Pull a fix for kinit going on an only-masters path

- pull in proposed fix for attempts to get initial creds, which end up
  following referrals, incorrectly trying to always use master KDCs if
  they talked to a master at any point (should fix RT#7650)
Nalin Dahyabhai 2013-05-30 12:32:10 -04:00
parent dc293b3d84
commit 202006a85f
2 changed files with 52 additions and 0 deletions


@ -0,0 +1,47 @@
commit 7265334161620af3797c4431eeb5c7a2a9aeba89
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu May 30 11:39:54 2013 -0400
Properly handle use_master in k5_init_creds_get
If we make multiple requests in an initial creds exchange, the
krb5_sendto_kdc call in k5_init_creds_get may flip the use_master
value from 0 to 1 if it detects that the response was from a master
KDC. Don't turn this into a requirement for future requests during
the same exchange, or we may have trouble following AS referrals.
Reported by Sumit Bose.
ticket: 7650
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 20bc689..ff455d3 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -521,7 +521,7 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
krb5_data reply;
krb5_data realm;
unsigned int flags = 0;
- int tcp_only = 0;
+ int tcp_only = 0, master = *use_master;
request.length = 0;
request.data = NULL;
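Review bot: the initializer on the new declaration line, `int tcp_only = 0, master = *use_master;`, is effectively dead, because the loop in the next hunk reassigns `master = *use_master;` before every `krb5_sendto_kdc` call; it is harmless and guards against a maybe-uninitialized warning if the loop body is ever skipped, but putting the two variables on separate lines (`int tcp_only = 0;` and `int master = *use_master;`) would make it clearer that `master` is a per-call scratch copy rather than a second flag. The dereference also assumes `use_master` is non-NULL, which the pre-patch code already relied on by passing the pointer straight through to `krb5_sendto_kdc`.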
@@ -545,8 +545,9 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
krb5_free_data_contents(context, &reply);
+ master = *use_master;
code = krb5_sendto_kdc(context, &request, &realm,
- &reply, use_master, tcp_only);
+ &reply, &master, tcp_only);
if (code != 0)
break;
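Review bot: re-seeding `master = *use_master;` immediately before each `krb5_sendto_kdc` call is the actual fix: the local copy is what `krb5_sendto_kdc` may flip from 0 to 1 when it sees a master's reply, and because it is reset from the caller's original value on every iteration, a master-only answer on one request no longer forces the following request (for example the one that follows an AS referral) onto a master KDC. The flip remains observable but is no longer sticky; a one-line comment above the assignment (for example `/* per-request copy; sendto_kdc may set it for this reply only */`) would spare the next reader a trip to ticket 7650 to understand why the local is rewritten inside the loop.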
@@ -558,6 +559,7 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
krb5_free_data_contents(context, &reply);
krb5_free_data_contents(context, &realm);
+ *use_master = master;
return code;
}
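Review bot: `*use_master = master;` after the loop executes on both the normal exit and the `break` on `code != 0`, so the caller learns whether the last `krb5_sendto_kdc` call, successful or not, was answered by a master; a master contacted on an earlier iteration is not reported. That matches the commit message (advisory output rather than a sticky requirement), but the out-parameter's meaning changes from "a master was reached at some point in this exchange" to "the final reply came from a master", and that is worth stating in the function comment for callers that act on the value.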


@ -86,6 +86,7 @@ Patch126: krb5-1.11.2-skew2.patch
Patch127: krb5-master-test_gss_no_udp.patch Patch127: krb5-master-test_gss_no_udp.patch
Patch128: krb5-master-test_no_pmap.patch Patch128: krb5-master-test_no_pmap.patch
Patch129: krb5-1.11-run_user_0.patch Patch129: krb5-1.11-run_user_0.patch
Patch130: krb5-master-init_referral.patch
# Patches for otp plugin backport # Patches for otp plugin backport
Patch201: krb5-1.11.2-keycheck.patch Patch201: krb5-1.11.2-keycheck.patch
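Review bot: `Patch130: krb5-master-init_referral.patch` keeps the numbering contiguous with Patch129 and sits ahead of the `# Patches for otp plugin backport` block, which is the right slot for an upstream-master backport; the rendered diff above shows the contents of the new patch file but not its path, so confirm the file added in this commit is named exactly `krb5-master-init_referral.patch`, since a mismatch only surfaces at %prep time.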
@ -314,6 +315,7 @@ ln -s NOTICE LICENSE
%patch127 -p1 -b .test_gss_no_udp %patch127 -p1 -b .test_gss_no_udp
%patch128 -p1 -b .test_no_pmap %patch128 -p1 -b .test_no_pmap
%patch129 -p1 -b .run_user_0 %patch129 -p1 -b .run_user_0
%patch130 -p1 -b .init_referral
%patch201 -p1 -b .keycheck %patch201 -p1 -b .keycheck
%patch202 -p1 -b .otp %patch202 -p1 -b .otp
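Review bot: `%patch130 -p1 -b .init_referral` uses `-p1`, which matches the `a/src/lib/krb5/krb/get_in_tkt.c` paths in the embedded patch, and the `.init_referral` backup suffix is distinct from its neighbours; applying it right after `%patch129` and before `%patch201` keeps application order aligned with the Patch numbering, as the surrounding lines do.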
@ -846,6 +848,9 @@ exit 0
directory cache below it fails due to ENOENT and we find that it doesn't directory cache below it fails due to ENOENT and we find that it doesn't
already exist, either, before attempting to create the directory cache already exist, either, before attempting to create the directory cache
(maybe helping, maybe just making things more confusing for #961235) (maybe helping, maybe just making things more confusing for #961235)
- pull in proposed fix for attempts to get initial creds, which end up
following referrals, incorrectly trying to always use master KDCs if
they talked to a master at any point (should fix RT#7650)
* Thu May 30 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-8 * Thu May 30 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-8
- pull in patches from master to not test GSSRPC-over-UDP and to not - pull in patches from master to not test GSSRPC-over-UDP and to not
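Review bot: the three new bullet lines are appended to the end of the topmost changelog entry, whose `* ...` header sits above this hunk and is not visible, and nothing in this commit bumps Release (the stated 52 additions are the 47-line patch file plus these five spec lines). If the release that entry describes has already been built, this bullet belongs under a new entry with a bumped Release rather than inside an existing one; if it has not, the placement is fine. The bullet's `RT#7650` also corresponds to the `ticket: 7650` line in the embedded patch, so the two references are consistent.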