Hi Viktor,

On Wed, 2017-07-12 at 05:14 +0000, Viktor Dukhovni wrote:
> On Tue, Jul 11, 2017 at 10:19:48PM -0400, Greg Hudson wrote:
> I think the bug was introduced by commit
> > 4b4036c9a6697f0101c60845e19664f64fdd0810 and is that the value of ret is
> > squashed by the call to _krb5_find_capath() in tgs_build_reply().  In
> > this scenario, I believe the call succeeds, but doesn't find any
> > capaths, so we don't goto server_lookup, instead dropping down and going
> > to out with ret still 0.  _kdc_tgs_rep() doesn't create an error reply
> > if ret is 0, so the KDC sends no reply.
> That looks plausible, does the below look like the right fix to you?

Yes! Already had a similar patch ready and this indeed cures the KDC's
response behaviour to the client!

| Andreas Haupt            | E-Mail: andreas.ha...@desy.de
|  DESY Zeuthen            | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6         | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen         | Fax:    +49/33762/7-7216

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to