>>>>> "Russ" == Russ Allbery <[email protected]> writes:

    Russ> Sam Hartman <[email protected]> writes:
    >> We do believe the patch is correct--or at least is a step
    >> forward.  It's definitely worth trying.

    Russ> I'm not sure if this is related, but last night when I
    Russ> upgraded to the pre2 Kerberos libraries from pre1 on my
    Russ> laptop, Negotiate-Auth / SPNEGO to Windows Active Directory
    Russ> servers via a cross-realm trust stopped working.  I got the
    Russ> correct cross-realm tickets but Firefox failed to
    Russ> authenticate and fell back on Basic-Auth.
I suspect this is unrelated and has to do with

commit 9f58f613af914e6a59c3850b05d79f6cb05edd13
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Mon May 11 20:55:19 2009 +0000

    ticket: 6473
    version_fixed: 1.7
    
    pull up r22272 from trunk
    
     ------------------------------------------------------------------------
     r22272 | ghudson | 2009-04-23 04:42:40 -0400 (Thu, 23 Apr 2009) | 7 lines
     Changed paths:
        M /trunk/src/lib/krb5/krb/gc_via_tkt.c
    
     ticket: 6473
     tags: pullup
    
     In krb5_get_cred_via_tkt, strip the ok-as-delegate flag from
     credentials obtained using a foreign TGT, unless the TGT also has
     ok-as-delegate set.
    
    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@22327 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index 059da82..e8dbd97 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -144,6 +144,16 @@ check_reply_server(krb5_context context, krb5_flags 
kdcoptions,
     return 0;
 }
 
+/* Return true if a TGS credential is for the client's local realm. */
+static inline int
+tgt_is_local_realm(krb5_creds *tgt)
+{
+    return (tgt->server->length == 2
+           && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME)
+           && data_eq(tgt->server->data[1], tgt->client->realm)
+           && data_eq(tgt->server->realm, tgt->client->realm));
+}
+
 krb5_error_code
 krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
                       krb5_flags kdcoptions, krb5_address *const *address,
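Review bot: The comment on the new helper ("Return true if a TGS credential is for the client's local realm") understates what it actually tests: `tgt_is_local_realm` returns true only for a credential whose server principal is exactly `krbtgt/<client realm>@<client realm>` (two components, first one KRB5_TGS_NAME, second one and the server realm both equal to `tgt->client->realm`), so any credential with a different component count, a non-krbtgt first component or a mismatched realm is classified as foreign. That is the fail-safe direction for the caller, since a misclassified credential only loses ok-as-delegate, but the comment should say "local-realm TGT" rather than "TGS credential" and state that anything unrecognised is treated as foreign. The helper also dereferences `tgt->server` and `tgt->client` without a check, which is fine only if every caller passes a fully populated krb5_creds; worth saying so in the comment.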
@@ -289,6 +299,14 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds 
*tkt,
        goto error_3;
     }
    
+    /*
+     * Don't trust the ok-as-delegate flag from foreign KDCs unless the
+     * cross-realm TGT also had the ok-as-delegate flag set.
+     */
+    if (!tgt_is_local_realm(tkt)
+       && !(tkt->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
+       dec_rep->enc_part2->flags &= ~TKT_FLG_OK_AS_DELEGATE;
+
     /* make sure the response hasn't been tampered with..... */
     retval = 0;
 
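Review bot: The threat the new check addresses belongs in the comment, not just the policy. ok-as-delegate is advisory information the client consults when deciding whether to forward its own credentials to a service, so honouring it on a ticket issued by a foreign KDC lets that KDC unilaterally mark its services as delegation targets; masking the flag unless the cross-realm TGT itself carries ok-as-delegate makes the local KDC the party that opts in. Suggest expanding "Don't trust the ok-as-delegate flag from foreign KDCs ..." to say that. Two smaller points: the bit is cleared from `dec_rep->enc_part2->flags` before the "make sure the response hasn't been tampered with" step that follows, which is harmless because the operation only ever clears a bit, but a one-line comment would make the placement look deliberate; and please confirm that the flags later copied into the returned credential (and from there into the ccache) are taken from `enc_part2->flags` rather than from a separate copy, otherwise the mask has no effect on what callers see.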


