
From: ghudson@mit.edu
Subject: SVN Commit

Fix is_referral flag in KDC TGS code

A server response which is a cross-realm TGT is not a referral if it
was directly requested by the client. Misclassifying such a response
as a referral means we don't mirror the request's name type, which has
been observed to break older Java clients.

https://github.com/krb5/krb5/commit/c072b059ecff257e7600be0e86869decd135d422
Author: Greg Hudson <ghudson@mit.edu>
Commit: c072b059ecff257e7600be0e86869decd135d422
Branch: master
src/kdc/do_tgs_req.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

From: ghudson@mit.edu
Subject: SVN Commit

Revert previous change to process_tgs_req

Commit c072b059ecff257e7600be0e86869decd135d422 did not have the
intended effect because, at the point where is_referral is set,
request->server has already been modified to contain server->princ.

https://github.com/krb5/krb5/commit/cba077afd0a3c133c52cc25c84da62205ba61013
Author: Greg Hudson <ghudson@mit.edu>
Commit: cba077afd0a3c133c52cc25c84da62205ba61013
Branch: master
src/kdc/do_tgs_req.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Tighten up referral recognition in KDC TGS code

In do_tgs_req(), treat the search_sprinc() result as a referral only
if it is a cross-TGS principal and it doesn't match the requested
server principal. This change fixes two corner cases: (1) when a
client requests a cross-realm TGT, we won't squash the name type in
the response; and (2) if we are serving multiple realms out of the
same KDB, we will properly handle aliases to any local-realm TGT, not
just the one for the configured realm name.

https://github.com/krb5/krb5/commit/2f37634ae89f8bd13ec64120fce56ba5613c498c
Author: Greg Hudson <ghudson@mit.edu>
Commit: 2f37634ae89f8bd13ec64120fce56ba5613c498c
Branch: master
src/kdc/do_tgs_req.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
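
The referral rule described in the last commit message, modelled as an added example that is not code from krb5 or from these commits. The struct, the function names and the sample principals are hypothetical, and treating "match" as equality of realm and components is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified principal model (hypothetical; not krb5's own types). */
struct princ {
    const char *realm;
    int ncomp;
    const char *comp[2];
};

/* krbtgt/X@Y names a TGS; it is cross-realm when X differs from Y. */
static bool is_cross_tgs(const struct princ *p)
{
    return p->ncomp == 2 && strcmp(p->comp[0], "krbtgt") == 0 &&
           strcmp(p->comp[1], p->realm) != 0;
}

/* Assumption: "match" means same realm and same components. */
static bool same_princ(const struct princ *a, const struct princ *b)
{
    if (a->ncomp != b->ncomp || strcmp(a->realm, b->realm) != 0)
        return false;
    for (int i = 0; i < a->ncomp; i++) {
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return false;
    }
    return true;
}

/* Referral only when the lookup returned a cross-realm TGT the client did not request. */
static bool is_referral(const struct princ *requested, const struct princ *found)
{
    return is_cross_tgs(found) && !same_princ(requested, found);
}

/* Constructed sample principals. */
static const struct princ req_host   = { "A.EXAMPLE", 2, { "host", "srv.b.example" } };
static const struct princ tgt_a_to_b = { "A.EXAMPLE", 2, { "krbtgt", "B.EXAMPLE" } };
static const struct princ req_alias  = { "A.EXAMPLE", 2, { "krbtgt", "ALIAS" } };
static const struct princ tgt_local2 = { "R2.EXAMPLE", 2, { "krbtgt", "R2.EXAMPLE" } };

int main(void)
{
    printf("host request, cross TGT found: %d\n", is_referral(&req_host, &tgt_a_to_b));
    printf("cross TGT requested directly:  %d\n", is_referral(&tgt_a_to_b, &tgt_a_to_b));
    printf("alias to a local-realm TGT:    %d\n", is_referral(&req_alias, &tgt_local2));
    return 0;
}
```

Only the first case is classified as a referral; the second and third are the two corner cases the commit message lists.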