Subject: gic_keytab.c
From: Ben Cox <cox-work@djehuti.com>
To: krb5-bugs@mit.edu
Date: 28 Oct 2002 14:29:31 -0500

Hello,

I've just encountered a minor bug in krb5-1.2.6 (and 1.2.5) in
src/lib/krb5/krb/gic_keytab.c.

Lines 109-113 read:

    /* if the master is unreachable, return the error from the
       slave we were able to contact */
    if ((ret2 == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE))
        goto cleanup;

Line 112 should almost certainly read

    if ((ret2 == KRB5_KDC_UNREACH) || (ret2 == KRB5_REALM_CANT_RESOLVE))

instead.

The effect of this bug is that, when we can't find the master KDC for a
realm, other errors get masked as KRB5_REALM_CANT_RESOLVE instead of the
real error.

I found this when attempting to get a krbtgt from a realm that is served
by an Active Directory server. There's no "admin_server" entry in my
krb5.conf for that realm, and there are no DNS service entries (that I
can resolve) for it, either; just kdc and kpasswd entries for it.
Adding a (bogus) admin_server entry to the kdc.conf causes the real
error to be returned.

Thanks.
--
Ben Cox <cox-work@djehuti.com>
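
The masking described in the report above, as an added example that is not part of the original message or of the krb5 source. It models the master-KDC retry with the quoted condition and with the proposed one; the control flow around the quoted lines, the numeric error values, and the names fallback, EX_REAL_ERROR and EX_MASTER_ERROR are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed stand-ins: only the two KRB5_* names come from the report,
   and none of these numeric values are the real krb5 ones. */
enum {
    OK = 0,
    KRB5_KDC_UNREACH = 1,
    KRB5_REALM_CANT_RESOLVE = 2,
    EX_REAL_ERROR = 3,    /* hypothetical: error from the KDC we reached */
    EX_MASTER_ERROR = 4   /* hypothetical: error the master itself returned */
};

/* ret  = result of the first request (any KDC),
   ret2 = result of the retry against the master KDC.
   fixed = 0 uses the condition quoted from line 112, 1 the proposed one.
   Assumed surrounding flow: success short-circuits, and when the master
   did answer, its error replaces the first one. */
static int fallback(int ret, int ret2, int fixed)
{
    if (ret == OK || ret2 == OK)
        return OK;

    /* if the master is unreachable, return the error from the
       slave we were able to contact */
    if ((ret2 == KRB5_KDC_UNREACH) ||
        ((fixed ? ret2 : ret) == KRB5_REALM_CANT_RESOLVE))
        goto cleanup;

    ret = ret2;   /* assumed: the master's answer takes precedence */
cleanup:
    return ret;
}

int main(void)
{
    const int master[] = { KRB5_KDC_UNREACH, KRB5_REALM_CANT_RESOLVE,
                           EX_MASTER_ERROR };
    int i;

    for (i = 0; i < 3; i++)
        printf("ret=%d ret2=%d  quoted->%d  proposed->%d\n",
               EX_REAL_ERROR, master[i],
               fallback(EX_REAL_ERROR, master[i], 0),
               fallback(EX_REAL_ERROR, master[i], 1));
    return 0;
}
```

Only the row where the master lookup fails with KRB5_REALM_CANT_RESOLVE differs: the quoted condition lets that code overwrite the first error, while the proposed condition keeps it.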