diff options
| author | Isaac Boukris <iboukris@gmail.com> | 2020-02-01 16:13:30 +0100 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2020-02-10 14:51:39 -0500 |
| commit | ca0e1e9c663db20823130df5ee9d7b2d3a879fbe (patch) | |
| tree | d278c519be8701034673004799dc91b6f45adfb9 | |
| parent | cab8316e663ff42235cadf60777e5b49835008b4 (diff) | |
| download | krb5-ca0e1e9c663db20823130df5ee9d7b2d3a879fbe.zip krb5-ca0e1e9c663db20823130df5ee9d7b2d3a879fbe.tar.gz krb5-ca0e1e9c663db20823130df5ee9d7b2d3a879fbe.tar.bz2 | |
Put KDB authdata first
Windows services, as well as some versions of Samba, may refuse
tickets if the PAC is not in the first AD-IF-RELEVANT container. In
fetch_kdb_authdata(), change the merge order so that authdata from the
KDB module appears first.
[ghudson@mit.edu: added comment and clarified commit message]
(cherry picked from commit 331fa4bdd34263ea20667a0f51338cb84357fdaa)
ticket: 8872
version_fixed: 1.18
| -rw-r--r-- | src/kdc/kdc_authdata.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index a18e4b4..1ebe872 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -372,11 +372,14 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags, if (ret) return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret; - /* Add the KDB authdata to the ticket, without copying or filtering. */ - ret = merge_authdata(context, db_authdata, - &enc_tkt_reply->authorization_data, FALSE, FALSE); + /* Put the KDB authdata first in the ticket. A successful merge places the + * combined list in db_authdata and releases the old ticket authdata. */ + ret = merge_authdata(context, enc_tkt_reply->authorization_data, + &db_authdata, FALSE, FALSE); if (ret) krb5_free_authdata(context, db_authdata); + else + enc_tkt_reply->authorization_data = db_authdata; return ret; } |