[csw-devel] SF.net SVN: gar:[16198] csw/mgar/pkg/krb5-lib/trunk

wahwah at users.sourceforge.net wahwah at users.sourceforge.net
Wed Nov 16 10:09:54 CET 2011 

Revision: 16198
          http://gar.svn.sourceforge.net/gar/?rev=16198&view=rev
Author:   wahwah
Date:     2011-11-16 09:09:54 +0000 (Wed, 16 Nov 2011)
Log Message:
-----------
krb5-lib/trunk: A patch attempting to fix krb5_set_password_using_ccache() failure on Windows 2003 R2

Revision Links:
--------------
    http://gar.svn.sourceforge.net/gar/?rev=2&view=rev

Modified Paths:
--------------
    csw/mgar/pkg/krb5-lib/trunk/Makefile

Added Paths:
-----------
    csw/mgar/pkg/krb5-lib/trunk/files/krb5-1.9.2-krb5_set_password_using_ccache.patch

Modified: csw/mgar/pkg/krb5-lib/trunk/Makefile
===================================================================
--- csw/mgar/pkg/krb5-lib/trunk/Makefile	2011-11-15 16:49:36 UTC (rev 16197)
+++ csw/mgar/pkg/krb5-lib/trunk/Makefile	2011-11-16 09:09:54 UTC (rev 16198)
@@ -25,6 +25,7 @@
 # PATCHFILES += 0003-local-libraries-first-when-linking.patch
 PATCHFILES += 0004-libkdb_ldap-isblank-define.patch
 PATCHFILES += 0005-Add-strings.h-to-setenv.c-for-strlen-and-other-stuff.patch
+PATCHFILES += krb5-1.9.2-krb5_set_password_using_ccache.patch
 
 BUILD_DEP_PKGS = CSWtcl
 

Added: csw/mgar/pkg/krb5-lib/trunk/files/krb5-1.9.2-krb5_set_password_using_ccache.patch
===================================================================
--- csw/mgar/pkg/krb5-lib/trunk/files/krb5-1.9.2-krb5_set_password_using_ccache.patch	                        (rev 0)
+++ csw/mgar/pkg/krb5-lib/trunk/files/krb5-1.9.2-krb5_set_password_using_ccache.patch	2011-11-16 09:09:54 UTC (rev 16198)
@@ -0,0 +1,59 @@
+commit 908a2602acb0ea75690141d730ef0aee4f13b018
+Author: ghudson <ghudson at dc483132-0cff-0310-8789-dd5450dbe970>
+Date:   Mon Nov 14 18:02:52 2011 +0000
+
+    ticket: 7016
+    subject: Handle TGS referrals to the same realm
+    target_version: 1.9.3
+    tags: pullup
+    
+    krb5 1.6 through 1.8 contained a workaround for the Active Directory
+    behavior of returning a TGS referral to the same realm as the request.
+    1.9 responds to this behavior by caching the returned TGT, trying
+    again, and detecting a referral loop.  This is a partial regression of
+    ticket #4955.  Detect this case and fall back to a non-referreal
+    request.
+    
+    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25472 dc483132-0cff-0310-8789-dd5450dbe970
+
+diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
+index 2d34574..926c523 100644
+--- a/src/include/k5-trace.h
++++ b/src/include/k5-trace.h
+@@ -357,6 +357,9 @@
+     TRACE(c, (c, "TGS request result: {kerr}", code))
+ #define TRACE_TKT_CREDS_RETRY_TCP(c)                                    \
+     TRACE(c, (c, "Request or response is too big for UDP; retrying with TCP"))
++#define TRACE_TKT_CREDS_SAME_REALM_TGT(c, realm)                        \
++    TRACE(c, (c, "Received TGT referral back to same realm ({data}); trying " \
++              "again without referrals", realm))
+ #define TRACE_TKT_CREDS_SERVICE_REQ(c, princ, referral)                 \
+     TRACE(c, (c, "Requesting tickets for {princ}, referrals {str}", princ, \
+               (referral) ? "on" : "off"))
+diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
+index f229ba1..780e656 100644
+--- a/src/lib/krb5/krb/get_creds.c
++++ b/src/lib/krb5/krb/get_creds.c
+@@ -557,6 +557,14 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
+         return begin_non_referral(context, ctx);
+     }
+ 
++    /* Active Directory may return a TGT to the local realm.  Try a
++     * non-referral query if we see this. */
++    referral_realm = &ctx->reply_creds->server->data[1];
++    if (data_eq(*referral_realm, ctx->cur_tgt->server->data[1])) {
++        TRACE_TKT_CREDS_SAME_REALM_TGT(context, referral_realm);
++        return begin_non_referral(context, ctx);
++    }
++
+     if (ctx->referral_count == 1) {
+         /* Cache the referral TGT only if it's from the local realm.
+          * Make sure to note the associated authdata, if any. */
+@@ -577,7 +585,6 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
+         return KRB5_KDC_UNREACH;
+ 
+     /* Check for referral loops. */
+-    referral_realm = &ctx->reply_creds->server->data[1];
+     if (seen_realm_before(context, ctx, referral_realm))
+         return KRB5_KDC_UNREACH;
+     code = remember_realm(context, ctx, referral_realm);

This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.

More information about the devel mailing list