Looks fine to me.
Xuelei
On 7/9/2019 6:03 AM, Weijun Wang wrote:
Please take a look at
http://cr.openjdk.java.net/~weijun/8227381/webrev.00/
When the client is talking to an old KDC that does not support referrals and
only knows DES, it fails like this:
c: PA_REQ_ENC_PA_REP
s: KDC_ERR_PREAUTH_FAILED
c: PA_REQ_ENC_PA_REP + PA_ENC_TIMESTAMP
s: KDC_ERR_PREAUTH_FAILED
c: <fallback to no referrals> PA_ENC_TIMESTAMP using aes256-cts
s: KDC_ERR_PREAUTH_FAILED
c: <fail because too many KDC_ERR_PREAUTH_FAILED>
With this fix, whenever there is a referrals state change (fallback to no
referrals, change realm), the preauth state (pakey and preAuthFailedOnce) is
reset, so it will be
c: PA_REQ_ENC_PA_REP
s: KDC_ERR_PREAUTH_FAILED
c: PA_REQ_ENC_PA_REP + PA_ENC_TIMESTAMP
s: KDC_ERR_PREAUTH_FAILED
c: <fallback to no referrals with no PAData>
s: KDC_ERR_PREAUTH_REQUIRED suggesting des-cbc-md5
c: PA_ENC_TIMESTAMP using des-cbc-md5
s: AS-REP
c: <Hooray!>
Thanks,
Max
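
Added example, not part of the original e-mail and not code from the JDK change: a small Python model of the two traces above, run with and without resetting the preauth state (pakey and preAuthFailedOnce) on the fallback to no referrals. The KDC behaviour, the client's retry rules, the aes256-cts default and all function names are assumptions inferred from the traces.

```python
# Simplified model of the AS exchanges traced above (constructed; not JDK code).
DEFAULT_ETYPE = "aes256-cts"  # assumption: key type the client tries first

def old_kdc(padata):
    """Constructed KDC: does not support referrals, only knows des-cbc-md5."""
    if "PA_REQ_ENC_PA_REP" in padata:
        return "KDC_ERR_PREAUTH_FAILED", None
    etype = padata.get("PA_ENC_TIMESTAMP")
    if etype is None:
        return "KDC_ERR_PREAUTH_REQUIRED", "des-cbc-md5"
    if etype == "des-cbc-md5":
        return "AS-REP", None
    return "KDC_ERR_PREAUTH_FAILED", None

def as_exchange(kdc, reset_on_referrals_change, max_rounds=8):
    """Return (success, trace); trace rows are (padata types, pakey, reply)."""
    referrals, pakey, failed_once = True, None, False
    trace = []
    for _ in range(max_rounds):
        padata = {}
        if referrals:
            padata["PA_REQ_ENC_PA_REP"] = True
        if pakey is not None:
            padata["PA_ENC_TIMESTAMP"] = pakey
        reply, suggested = kdc(padata)
        trace.append((sorted(padata), pakey, reply))
        if reply == "AS-REP":
            return True, trace
        if reply == "KDC_ERR_PREAUTH_REQUIRED":
            pakey = suggested              # use the etype the KDC asked for
        elif not failed_once:              # first KDC_ERR_PREAUTH_FAILED
            failed_once = True
            pakey = pakey or DEFAULT_ETYPE
        elif referrals:                    # second failure: fall back to no referrals
            referrals = False
            if reset_on_referrals_change:  # the behaviour the fix describes
                pakey, failed_once = None, False
        else:
            return False, trace            # too many KDC_ERR_PREAUTH_FAILED
    return False, trace

if __name__ == "__main__":
    for reset in (False, True):
        ok, trace = as_exchange(old_kdc, reset)
        print("reset preauth state:", reset, "-> success:", ok)
        for padata, pakey, reply in trace:
            print("  c:", padata or "<no PAData>", pakey, " s:", reply)
```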