Skip Menu |

Subject: git commit

Do not loop on principal unknown errors

If the canonicalize flag is set, the MIT KDC always return the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.

Check that this is really a referral by testing that the returned
client realm differs from the requested one.

[ simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm. Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]

(cherry picked from commit d5755694b620570defeecee772def90a2733c6cc)
Author: Simo Sorce <>
Committer: Tom Yu <>
Commit: 262eb56da6af3c674feaa8e48e8a8ed52d1eea1b
Branch: krb5-1.12
src/lib/krb5/krb/get_in_tkt.c | 40 +++++++++++++---------------------------
1 files changed, 13 insertions(+), 27 deletions(-)
Subject: git commit

Add test for kinit -C WRONG_REALM response

(cherry picked from commit c0778ab2252ece4c3510788d9b72f7f5e3bb05dd)
Author: Greg Hudson <>
Committer: Tom Yu <>
Commit: 8b61c2c06b61ede1134f4623ec558ea2a0b3901a
Branch: krb5-1.12
src/tests/ | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)