svn commit: samba r25080 - in branches: SAMBA_3_2/source/libads
SAMBA_3_2_0/source/libads
gd at samba.org
gd at samba.org
Tue Sep 11 14:56:45 GMT 2007
Author: gd
Date: 2007-09-11 14:56:43 +0000 (Tue, 11 Sep 2007)
New Revision: 25080
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=25080
Log:
Once we have decrypted the packet but hit timing problems (clock skew, tkt not yet or
no longer valid), there is no point in bothering the keytab routines.
Guenther
Modified:
branches/SAMBA_3_2/source/libads/kerberos_verify.c
branches/SAMBA_3_2_0/source/libads/kerberos_verify.c
Changeset:
Modified: branches/SAMBA_3_2/source/libads/kerberos_verify.c
===================================================================
--- branches/SAMBA_3_2/source/libads/kerberos_verify.c 2007-09-11 14:31:41 UTC (rev 25079)
+++ branches/SAMBA_3_2/source/libads/kerberos_verify.c 2007-09-11 14:56:43 UTC (rev 25080)
@@ -427,9 +427,16 @@
/* Try secrets.tdb first and fallback to the krb5.keytab if
necessary */
- auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+ auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
ticket, &tkt, &keyblock, &ret);
+ if (!auth_ok &&
+ (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
+ ret == KRB5KRB_AP_ERR_SKEW)) {
+ goto auth_failed;
+ }
+
if (!auth_ok && lp_use_kerberos_keytab()) {
auth_ok = ads_keytab_verify_ticket(context, auth_context,
ticket, &tkt, &keyblock, &ret);
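Review bot: The early exit at `if (!auth_ok && (ret == KRB5KRB_AP_ERR_TKT_NYV || ...))` depends on `ret` holding the krb5 result of a decryption that actually succeeded, and nothing visible in the hunk shows that `ads_secrets_verify_ticket` writes `ret` on every failure path or that `ret` is initialised before the call. If the helper can return false before reaching the krb5 request, or overwrites the code while trying a further key, a stale or unrelated timing value would skip the keytab fallback and reject a ticket the keytab might have verified. This should be confirmed in the helper, which lies outside the hunk along with the rest of the enclosing function. The branch also deserves a comment recording the reasoning from the log message, for example `/* timing errors are only reported after the ticket decrypted, so another key cannot help */`. The same applies to the identical hunk for branches/SAMBA_3_2_0.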
@@ -446,6 +453,7 @@
#endif
}
+ auth_failed:
if (!auth_ok) {
DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
error_message(ret)));
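Review bot: The label `auth_failed:` sits in front of `if (!auth_ok) {`, so the successful path falls through it as well and the name overstates what reaching it means; a neutral name such as `auth_check:` would read more accurately. Because the `goto` added in the first hunk jumps over everything between the keytab call and this label, including the section closed by `#endif` whose contents are not visible here, it is worth checking that nothing skipped there is needed by the failure path. The identical hunk for branches/SAMBA_3_2_0 has the same label.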
Modified: branches/SAMBA_3_2_0/source/libads/kerberos_verify.c
===================================================================
--- branches/SAMBA_3_2_0/source/libads/kerberos_verify.c 2007-09-11 14:31:41 UTC (rev 25079)
+++ branches/SAMBA_3_2_0/source/libads/kerberos_verify.c 2007-09-11 14:56:43 UTC (rev 25080)
@@ -427,9 +427,16 @@
/* Try secrets.tdb first and fallback to the krb5.keytab if
necessary */
- auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+ auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
ticket, &tkt, &keyblock, &ret);
+ if (!auth_ok &&
+ (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+ ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
+ ret == KRB5KRB_AP_ERR_SKEW)) {
+ goto auth_failed;
+ }
+
if (!auth_ok && lp_use_kerberos_keytab()) {
auth_ok = ads_keytab_verify_ticket(context, auth_context,
ticket, &tkt, &keyblock, &ret);
@@ -446,6 +453,7 @@
#endif
}
+ auth_failed:
if (!auth_ok) {
DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
error_message(ret)));