diff options
author | Isaac Boukris <iboukris@gmail.com> | 2020-02-01 16:13:30 +0100 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2020-02-10 14:32:30 -0500 |
commit | 813ef2b92dbabff0e998436eaf6e75bdc92a245a (patch) | |
tree | 9625cd6c4970a0d6dded748feeb7ababb7539bba | |
parent | 45ec4ac9a159b6be3042356ba4570e4c501b5726 (diff) | |
download | krb5-813ef2b92dbabff0e998436eaf6e75bdc92a245a.zip krb5-813ef2b92dbabff0e998436eaf6e75bdc92a245a.tar.gz krb5-813ef2b92dbabff0e998436eaf6e75bdc92a245a.tar.bz2 |
Put KDB authdata first
Windows services, as well as some versions of Samba, may refuse
tickets if the PAC is not in the first AD-IF-RELEVANT container. In
fetch_kdb_authdata(), change the merge order so that authdata from the
KDB module appears first.
[ghudson@mit.edu: added comment and clarified commit message]
(cherry picked from commit 331fa4bdd34263ea20667a0f51338cb84357fdaa)
ticket: 8872
version_fixed: 1.17.2
-rw-r--r-- | src/kdc/kdc_authdata.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index 1b067cb..616c3ea 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -383,11 +383,14 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags, if (ret) return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret; - /* Add the KDB authdata to the ticket, without copying or filtering. */ - ret = merge_authdata(context, db_authdata, - &enc_tkt_reply->authorization_data, FALSE, FALSE); + /* Put the KDB authdata first in the ticket. A successful merge places the + * combined list in db_authdata and releases the old ticket authdata. */ + ret = merge_authdata(context, enc_tkt_reply->authorization_data, + &db_authdata, FALSE, FALSE); if (ret) krb5_free_authdata(context, db_authdata); + else + enc_tkt_reply->authorization_data = db_authdata; return ret; } |