backport r22890 from trunk

 ------------------------------------------------------------------------
 r22890 | ghudson | 2009-10-13 15:43:17 -0400 (Tue, 13 Oct 2009) | 11 lines

 ticket: 6573
 subject: Fix preauth looping in krb5_get_init_creds
 tags: pullup
 target_version: 1.7.1

 In 1.7, krb5_get_init_creds will continue attempting the same built-in
 preauth mechanism (e.g. encrypted timestamp) until the loop counter
 maxes out.  Until the preauth framework can remember not to retry
 built-in mechanisms, only continue with preauth after a PREAUTH_FAILED
 error resulting from optimistic preauth.

ticket: 6573
version_fixed: 1.7.1
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23640 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 532ee2883448c25e7b92a62903a1cb7e3da9ff47..094814524677c2381db858b8767a685d790e6fb9 100644 (file)
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1331,8 +1331,7 @@ krb5_get_init_creds(krb5_context context,
                                           &out_padata, &retry);
          if (ret !=0)
            goto cleanup;
-         if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED ||err_reply->error == KDC_ERR_PREAUTH_FAILED)
-&& retry) {
+         if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) {
                /* reset the list of preauth types to try */
                if (preauth_to_use) {
                    krb5_free_pa_data(context, preauth_to_use);