s4:auth/kerberos: don't mix s4u2self creds with machine account creds
author Stefan Metzmacher <metze@samba.org>
Mon, 20 Jun 2011 13:27:58 +0000 (15:27 +0200)
committer Stefan Metzmacher <metze@samba.org>
Wed, 22 Jun 2011 06:00:24 +0000 (08:00 +0200)
commit 9c56303f5a56697470ea9f2ee1a428aed2367d75
tree 1f1f819336bd6e31cd636a290f9ecf60e3673bd5
parent b3d49620875d878e2ad39896a6fe9fddb039253e
s4:auth/kerberos: don't mix s4u2self creds with machine account creds

It's important that we don't store the tgt for the machine account
in the same krb5_ccache as the ticket for the impersonated principal.

We may pass it to some krb5/gssapi functions and they may use them
in the wrong way, which would grant machine account privileges to
the client.

metze
source4/auth/kerberos/kerberos.c
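
The separation the commit message asks for can be checked on a cache's contents. The block below is an added illustration, not code from this commit or from Samba: it models a ccache as a list of (client, server) pairs and counts entries that do not belong in a cache used on behalf of the impersonated principal. The `cc_entry` struct, the `count_foreign_creds` helper, the choice to flag every TGT, and all principal names are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified view of one ccache entry: who the ticket was issued to and
 * which service it is valid at. A model, not the krb5_creds type. */
struct cc_entry {
    const char *client;
    const char *server;
};

/* Count entries that should not sit in a cache handed to krb5/gssapi code
 * acting for `impersonated`. Policy of this example: flag tickets issued to
 * any other client (e.g. the machine account) and flag any TGT. */
static int count_foreign_creds(const struct cc_entry *e, size_t n,
                               const char *impersonated)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        int other_client = strcmp(e[i].client, impersonated) != 0;
        int is_tgt = strncmp(e[i].server, "krbtgt/", 7) == 0;
        if (other_client || is_tgt)
            bad++;
    }
    return bad;
}

/* Constructed sample data: realm, host and user names are made up. */
static const struct cc_entry mixed_cache[] = {
    /* machine account TGT stored next to the impersonated user's ticket */
    { "HOST1$@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM" },
    /* S4U2Self ticket: client is the impersonated user, server is us */
    { "alice@EXAMPLE.COM",  "HOST1$@EXAMPLE.COM" },
};
static const struct cc_entry separate_cache[] = {
    { "alice@EXAMPLE.COM",  "HOST1$@EXAMPLE.COM" },
};

int main(void)
{
    printf("mixed cache:    %d foreign entries\n",
           count_foreign_creds(mixed_cache, 2, "alice@EXAMPLE.COM"));
    printf("separate cache: %d foreign entries\n",
           count_foreign_creds(separate_cache, 1, "alice@EXAMPLE.COM"));
    return 0;
}
```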