r25080: Once we decrypted the packet but have timing problems (clock skew, tkt not yet or
authorGünther Deschner <gd@samba.org>
Tue, 11 Sep 2007 14:56:43 +0000 (14:56 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:30:38 +0000 (12:30 -0500)
no longer valid) there is no point to bother the keytab routines.

Guenther
(This used to be commit 7e4dcf8e7ecfd35668e86e22bed5a9280ae83959)

source3/libads/kerberos_verify.c

index 99288b78e5c6768d5850c67b35d221a4295ac59d..0edb5327d339342aef1a5a4e0200fbba543cc3ad 100644 (file)
@@ -427,9 +427,16 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
        /* Try secrets.tdb first and fallback to the krb5.keytab if
           necessary */
 
-        auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+       auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
                                            ticket, &tkt, &keyblock, &ret);
 
+       if (!auth_ok &&
+           (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+            ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
+            ret == KRB5KRB_AP_ERR_SKEW)) {
+               goto auth_failed;
+       }
+
        if (!auth_ok && lp_use_kerberos_keytab()) {
                auth_ok = ads_keytab_verify_ticket(context, auth_context, 
                                                   ticket, &tkt, &keyblock, &ret);
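Review bot: The new early exit `if (!auth_ok && (ret == KRB5KRB_AP_ERR_TKT_NYV || ...)) goto auth_failed;` relies on `ret` having been written by `ads_secrets_verify_ticket()` on every failing path, and neither that helper nor the declaration of `ret` is visible in this hunk. If the helper can return false before any Kerberos call stores an error code (for instance, if it fails before attempting decryption), the comparison runs against a stale value and could wrongly skip the keytab fallback; setting `ret = 0;` immediately before the call would make the test safe regardless. The block also deserves a comment recording the reasoning, e.g. `/* Ticket decrypted but failed a time check (not yet valid, expired, clock skew); no other key can change that, so skip the keytab. */`. The body of ads_verify_ticket starts and ends outside the hunk.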
@@ -446,6 +453,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 #endif
        }       
 
+ auth_failed:
        if (!auth_ok) {
                DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", 
                         error_message(ret)));