authorGreg Hudson <ghudson@mit.edu>2009-11-04 16:31:41 +0000
committerGreg Hudson <ghudson@mit.edu>2009-11-04 16:31:41 +0000
commit53ba9ce10d82c79e3c1de4f3d122eeaafeba94cf (patch)
tree04b2137a1932b151e5b92604ac9a083369648c9e /src/lib/krb5
parentaa67c9a9038bd53ca8e1ec24ed376f4bb816993f (diff)
Restore the krb5 1.6 behavior of not retrying AS requests after
PREAUTH_FAILED errors. Among other things, this change causes krb5_get_init_creds_opt_set_pa to act (mostly) as a constraint rather than simply as an optimistic set of preauth types, which is the behavior apps had been seeing prior to 1.7. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23128 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5')
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c17
1 files changed, 1 insertions, 16 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 4fd8376..15da288 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1057,21 +1057,6 @@ build_in_tkt_name(krb5_context context,
return ret;
}
-/* Decide whether to continue trying AS-REQ preauthentication. */
-static krb5_boolean
-should_continue_preauth(krb5_ui_4 error, int loopcount)
-{
- /*
- * Continue on PREAUTH_FAILED only on the first iteration, which
- * would imply that we did optimistic preauth unsuccessfully. We
- * could continue on later iterations if the preauth framework
- * reliably remembered what mechanisms had been tried, but
- * currently it does not do so for built-in mechanisms.
- */
- return (error == KDC_ERR_PREAUTH_REQUIRED ||
- (error == KDC_ERR_PREAUTH_FAILED && loopcount == 0));
-}
-
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds(krb5_context context,
krb5_creds *creds,
@@ -1429,7 +1414,7 @@ krb5_get_init_creds(krb5_context context,
&out_padata, &retry);
if (ret !=0)
goto cleanup;
- if (should_continue_preauth(err_reply->error, loopcount) && retry) {
+ if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) {
/* reset the list of preauth types to try */
if (preauth_to_use) {
krb5_free_pa_data(context, preauth_to_use);
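Review bot: The inlined test `err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry` has no comment saying that KDC_ERR_PREAUTH_FAILED is deliberately left out. The rationale from the deleted helper's comment now survives only in the commit message. A later reader could re-add the retry without realising that it loosens the constraint set through krb5_get_init_creds_opt_set_pa, and presumably also brings back a second preauth attempt against the KDC after a failure. I would add above the condition: `/* Retry only on PREAUTH_REQUIRED. PREAUTH_FAILED ends the exchange (krb5 1.6 behavior), so preauth types set by the caller act as a constraint. */`. The body of krb5_get_init_creds starts and ends outside this hunk, so it is not visible whether `loopcount` still has another use after this change.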