- apply upstream patch by way of Burt Holzman to fall back to a non-referral
method in cases where we might be derailed by a KDC that rejects the canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#713518)
This commit is contained in:
parent
e1fdb93038
commit
092982212a
59
krb5-1.9-canonicalize-fallback.patch
Normal file
59
krb5-1.9-canonicalize-fallback.patch
Normal file
@ -0,0 +1,59 @@
From RT#6917.
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -466,13 +466,10 @@ begin_non_referral(krb5_context context, krb5_tkt_creds_context ctx)
/***** STATE_REFERRALS *****/
-/*
- * Possibly retry a request in the fallback realm after a referral request
- * failure in the local realm. Expects ctx->reply_code to be set to the error
- * from a referral request.
- */
+/* Possibly try a non-referral request after a referral request failure.
+ * Expects ctx->reply_code to be set to the error from a referral request. */
static krb5_error_code
-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
+try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
{
krb5_error_code code;
char **hrealms;
@@ -481,9 +478,10 @@ try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
if (ctx->referral_count > 1)
return ctx->reply_code;
- /* Only fall back if the original request used the referral realm. */
+ /* If the request used a specified realm, make a non-referral request to
+ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
if (!krb5_is_referral_realm(&ctx->req_server->realm))
- return ctx->reply_code;
+ return begin_non_referral(context, ctx);
if (ctx->server->length < 2) {
/* We need a type/host format principal to find a fallback realm. */
@@ -496,10 +494,10 @@ try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
if (code != 0)
return code;
- /* Give up if the fallback realm isn't any different. */
+ /* If the fallback realm isn't any different, use the existing TGT. */
if (data_eq_string(ctx->server->realm, hrealms[0])) {
krb5_free_host_realm(context, hrealms);
- return ctx->reply_code;
+ return begin_non_referral(context, ctx);
}
/* Rewrite server->realm to be the fallback realm. */
@@ -536,9 +534,9 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
krb5_error_code code;
const krb5_data *referral_realm;
- /* Possibly retry with the fallback realm on error. */
+ /* Possibly try a non-referral fallback request on error. */
if (ctx->reply_code != 0)
- return try_fallback_realm(context, ctx);
+ return try_fallback(context, ctx);
if (krb5_principal_compare(context, ctx->reply_creds->server,
ctx->server)) {
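Review bot: The fallback at `return begin_non_referral(context, ctx);` is taken for any non-zero ctx->reply_code that reaches try_fallback from step_referrals, not only when the KDC rejected KDC_OPT_CANONICALIZE as the new comment in that hunk implies, so a referral failure for an unrelated reason now costs a second KDC round trip and the error the caller ultimately sees is the non-referral attempt's rather than the original. If that is intended, the comment should say so rather than naming only the canonicalize case: `/* Any referral-request error lands here; reply_code from the referral attempt is discarded in favour of the non-referral request's outcome. */`. The same discarding applies at the second fallback site in the same function, where the fallback realm equals the server realm. try_fallback's body and the caller step_referrals both extend outside the hunks shown, and begin_non_referral is defined outside them.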
@ -6,7 +6,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.9.1
Release: 3%{?dist}
Release: 4%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
Source0: krb5-%{version}.tar.gz
@ -54,6 +54,7 @@ Patch77: krb5-1.9-paren.patch
Patch78: krb5-trunk-chpw-err.patch
Patch79: krb5-klist_s.patch
Patch80: krb5-trunk-kadmin-oldproto.patch
Patch81: krb5-1.9-canonicalize-fallback.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -199,6 +200,7 @@ ln -s NOTICE LICENSE
%patch78 -p0 -b .chpw-err
%patch79 -p1 -b .klist_s
%patch80 -p0 -b .kadmin-oldproto
%patch81 -p1 -b .canonicalize-fallback
gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@ -658,6 +660,11 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Mon Jun 20 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-4
- apply upstream patch by way of Burt Holzman to fall back to a non-referral
method in cases where we might be derailed by a KDC that rejects the
canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#713518)
* Tue Jun 14 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-3
- pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating
using the old protocol over IPv4 again (RT#6920)