Skip Menu |
 

Subject: gic_keytab.c
From: Ben Cox <cox-work@djehuti.com>
To: krb5-bugs@mit.edu
Date: 28 Oct 2002 14:29:31 -0500
Hello,

I've just encountered a minor bug in krb5-1.2.6 (and 1.2.5) in
src/lib/krb5/krb/gic_keytab.c.

Lines 109-113 read:

/* if the master is unreachable, return the error from the
slave we were able to contact */

if ((ret2 == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE))
goto cleanup;

Line 112 should almost certainly read

if ((ret2 == KRB5_KDC_UNREACH) || (ret2 == KRB5_REALM_CANT_RESOLVE))

instead.

The effect of this bug is that, when we can't find the master KDC for a
realm, other errors get masked as KRB5_REALM_CANT_RESOLVE instead of the
real error.

I found this when attempting to get a krbtgt from a realm that is served
by an Active Directory server. There's no "admin_server" entry in my
krb5.conf for that realm, and there are no DNS service entries (that I
can resolve) for it, either; just kdc and kpasswd entries for it.
Adding a (bogus) admin_server entry to the kdc.conf causes the real
error to be returned.

Thanks.


--
Ben Cox <cox-work@djehuti.com>
From: hartmans@mit.edu
Subject: CVS Commit
If we get cannot resolve KDC for master but find a slave
return the real error from the slave rather than the resolution error.


To generate a diff of this commit:



cvs diff -r5.352 -r5.353 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.8 -r5.9 krb5/src/lib/krb5/krb/gic_keytab.c