svn commit: samba r25080 - in branches: SAMBA_3_2/source/libads SAMBA_3_2_0/source/libads

gd at samba.org gd at samba.org
Tue Sep 11 14:56:45 GMT 2007


Author: gd
Date: 2007-09-11 14:56:43 +0000 (Tue, 11 Sep 2007)
New Revision: 25080

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=25080

Log:
Once we have decrypted the packet but hit timing problems (clock skew, ticket
not yet or no longer valid), there is no point in bothering the keytab routines.

Guenther

Modified:
   branches/SAMBA_3_2/source/libads/kerberos_verify.c
   branches/SAMBA_3_2_0/source/libads/kerberos_verify.c


Changeset:
Modified: branches/SAMBA_3_2/source/libads/kerberos_verify.c
===================================================================
--- branches/SAMBA_3_2/source/libads/kerberos_verify.c	2007-09-11 14:31:41 UTC (rev 25079)
+++ branches/SAMBA_3_2/source/libads/kerberos_verify.c	2007-09-11 14:56:43 UTC (rev 25080)
@@ -427,9 +427,16 @@
 	/* Try secrets.tdb first and fallback to the krb5.keytab if
 	   necessary */
 
-        auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+	auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
 					    ticket, &tkt, &keyblock, &ret);
 
+	if (!auth_ok &&
+	    (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+	     ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
+	     ret == KRB5KRB_AP_ERR_SKEW)) {
+		goto auth_failed;
+	}
+
 	if (!auth_ok && lp_use_kerberos_keytab()) {
 		auth_ok = ads_keytab_verify_ticket(context, auth_context, 
 						   ticket, &tkt, &keyblock, &ret);
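Review bot: The new early exit on `KRB5KRB_AP_ERR_TKT_NYV`, `KRB5KRB_AP_ERR_TKT_EXPIRED` and `KRB5KRB_AP_ERR_SKEW` has no comment saying why these three codes are terminal; the reasoning exists only in the commit log. I would add above the `if` something like `/* Ticket decrypted with our key but failed a time check; no other key can change that, so skip the keytab. */`. The check also relies on `ads_secrets_verify_ticket` leaving the decisive error in `ret`: if that helper tries more than one key or enctype (not visible in this hunk), a later attempt could presumably overwrite a time error, or an earlier one could linger, so its contract for `ret` is worth confirming. The identical hunk is applied to branches/SAMBA_3_2_0/source/libads/kerberos_verify.c, and the enclosing function starts and ends outside the hunk.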
@@ -446,6 +453,7 @@
 #endif
 	}	
 
+ auth_failed:
 	if (!auth_ok) {
 		DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", 
 			 error_message(ret)));
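Review bot: The label `auth_failed:` is also reached by plain fall-through when authentication succeeded, so the name describes only one of the two ways in and the `if (!auth_ok)` guard below it is what actually decides. A neutral name such as `auth_done:` or a one-line comment `/* also reached on success; auth_ok decides */` would keep a later edit from placing failure-only code directly under the label. With the early exit, time-check rejections never touch the keytab, so this `DEBUG(3, ...)` message is their only trace; it does carry `error_message(ret)`, which keeps skewed or expired tickets identifiable in the log. The same hunk is applied to the SAMBA_3_2_0 copy, and the function continues outside the hunk.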

Modified: branches/SAMBA_3_2_0/source/libads/kerberos_verify.c
===================================================================
--- branches/SAMBA_3_2_0/source/libads/kerberos_verify.c	2007-09-11 14:31:41 UTC (rev 25079)
+++ branches/SAMBA_3_2_0/source/libads/kerberos_verify.c	2007-09-11 14:56:43 UTC (rev 25080)
@@ -427,9 +427,16 @@
 	/* Try secrets.tdb first and fallback to the krb5.keytab if
 	   necessary */
 
-        auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+	auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
 					    ticket, &tkt, &keyblock, &ret);
 
+	if (!auth_ok &&
+	    (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+	     ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
+	     ret == KRB5KRB_AP_ERR_SKEW)) {
+		goto auth_failed;
+	}
+
 	if (!auth_ok && lp_use_kerberos_keytab()) {
 		auth_ok = ads_keytab_verify_ticket(context, auth_context, 
 						   ticket, &tkt, &keyblock, &ret);
@@ -446,6 +453,7 @@
 #endif
 	}	
 
+ auth_failed:
 	if (!auth_ok) {
 		DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", 
 			 error_message(ret)));


