From: tlyu@mit.edu
Subject: SVN Commit

Fix S4U user identification in preauth case

In 1.10, encrypted timestamp became a built-in module instead of a
hardcoded padata handler. This changed the behavior of
krb5_get_init_creds as invoked by s4u_identify_user such that
KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
(Module failures are not treated as hard errors, while hardcoded
padata handler errors are.) Accordingly, we should look for
KRB5_PREAUTH_FAILED in s4u_identify_user.

On a less harmful note, the gak function was returning a protocol
error code instead of a com_err code, and the caller was testing for a
different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
never be returned by krb5_get_init_creds. Clean up both of those by
returning KRB5_PREAUTH_FAILED from the gak function and testing for
that alone.

Reported by Michael Morony.

(cherry picked from commit 33a64a7f9dc7342880f7a477a8b3447891d20af5)

https://github.com/krb5/krb5/commit/e934d973eb7e43792062ee1a6b4396ca41d0f862
Author: Greg Hudson
Committer: Tom Yu
Commit: e934d973eb7e43792062ee1a6b4396ca41d0f862
Branch: krb5-1.10
 src/lib/krb5/krb/s4u_creds.c | 6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)