgsrep; krb5_enctype *enctypes = 0; + printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off"); + /* tkt->client must be equal to in_cred->client */ if (!krb5_principal_compare(context, tkt->client, in_cred->client)) return KRB5_PRINC_NOMATCH; @@ -167,7 +169,7 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, else retval = KRB5KRB_AP_ERR_MSG_TYPE; - if (retval) /* neither proper reply nor error! */ + if (retval) /* neither proper reply nor error! */ goto error_4; retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5; 
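Review bot: The `printf` added at the top of krb5_get_cred_via_tkt writes to the standard output of every program that links this library, and the same holds for the `printf`/`amb_dump_principal` calls in the @@ -218 hunk and the closing `printf` before `return retval` in the @@ -267 hunk. Callers may use stdout for their own data, and these traces emit error text (and, judging by its name, `amb_dump_principal` emits principal names) on every TGS exchange. I would compile the traces only under a debug switch that is off by default and send them to stderr, for example `fprintf(stderr, "krb5_get_cred_via_tkt ending; retval <%s>\n", error_message(retval));`. `amb_dump_principal` is not declared in any visible hunk, so its prototype presumably lives elsewhere and is worth confirming. The function body starts and ends outside this hunk.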
@@ -218,11 +220,21 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, if (!krb5_principal_compare(context, dec_rep->client, tkt->client)) retval = KRB5_KDCREP_MODIFIED; - if (!krb5_principal_compare(context, dec_rep->enc_part2->server, in_cred->server)) - retval = KRB5_KDCREP_MODIFIED; + if (!krb5_principal_compare(context, dec_rep->enc_part2->server, in_cred->server)) { + retval = KRB5_KDCREP_MODIFIED; + printf("in_cred and encoding don't match; continuing anyway.\n"); + amb_dump_principal("server principal from in_cred",in_cred->server); + amb_dump_principal("encoded server",dec_rep->enc_part2->server); + retval=0; /* XXX need sane check */ + } - if (!krb5_principal_compare(context, dec_rep->ticket->server, in_cred->server)) + if (!krb5_principal_compare(context, dec_rep->ticket->server, in_cred->server)) { retval = KRB5_KDCREP_MODIFIED; + printf("in_cred and ticket don't match; continuing anyway\n"); + amb_dump_principal("server principal from in_cred",in_cred->server); + amb_dump_principal("server principal from ticket",dec_rep->ticket->server); + retval=0; /* XXX need sane check */ + } if (dec_rep->enc_part2->nonce != tgsrep.expected_nonce) retval = KRB5_KDCREP_MODIFIED; @@ -267,5 +279,6 @@ error_3:; error_4:; free(tgsrep.response.data); + printf("krb5_get_cred_via_tkt ending; retval <%s>\n",error_message(retval)); return retval; }
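Review bot: `retval=0; /* XXX need sane check */` in both new blocks clears whatever retval already held, so a mismatch found by the `dec_rep->client` comparison just above is also discarded whenever the returned server differs from `in_cred->server`. As written, a reply naming a different server passes these checks for every request, not only for those that asked for a referral. Until the checks are referral-aware, I would never reset retval, still require the ticket and the encrypted part to name the same server, and tolerate a difference from `in_cred->server` only when `kdcoptions & KDC_OPT_CANONICALIZE` is set, as sketched below. The function body starts and ends outside this hunk, so any checks after the nonce comparison are not visible here.

```c
    /* … unchanged: dec_rep->client comparison sets retval … */

    if (!krb5_principal_compare(context, dec_rep->ticket->server,
                                dec_rep->enc_part2->server)) {
        /* The reply must at least be self-consistent. */
        retval = KRB5_KDCREP_MODIFIED;
    } else if (!krb5_principal_compare(context, dec_rep->enc_part2->server,
                                       in_cred->server) &&
               !(kdcoptions & KDC_OPT_CANONICALIZE)) {
        /* A different server is acceptable only if a referral was requested. */
        retval = KRB5_KDCREP_MODIFIED;
    }

    /* … unchanged: nonce comparison … */
```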