From Luke: fix the post-canonicalization cache check logic in
authorGreg Hudson <ghudson@mit.edu>
Thu, 22 Apr 2010 23:29:40 +0000 (23:29 +0000)
committerGreg Hudson <ghudson@mit.edu>
Thu, 22 Apr 2010 23:29:40 +0000 (23:29 +0000)
krb5_get_credentials_for_user().

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23927 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/s4u_creds.c

index 02485e851e65734df58c7cf3120d0e2e83f9582b..da6dd0c99045fd114cd942d5b85816f58e61d6ea 100644 (file)
@@ -685,11 +685,17 @@ krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
     if (code != 0)
         goto cleanup;
 
-    code = krb5_get_credentials(context, options | KRB5_GC_CACHED,
-                                ccache, in_creds, out_creds);
-    if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE)
-        || options & KRB5_GC_CACHED)
-        goto cleanup;
+    if (in_creds->client != NULL &&
+        in_creds->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+       /* Post-canonicalisation check for enterprise principals */
+       krb5_creds mcreds = *in_creds;
+       mcreds.client = realm;
+       code = krb5_get_credentials(context, options | KRB5_GC_CACHED,
+                                   ccache, &mcreds, out_creds);
+       if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE)
+           || (options & KRB5_GC_CACHED))
+           goto cleanup;
+    }
 
     code = krb5_get_self_cred_from_kdc(context, options, ccache,
                                        in_creds, subject_cert,
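Review bot: The `(options & KRB5_GC_CACHED)` exit is now reachable only inside the enterprise-principal branch, so a cached-only request with any other client type, or a NULL client, falls through to `krb5_get_self_cred_from_kdc()`. That is fine only if an earlier check already returns for cached-only callers, which cannot be confirmed here because the function starts and ends outside this hunk. If there is no such check, a guard after the block such as `if (options & KRB5_GC_CACHED) { code = KRB5_CC_NOTFOUND; goto cleanup; }` would stop a cached-only request from reaching the KDC call. The block comment could also say that `mcreds` is a shallow copy that borrows the pointers of `in_creds` and `realm` and so must never be freed, and that `realm` appears to hold the canonicalised client principal despite its name. The block body is indented seven spaces where the surrounding lines use multiples of four.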