#

# This patch changes the default behavior of MIT to that of Solaris, in which

# during initial authentication the KDC is verified by fetching a service

# ticket of the system.

#

# Note: MIT is unlikely to take this as a patch as they have a less strict

# position on validating a KDC during initial authentication.

# Patch source: in-house

#

diff -pur old/src/lib/krb5/krb/t_vfy_increds.c new/src/lib/krb5/krb/t_vfy_increds.c

--- old/src/lib/krb5/krb/t_vfy_increds.c	2015-05-28 14:42:17.094623052 -0600

+++ new/src/lib/krb5/krb/t_vfy_increds.c	2015-05-28 15:53:08.651207899 -0600

@@ -59,6 +59,9 @@ main(int argc, char **argv)

     if (*argv != NULL && strcmp(*argv, "-n") == 0) {

         argv++;

         krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, TRUE);

+    } else if (*argv != NULL && strcmp(*argv, "-f") == 0) {

+        argv++;

+        krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, FALSE);

     }

     if (*argv != NULL)

         check(krb5_parse_name(context, *argv, &princ));

diff -pur old/src/lib/krb5/krb/t_vfy_increds.py new/src/lib/krb5/krb/t_vfy_increds.py

@@ -53,29 +53,31 @@ realm.run(['./t_vfy_increds'])

 realm.run(['./t_vfy_increds', '-n'])

 # Remove the keytab and verify again.  This should succeed if nofail

-# is not set, and fail if it is set.

+# is set to false and fail otherwise.

 os.remove(realm.keytab)

-realm.run(['./t_vfy_increds'])

+realm.run(['./t_vfy_increds'], expected_code=1)

 realm.run(['./t_vfy_increds', '-n'], expected_code=1)

+realm.run(['./t_vfy_increds', '-f'])

 # Create an empty keytab file and verify again.  This simulates a

 # system where an admin ran "touch krb5.keytab" to work around a

 # Solaris Kerberos bug where krb5_kt_default() fails if the keytab

-# file doesn't exist.  Verification should succeed in nofail is not

-# set.  (An empty keytab file appears as corrupt to keytab calls,

+# file doesn't exist.  Verification should succeed if nofail is

+# set to false.  (An empty keytab file appears as corrupt to keytab calls,

 # causing a KRB5_KEYTAB_BADVNO error, so any tightening of the

 # krb5_verify_init_creds semantics needs to take this into account.)

 open(realm.keytab, 'w').close()

-realm.run(['./t_vfy_increds'])

+realm.run(['./t_vfy_increds'], expected_code=1)

 realm.run(['./t_vfy_increds', '-n'], expected_code=1)

+realm.run(['./t_vfy_increds', '-f'])

 os.remove(realm.keytab)

 # Add an NFS service principal to keytab.  Verify should ignore it by

-# default (succeeding unless nofail is set), but should verify with it

+# default (succeeding only when nofail is unset), but should verify with it

 # when it is specifically requested.

-realm.run(['./t_vfy_increds'])

+realm.run(['./t_vfy_increds'], expected_code=1)

 realm.run(['./t_vfy_increds', '-n'], expected_code=1)

 realm.run(['./t_vfy_increds', realm.nfs_princ])

 realm.run(['./t_vfy_increds', '-n', realm.nfs_princ])

@@ -84,7 +86,7 @@ realm.run(['./t_vfy_increds', '-n', real

 # results with the default principal argument, but verification should

 # now fail if we request it specifically.

-realm.run(['./t_vfy_increds'])

+realm.run(['./t_vfy_increds'], expected_code=1)

 realm.run(['./t_vfy_increds', '-n'], expected_code=1)

 realm.run(['./t_vfy_increds', realm.nfs_princ], expected_code=1)

 realm.run(['./t_vfy_increds', '-n', realm.nfs_princ], expected_code=1)

diff -pur old/src/lib/krb5/krb/vfy_increds.c new/src/lib/krb5/krb/vfy_increds.c

--- old/src/lib/krb5/krb/vfy_increds.c	2015-05-28 14:42:17.092454308 -0600

+++ new/src/lib/krb5/krb/vfy_increds.c	2015-05-28 15:45:14.121515053 -0600

@@ -33,8 +33,8 @@

 #include "k5-int.h"

 #include "int-proto.h"

-/* Return true if configuration demands that a keytab be present.  (By default

- * verification will be skipped if no keytab exists.) */

+/* Return true if configuration demands that a keytab be present.  (Verification

+ * will only be skipped IFF verify_ap_req_nofail has been set to false.) */

 static krb5_boolean

 nofail(krb5_context context, krb5_verify_init_creds_opt *options,

        krb5_creds *creds)

@@ -48,7 +48,7 @@ nofail(krb5_context context, krb5_verify

                                    KRB5_CONF_VERIFY_AP_REQ_NOFAIL,

                                    &val) == 0)

         return (val != 0);

-    return FALSE;

+    return TRUE;

 }

 static krb5_error_code