svn commit: samba r14576 - branches/SAMBA_3_0/source/libads
trunk/source/libads
gd at samba.org
gd at samba.org
Mon Mar 20 10:05:52 GMT 2006
Author: gd
Date: 2006-03-20 10:05:51 +0000 (Mon, 20 Mar 2006)
New Revision: 14576
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14576
Log:
Skip remaining keytab entries when we have a clear indication that
krb5_rd_req could decrypt the ticket but that ticket is just not valid
at the moment (either not yet valid or already expired). (This also
prevents an MIT kerberos related crash)
Guenther
Modified:
branches/SAMBA_3_0/source/libads/kerberos_verify.c
trunk/source/libads/kerberos_verify.c
Changeset:
Modified: branches/SAMBA_3_0/source/libads/kerberos_verify.c
===================================================================
--- branches/SAMBA_3_0/source/libads/kerberos_verify.c 2006-03-20 00:28:12 UTC (rev 14575)
+++ branches/SAMBA_3_0/source/libads/kerberos_verify.c 2006-03-20 10:05:51 UTC (rev 14576)
@@ -111,6 +111,22 @@
DEBUG(10,("ads_keytab_verify_ticket: "
"krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n",
entry_princ_s, error_message(ret)));
+
+ /* workaround for MIT:
+ * as krb5_ktfile_get_entry will
+ * explicitly close the
+ * krb5_keytab as soon as
+ * krb5_rd_req has sucessfully
+ * decrypted the ticket but the
+ * ticket is not valid yet (due
+ * to clockskew) there is no
+ * point in querying more
+ * keytab entries - Guenther */
+
+ if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
+ break;
+ }
} else {
DEBUG(3,("ads_keytab_verify_ticket: "
"krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n",
@@ -243,11 +259,17 @@
krb5_free_keyblock(context, key);
break;
}
-
+
DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
(unsigned int)enctypes[i], error_message(ret)));
+ /* successfully decrypted but ticket is just not valid at the moment */
+ if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
+ break;
+ }
+
krb5_free_keyblock(context, key);
}
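Review bot: The break added at lines 57–60 leaves the loop before the `krb5_free_keyblock(context, key);` at line 62, so the keyblock obtained for this enc type is leaked on the KRB5KRB_AP_ERR_TKT_NYV / KRB5KRB_AP_ERR_TKT_EXPIRED path; the successful-decrypt path at lines 48–49 frees the key before its own break, which suggests nothing after the loop releases it. Release the key inside the new branch before leaving, so the block reads `krb5_free_keyblock(context, key); break;`. The same leak is in the trunk hunk at lines 91–107. The enclosing loop of ads_secrets_verify_ticket starts and ends outside this hunk.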
Modified: trunk/source/libads/kerberos_verify.c
===================================================================
--- trunk/source/libads/kerberos_verify.c 2006-03-20 00:28:12 UTC (rev 14575)
+++ trunk/source/libads/kerberos_verify.c 2006-03-20 10:05:51 UTC (rev 14576)
@@ -111,6 +111,22 @@
DEBUG(10,("ads_keytab_verify_ticket: "
"krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n",
entry_princ_s, error_message(ret)));
+
+ /* workaround for MIT:
+ * as krb5_ktfile_get_entry will
+ * explicitly close the
+ * krb5_keytab as soon as
+ * krb5_rd_req has sucessfully
+ * decrypted the ticket but the
+ * ticket is not valid yet (due
+ * to clockskew) there is no
+ * point in querying more
+ * keytab entries - Guenther */
+
+ if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
+ break;
+ }
} else {
DEBUG(3,("ads_keytab_verify_ticket: "
"krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n",
@@ -243,11 +259,17 @@
krb5_free_keyblock(context, key);
break;
}
-
+
DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
(unsigned int)enctypes[i], error_message(ret)));
+ /* successfully decrypted but ticket is just not valid at the moment */
+ if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED) {
+ break;
+ }
+
krb5_free_keyblock(context, key);
}