s3-krb5 Fix Kerberos on FreeBSD with Samba4 DCs
authorAndrew Bartlett <abartlet@samba.org>
Sat, 11 Sep 2010 06:13:33 +0000 (16:13 +1000)
committerKarolin Seeger <kseeger@samba.org>
Sat, 5 Mar 2011 13:34:48 +0000 (14:34 +0100)
The idea of this patch is: Don't support a mix of different kerberos
features.

Either we should prepare a GSSAPI (8003) checksum and mark the request as
such, or we should use the old behaviour (a normal kerberos checksum of 0 data).

Sending the GSSAPI checksum data, but without marking it as GSSAPI broke
Samba4, and seems well outside the expected behaviour, even if Windows accepts it.

Andrew Bartlett
(cherry picked from commit 3b4db34011f06fb785153fa9070fb1da9d8f5c78)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit b31c9cf18a5bd592912bd300e028d0798e93978d)

source3/libsmb/clikrb5.c

index b0dec0ad4cc6f3942f8560b3fde0886e0f57497e..ff93ddbe95161768f4399aea6bc007861577336a 100644 (file)
@@ -832,7 +832,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
                goto cleanup_creds;
        }
 
-#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
+#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
        if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
                /* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
                 as part of the kerberos exchange. */
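Review bot: The widened `#if` makes the GSSAPI (8003) checksum depend on four delegation-related macros as well as `HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE`, so a build missing any one of them falls back to the plain Kerberos checksum with nothing in the source saying so. Because the `#endif` removed in the next hunk also moves `create_gss_checksum()` under this guard, a comment above the condition would record the rule, e.g. `/* All-or-nothing: build the GSSAPI (8003) checksum and mark the request as such, or send a plain Kerberos checksum. */`. If the fallback path (outside this hunk) does not already log, a low-level `DEBUG` line there would let an administrator see why the request carries no GSS flags. ads_krb5_mk_req starts and ends outside the hunk.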
@@ -894,7 +894,6 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
                        gss_flags |= GSS_C_DELEG_FLAG;
                }
        }
-#endif
 
        /* Frees and reallocates in_data into a GSS checksum blob. */
        retval = create_gss_checksum(&in_data, gss_flags);
@@ -902,7 +901,6 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
                goto cleanup_data;
        }
 
-#if defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
        /* We always want GSS-checksum types. */
        retval = krb5_auth_con_set_req_cksumtype(context, *auth_context, GSSAPI_CHECKSUM );
        if (retval) {
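Review bot: The retained comment `/* We always want GSS-checksum types. */` is no longer accurate, because with the local `#if` removed this call is compiled only when the combined guard earlier in ads_krb5_mk_req holds. Something like `/* Mark the request as carrying the GSSAPI (8003) checksum built above. */` matches the new behaviour. The `#endif` that now closes the whole region lies outside this hunk; tagging it with the condition it ends would make the long conditional span easier to follow. The `if (retval)` body continues past the hunk.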