summaryrefslogtreecommitdiff
path: root/core/krb5/krb5-1.9.1-canonicalize-fallback.patch
blob: e5a38498fe19f4937cec33cca26b02aca0b91304 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
diff -Naur krb5-1.9.1.ori/src/lib/krb5/krb/get_creds.c krb5-1.9.1/src/lib/krb5/krb/get_creds.c
--- krb5-1.9.1.ori/src/lib/krb5/krb/get_creds.c	2011-02-09 16:55:36.000000000 -0500
+++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c	2011-09-26 18:42:01.465190278 -0400
@@ -470,13 +470,10 @@
 
 /***** STATE_REFERRALS *****/
 
-/*
- * Possibly retry a request in the fallback realm after a referral request
- * failure in the local realm.  Expects ctx->reply_code to be set to the error
- * from a referral request.
- */
+/* Possibly try a non-referral request after a referral request failure.
+ * Expects ctx->reply_code to be set to the error from a referral request. */
 static krb5_error_code
-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
+try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
 {
     krb5_error_code code;
     char **hrealms;
@@ -485,9 +482,10 @@
     if (ctx->referral_count > 1)
         return ctx->reply_code;
 
-    /* Only fall back if the original request used the referral realm. */
+    /* If the request used a specified realm, make a non-referral request to
+     * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
     if (!krb5_is_referral_realm(&ctx->req_server->realm))
-        return ctx->reply_code;
+        return begin_non_referral(context, ctx);
 
     if (ctx->server->length < 2) {
         /* We need a type/host format principal to find a fallback realm. */
@@ -500,10 +498,10 @@
     if (code != 0)
         return code;
 
-    /* Give up if the fallback realm isn't any different. */
+    /* If the fallback realm isn't any different, use the existing TGT. */
     if (data_eq_string(ctx->server->realm, hrealms[0])) {
         krb5_free_host_realm(context, hrealms);
-        return ctx->reply_code;
+        return begin_non_referral(context, ctx);
     }
 
     /* Rewrite server->realm to be the fallback realm. */
@@ -540,9 +538,9 @@
     krb5_error_code code;
     const krb5_data *referral_realm;
 
-    /* Possibly retry with the fallback realm on error. */
+    /* Possibly try a non-referral fallback request on error. */
     if (ctx->reply_code != 0)
-        return try_fallback_realm(context, ctx);
+        return try_fallback(context, ctx);
 
     if (krb5_principal_compare(context, ctx->reply_creds->server,
                                ctx->server)) {