Skip Menu |
 

From: tlyu@mit.edu
Subject: git commit

Do not loop on principal unknown errors

If the canonicalize flag is set, the MIT KDC always return the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.

Check that this is really a referral by testing that the returned
client realm differs from the requested one.

[ghudson@mit.edu: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm. Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]

(cherry picked from commit d5755694b620570defeecee772def90a2733c6cc)

https://github.com/krb5/krb5/commit/262eb56da6af3c674feaa8e48e8a8ed52d1eea1b
Author: Simo Sorce <simo@redhat.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 262eb56da6af3c674feaa8e48e8a8ed52d1eea1b
Branch: krb5-1.12
src/lib/krb5/krb/get_in_tkt.c | 40 +++++++++++++---------------------------
1 files changed, 13 insertions(+), 27 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Add test for kinit -C WRONG_REALM response

(cherry picked from commit c0778ab2252ece4c3510788d9b72f7f5e3bb05dd)

https://github.com/krb5/krb5/commit/8b61c2c06b61ede1134f4623ec558ea2a0b3901a
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 8b61c2c06b61ede1134f4623ec558ea2a0b3901a
Branch: krb5-1.12
src/tests/t_general.py | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)