Handle TGS referrals to the same realm

krb5 1.6 through 1.8 contained a workaround for the Active Directory
behavior of returning a TGS referral to the same realm as the request.
1.9 responds to this behavior by caching the returned TGT, trying
again, and detecting a referral loop.  This is a partial regression of
ticket #4955.  Detect this case and fall back to a non-referreal
request.

ticket: 7016
target_version: 1.9.3
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25472 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 3 insertions, 0 deletions

diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
index 2d34574..926c523 100644
--- a/src/include/k5-trace.h
+++ b/src/include/k5-trace.h
@@ -357,6 +357,9 @@
     TRACE(c, (c, "TGS request result: {kerr}", code))
 #define TRACE_TKT_CREDS_RETRY_TCP(c)                                    \
     TRACE(c, (c, "Request or response is too big for UDP; retrying with TCP"))
+#define TRACE_TKT_CREDS_SAME_REALM_TGT(c, realm)                        \
+    TRACE(c, (c, "Received TGT referral back to same realm ({data}); trying " \
+              "again without referrals", realm))
 #define TRACE_TKT_CREDS_SERVICE_REQ(c, princ, referral)                 \
     TRACE(c, (c, "Requesting tickets for {princ}, referrals {str}", princ, \
               (referral) ? "on" : "off"))