authorSam Hartman <hartmans@mit.edu>2009-01-02 20:35:22 +0000
committerSam Hartman <hartmans@mit.edu>2009-01-02 20:35:22 +0000
commit9a5cb7167318b07c0963f269797f807027e5b203 (patch)
treeab403383f0d9c58813be35f6490a9635ab152b2e
parent5a36782f900138f51965c01689966b575f2f5910 (diff)
Using the server name as a hint
is inappropriate. The server name is a security constraint. If set, it must constrain the principals that can be authenticated to; otherwise applications may get behavior that breaks security policy. It is a goal that applications need to change to take advantage of any server search.

Remove dead code

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21668 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c23
1 files changed, 2 insertions, 21 deletions
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index f774c48..6cd34df 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -110,9 +110,7 @@ krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req,
(void) krb5_free_keytab_entry_contents(context, &ktent);
}
- }
-
- if (retval == KRB5_KT_NOTFOUND && keytab->ops->start_seq_get != NULL) {
+ } else {
krb5_error_code code;
krb5_kt_cursor cursor;
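Review bot: The new `} else {` branch in krb5_rd_req_decrypt_tkt_part drops the `keytab->ops->start_seq_get != NULL` test that the removed condition carried. A keytab type without sequential access would now enter the iteration path whenever no server principal is supplied. The branch body continues outside the hunk, so I cannot see whether the iteration start is guarded there; if it calls through the ops table directly, this is presumably a NULL function-pointer call. Consider keeping the guard and failing closed, e.g. `} else if (keytab->ops->start_seq_get == NULL) {` / `retval = KRB5_KT_NOTFOUND;` / `} else {`. A short comment on the branch, such as `/* No server principal given: try each keytab entry. A non-NULL server is a constraint, never a hint. */`, would also record the security intent from the commit message where the next maintainer will see it.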
@@ -203,24 +201,7 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
princ_data.realm.data = realm;
princ_data.realm.length = strlen(realm);
}
- /*
- * The following code is commented out now that match based on
- * key rather than name.
- */
-#if 0
- if (server && !krb5_principal_compare(context, server, req->ticket->server)) {
- char *found_name = 0, *wanted_name = 0;
- if (krb5_unparse_name(context, server, &wanted_name) == 0
- && krb5_unparse_name(context, req->ticket->server, &found_name) == 0)
- krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC,
- "Wrong principal in request (found %s, wanted %s)",
- found_name, wanted_name);
- krb5_free_unparsed_name(context, wanted_name);
- krb5_free_unparsed_name(context, found_name);
- retval = KRB5KRB_AP_WRONG_PRINC;
- goto cleanup;
- }
-#endif
+
/* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
do we need special processing here ? */