[krb5] Pull a fix for kinit going on an only-masters path

Nalin Dahyabhai nalin at fedoraproject.org
Thu May 30 19:12:06 UTC 2013


commit 202006a85fbd286ec51195dcce344562486314f8
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Thu May 30 12:32:10 2013 -0400

    Pull a fix for kinit going on an only-masters path
    
    - pull in proposed fix for attempts to get initial creds, which end up
      following referrals, incorrectly trying to always use master KDCs if
      they talked to a master at any point (should fix RT#7650)

 krb5-master-init_referral.patch |   47 +++++++++++++++++++++++++++++++++++++++
 krb5.spec                       |    5 ++++
 2 files changed, 52 insertions(+), 0 deletions(-)
---
diff --git a/krb5-master-init_referral.patch b/krb5-master-init_referral.patch
new file mode 100644
index 0000000..32660b2
--- /dev/null
+++ b/krb5-master-init_referral.patch
@@ -0,0 +1,47 @@
+commit 7265334161620af3797c4431eeb5c7a2a9aeba89
+Author: Greg Hudson <ghudson at mit.edu>
+Date:   Thu May 30 11:39:54 2013 -0400
+
+    Properly handle use_master in k5_init_creds_get
+    
+    If we make multiple requests in an initial creds exchange, the
+    krb5_sendto_kdc call in k5_init_creds_get may flip the use_master
+    value from 0 to 1 if it detects that the response was from a master
+    KDC.  Don't turn this into a requirement for future requests during
+    the same exchange, or we may have trouble following AS referrals.
+    Reported by Sumit Bose.
+    
+    ticket: 7650
+
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index 20bc689..ff455d3 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -521,7 +521,7 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
+     krb5_data reply;
+     krb5_data realm;
+     unsigned int flags = 0;
+-    int tcp_only = 0;
++    int tcp_only = 0, master = *use_master;
+ 
+     request.length = 0;
+     request.data = NULL;
+@@ -545,8 +545,9 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
+ 
+         krb5_free_data_contents(context, &reply);
+ 
++        master = *use_master;
+         code = krb5_sendto_kdc(context, &request, &realm,
+-                               &reply, use_master, tcp_only);
++                               &reply, &master, tcp_only);
+         if (code != 0)
+             break;
+ 
+@@ -558,6 +559,7 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
+     krb5_free_data_contents(context, &reply);
+     krb5_free_data_contents(context, &realm);
+ 
++    *use_master = master;
+     return code;
+ }
+ 
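Review bot: the final `*use_master = master;` changes the meaning of the out-parameter for callers, which now learn only whether the last request of the exchange reached a master KDC rather than whether any request did; that is exactly what the commit message asks for, but a one-line comment above the write-back saying so would spare the next reader from reconstructing it from the loop. The second initialisation `master = *use_master` at the declaration is not redundant with the per-request assignment inside the loop: it keeps the write-back correct on any path that leaves the function before that assignment runs, so keep both.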
diff --git a/krb5.spec b/krb5.spec
index 9405d2a..b059fa1 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -86,6 +86,7 @@ Patch126: krb5-1.11.2-skew2.patch
 Patch127: krb5-master-test_gss_no_udp.patch
 Patch128: krb5-master-test_no_pmap.patch 
 Patch129: krb5-1.11-run_user_0.patch
+Patch130: krb5-master-init_referral.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
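Review bot: `Patch130:` follows the `krb5-master-` naming of the other upstream backports on the preceding lines, but nothing on this line records where it came from; a trailing comment with the upstream commit id (7265334161620af3797c4431eeb5c7a2a9aeba89, already in the patch header) or `ticket: 7650` would make it obvious when the patch can be dropped on the next rebase to a release that already contains it.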
@@ -314,6 +315,7 @@ ln -s NOTICE LICENSE
 %patch127 -p1 -b .test_gss_no_udp
 %patch128 -p1 -b .test_no_pmap
 %patch129 -p1 -b .run_user_0
+%patch130 -p1 -b .init_referral
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -846,6 +848,9 @@ exit 0
   directory cache below it fails due to ENOENT and we find that it doesn't
   already exist, either, before attempting to create the directory cache
   (maybe helping, maybe just making things more confusing for #961235)
+- pull in proposed fix for attempts to get initial creds, which end up
+  following referrals, incorrectly trying to always use master KDCs if
+  they talked to a master at any point (should fix RT#7650)
 
 * Thu May 30 2013 Nalin Dahyabhai <nalin at redhat.com> 1.11.2-8
 - pull in patches from master to not test GSSRPC-over-UDP and to not
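Review bot: the three added changelog lines extend the existing top entry rather than starting a new dated `*` entry, and no `Release:` bump appears anywhere in the diff; that is only correct if that entry's release has not been built and pushed yet, so it is worth confirming before the build is submitted.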


More information about the scm-commits mailing list