
Subject: Referrals code breaks krb5_set_password_using_ccache to Active Directory
Using the set change password API involves getting a kadmin/changepw service ticket via
krb5_get_credentials(). This doesn't work against MIT's Active Directory server and prevents
the set change password from succeeding.


lxs@ra-tilt.mit.edu: klist
Kerberos 5 ticket cache: 'API:1'
Default principal: lxs@WIN.MIT.EDU

Valid Starting Expires Service Principal
11/29/06 17:00:06 11/30/06 03:00:07 krbtgt/WIN.MIT.EDU@WIN.MIT.EDU
renew until 12/06/06 17:00:06

lxs@ra-tilt.mit.edu: kvno kadmin/changepw@WIN.MIT.EDU
krb5_get_cred_from_kdc_opt: referral routing loop afer 0 hops
kvno: Cannot contact any KDC for requested realm while getting credentials for 'kadmin/changepw@WIN.MIT.EDU'


Also we might want to fix the typo in the warning message (s/afer/after).

From: tlyu@mit.edu
Subject: SVN Commit
* src/lib/krb5/krb/gc_frm_kdc.c: Also do style cleanup.
(krb5_get_cred_from_kdc_opt): If server principal was rewritten,
fall back unless it was rewritten to a TGS principal. This fixes
a bug when a MS AD rewrites the service principal into a
single-component NETBIOS-style name. If we get a referral back to
the immediately preceding realm, fall back to non-referral
handling. This fixes the changepw failure. To prevent memory
leaks, when falling back to non-referral handling, free any tgts
previously obtained by the initial non-referral do_traversal()
call.

Commit By: tlyu



Revision: 18878
Changed Files:
U trunk/src/lib/krb5/krb/gc_frm_kdc.c

From: tlyu@mit.edu
Subject: SVN Commit
pull up r18878 from trunk

r18878@cathode-dark-space: tlyu | 2006-11-30 15:46:32 -0500
ticket: 4955
tags: pullup

* src/lib/krb5/krb/gc_frm_kdc.c: Also do style cleanup.
(krb5_get_cred_from_kdc_opt): If server principal was rewritten,
fall back unless it was rewritten to a TGS principal. This fixes
a bug when a MS AD rewrites the service principal into a
single-component NETBIOS-style name. If we get a referral back to
the immediately preceding realm, fall back to non-referral
handling. This fixes the changepw failure. To prevent memory
leaks, when falling back to non-referral handling, free any tgts
previously obtained by the initial non-referral do_traversal()
call.



Commit By: tlyu



Revision: 18880
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/krb/gc_frm_kdc.c
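
The fallback rules described in the commit messages above, modelled as an added example; this is not code from gc_frm_kdc.c or the krb5 tree. The struct princ type, classify_reply() and its prev_realm parameter are hypothetical simplifications, and the sample principals are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a Kerberos principal (not the krb5 library type). */
struct princ {
    int ncomp;              /* number of name components */
    const char *comp[2];    /* first two components */
    const char *realm;
};

enum action { USE_TICKET, FOLLOW_REFERRAL, FALL_BACK };

static int princ_equal(const struct princ *a, const struct princ *b)
{
    int i;
    if (a->ncomp != b->ncomp || strcmp(a->realm, b->realm) != 0)
        return 0;
    for (i = 0; i < a->ncomp && i < 2; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return 0;
    return 1;
}

/* A TGS principal has the form krbtgt/REALM. */
static int is_tgs(const struct princ *p)
{
    return p->ncomp == 2 && strcmp(p->comp[0], "krbtgt") == 0;
}

/* Decide what to do with the server name in a KDC reply.
 * prev_realm is the realm the caller treats as "immediately preceding"
 * (how the caller tracks it is an assumption of this sketch). */
enum action classify_reply(const struct princ *requested,
                           const struct princ *returned,
                           const char *prev_realm)
{
    if (princ_equal(requested, returned))
        return USE_TICKET;          /* server principal was not rewritten */
    if (!is_tgs(returned))
        return FALL_BACK;           /* e.g. single-component NETBIOS-style name */
    if (strcmp(returned->comp[1], prev_realm) == 0)
        return FALL_BACK;           /* referred back to the preceding realm */
    return FOLLOW_REFERRAL;         /* TGS principal for a different realm */
}

int main(void)
{
    /* Constructed sample values; the realm is the one in the klist output. */
    struct princ req  = { 2, { "kadmin", "changepw" }, "WIN.MIT.EDU" };
    struct princ back = { 2, { "krbtgt", "WIN.MIT.EDU" }, "WIN.MIT.EDU" };
    printf("%d\n", classify_reply(&req, &back, "WIN.MIT.EDU"));
    return 0;
}
```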