Make it possible to renew aliased service tickets

We always allow aliases in the service principal when processing AS-REQs and TGS-REQs. If the ticket we issued is presented back to us in a TGS-REQ as a header ticket for renewal or similar, we should allow aliases when looking up its key to decode the AP-REQ. ticket: 7699 (new)
krb5 · Aug 29, 2013 · 81ceb53 · 81ceb53
1 parent ba31a93
commit 81ceb53
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
@@ -389,9 +389,9 @@ kdc_rd_ap_req(kdc_realm_t *kdc_active_realm,
         match_enctype = 0;
     }
 
-    retval = kdc_get_server_key(kdc_context,
-                                apreq->ticket, 0, match_enctype, server, NULL,
-                                NULL);
+    retval = kdc_get_server_key(kdc_context, apreq->ticket,
+                                KRB5_KDB_FLAG_ALIAS_OK, match_enctype, server,
+                                NULL, NULL);
     if (retval)
         return retval;
 

diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
@@ -286,6 +286,14 @@ def ldap_add(dn, objectclass, attrs=[]):
 if 'tgtalias@KRBTEST.COM\n' not in out:
     fail('After fetching tgtalias, klist is missing it')
 
+# Make sure aliases work in header tickets.
+realm.run_kadminl('modprinc -maxrenewlife "3 hours" user')
+realm.run_kadminl('modprinc -maxrenewlife "3 hours" krbtgt/KRBTEST.COM')
+realm.kinit(realm.user_princ, password('user'), ['-l', '1h', '-r', '2h'])
+realm.run([kvno, 'alias'])
+realm.kinit(realm.user_princ, flags=['-R', '-S', 'alias'])
+realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
+
 realm.stop()
 
 # Briefly test dump and load.