------------------------------------------------------------------------
r22292 | hartmans | 2009-04-29 20:38:48 -0400 (Wed, 29 Apr 2009) | 10 lines
Changed paths:
M /trunk/src/kdc/kdc_preauth.c
ticket: 6480
Subject: Do not return PREAUTH_FAILED on unknown preauth
Target_Version: 1.7
Tags: pullup
If the KDC receives unknown pre-authentication data then ignore it.
Do not get into a case where PREAUTH_FAILED is returned because of
unknown pre-authentication. The main AS loop will cause
PREAUTH_REQUIRED to be returned if the preauth_required flag is set
and no valid preauth is found.
ticket: 6480
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22334 dc483132-0cff-0310-8789-dd5450dbe970
if (pa_ok)
return 0;
- /* pa system was not found, but principal doesn't require preauth */
- if (!pa_found &&
- !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
- !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
+ /* pa system was not found; we may return PREAUTH_REQUIRED later,
+ but we did not actually fail to verify the pre-auth. */
+ if (!pa_found)
return 0;
- if (!pa_found) {
- emsg = krb5_get_error_message(context, retval);
- krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg);
- krb5_free_error_message(context, emsg);
- }
/* The following switch statement allows us
* to return some preauth system errors back to the client.