[PATCH] making ads_verify_ticket with a keytab not crash

Jeremy Allison jra at samba.org
Sun Mar 19 23:36:25 GMT 2006


On Fri, Mar 17, 2006 at 04:09:48PM +0100, Guenther Deschner wrote:
> Hi,
> 
> as the MIT krb5's krb5_rd_req does an explicit close on the keytab when it
> was able to decrypt the ticket (but the ticket is not yet or no longer
> valid), we crash on calling krb5_ktfile_get_entry the next time as the
> krb5_keytab has become invalid. (to reproduce set your clock to a wrong
> time and use "use kerberos keytab = yes).
> 
> Shouldn't we just stop to iterate over the reamining keytab entries then
> anyway as it was decrypted but couldn't be used, why continuing ? 

Guenther, this looks good to me - makes sense. Can you check it in please ?

Thanks,

	Jeremy


More information about the samba-technical mailing list