From: Tom Yu Date: Tue, 12 Jan 2010 03:21:35 +0000 (+0000) Subject: backport r22890 from trunk X-Git-Tag: krb5-1.7.1-beta1~14 X-Git-Url: http://git.tremily.us/gitweb.cgi?a=commitdiff_plain;h=d5e2d1224596ce578093e037f54149ddb922bf10;p=krb5.git backport r22890 from trunk ------------------------------------------------------------------------ r22890 | ghudson | 2009-10-13 15:43:17 -0400 (Tue, 13 Oct 2009) | 11 lines ticket: 6573 subject: Fix preauth looping in krb5_get_init_creds tags: pullup target_version: 1.7.1 In 1.7, krb5_get_init_creds will continue attempting the same built-in preauth mechanism (e.g. encrypted timestamp) until the loop counter maxes out. Until the preauth framework can remember not to retry built-in mechanisms, only continue with preauth after a PREAUTH_FAILED error resulting from optimistic preauth. ticket: 6573 version_fixed: 1.7.1 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23640 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 532ee2883..094814524 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -1331,8 +1331,7 @@ krb5_get_init_creds(krb5_context context, &out_padata, &retry); if (ret !=0) goto cleanup; - if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED ||err_reply->error == KDC_ERR_PREAUTH_FAILED) -&& retry) { + if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) { /* reset the list of preauth types to try */ if (preauth_to_use) { krb5_free_pa_data(context, preauth_to_use);
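Review bot: the rewritten condition in krb5_get_init_creds, `if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) {`, drops KDC_ERR_PREAUTH_FAILED entirely, but the commit message says preauth should still continue after a PREAUTH_FAILED error resulting from optimistic preauth. Nothing in the visible lines distinguishes the optimistic case, so with this condition a PREAUTH_FAILED reply never reaches the "reset the list of preauth types to try" branch shown here. If that is the intended behaviour on the 1.7 branch, add a comment above the condition saying why PREAUTH_FAILED is excluded (the repeated retry of built-in mechanisms such as encrypted timestamp until the loop counter maxes out) and align the commit message with it. If the optimistic-preauth retry is meant to be kept, the condition needs an explicit check for that case, which this hunk does not show.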