Don't reject AP-REQs based on PACs
authorGreg Hudson <ghudson@mit.edu>
Wed, 16 Feb 2011 23:34:37 +0000 (23:34 +0000)
committerGreg Hudson <ghudson@mit.edu>
Wed, 16 Feb 2011 23:34:37 +0000 (23:34 +0000)
commit76ebe5d07c1002b674eb1c4e3ab35f6001eec91c
treed35c0e3155a3f71a9b9d814663754974b4108933
parent6d931b7ce12ea2082b0f2fdb53c6b43fed93cfb2
Don't reject AP-REQs based on PACs

Experience has shown that it was a mistake to fail AP-REQ verification
based on failure to verify the signature of PAC authdata contained in
the ticket.  We've had two rounds of interoperability issues with the
hmac-md5 checksum code, an interoperability issue OSX generating
unsigned PACs, and another problem where PACs are copied by older KDCs
from a cross-realm TGT into the service ticket.  If a PAC signature
cannot be verified, just don't mark it as verified and continue on
with the AP exchange.

ticket: 6870
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24640 dc483132-0cff-0310-8789-dd5450dbe970
src/include/k5-trace.h
src/lib/krb5/krb/pac.c