Download (untitled) / with headers
Fix transited handling for GSSAPI acceptors
The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.
To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.
Based on a bug report and patch from email@example.com.
(cherry picked from commit 57acee11b5c6682a7f4f036e35d8b2fc9292875e)
[firstname.lastname@example.org: removed test due to k5test.py incompatibility]
Author: Tom Yu <email@example.com>
src/lib/krb5/krb/rd_req_dec.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)