Do not loop on principal unknown errors
If the canonicalize flag is set, the MIT KDC always return the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.
Check that this is really a referral by testing that the returned
client realm differs from the requested one.
[email@example.com: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm. Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]
(cherry picked from commit d5755694b620570defeecee772def90a2733c6cc)
Author: Simo Sorce <firstname.lastname@example.org>
Committer: Tom Yu <email@example.com>
src/lib/krb5/krb/get_in_tkt.c | 40 +++++++++++++---------------------------
1 files changed, 13 insertions(+), 27 deletions(-)