This avoids hiding a real error like KRB5KRB_AP_ERR_ILL_CR_TKT.
We only want to retry with the next key if the decryption
failed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
&o->ap_req_options,
&o->ticket,
KRB5_KU_AP_REQ_AUTH);
- if (ret) {
+ if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+ /* failed to decrypt, try the next key */
krb5_kt_free_entry (context, &entry);
continue;
}
+ if (ret) {
+ krb5_kt_free_entry (context, &entry);
+ break;
+ }
/*
* Found a match, save the keyblock for PAC processing,
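Review bot: the new `if (ret)` branch ending in `break` leaves the keytab loop with `ret` still set, so the real error is only surfaced if the code after the loop returns that `ret` unchanged. That code is not visible in this hunk; please confirm it does not overwrite `ret` with a generic "no matching key" error, and that leaving the loop early still ends the keytab iteration cleanly. Also note that only KRB5KRB_AP_ERR_BAD_INTEGRITY now means "try the next key", so any other code the decrypt step can return for a non-matching keytab entry would stop the search at the first such entry; a short comment stating why no other code needs the retry path would help. Minor: both branches repeat `krb5_kt_free_entry (context, &entry);`, which could be called once before testing `ret`.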