git.samba.org / samba.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ee943fb)
s3-krb5 Fix Kerberos on FreeBSD with Samba4 DCs
authorAndrew Bartlett <abartlet@samba.org>
Sat, 11 Sep 2010 06:13:33 +0000 (16:13 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Sat, 11 Sep 2010 08:46:13 +0000 (18:46 +1000)
The idea of this patch is: Don't support a mix of different kerberos
features.

Either we should prepare a GSSAPI (8003) checksum and mark the request as
such, or we should use the old behaviour (a normal kerberos checksum of 0 data).

Sending the GSSAPI checksum data, but without marking it as GSSAPI broke
Samba4, and seems well outside the expected behaviour, even if Windows accepts it.

Andrew Bartlett

source3/libsmb/clikrb5.c patch | blob | history

diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 854d32476f172a5a27eaca8f87666b9844828003..704bcb929ec66fd26c27b12f8ab4e769b8c76b24 100644 (file)
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -840,7 +840,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
                goto cleanup_creds;
        }
 
                goto cleanup_creds;
        }
 
-#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
+#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
        if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
                /* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
                 as part of the kerberos exchange. */
        if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
                /* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
                 as part of the kerberos exchange. */
@@ -902,7 +902,6 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
                        gss_flags |= GSS_C_DELEG_FLAG;
                }
        }
                        gss_flags |= GSS_C_DELEG_FLAG;
                }
        }
-#endif
 
        /* Frees and reallocates in_data into a GSS checksum blob. */
        retval = create_gss_checksum(&in_data, gss_flags);
 
        /* Frees and reallocates in_data into a GSS checksum blob. */
        retval = create_gss_checksum(&in_data, gss_flags);
@@ -910,7 +909,6 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
                goto cleanup_data;
        }
 
                goto cleanup_data;
        }
 
-#if defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
        /* We always want GSS-checksum types. */
        retval = krb5_auth_con_set_req_cksumtype(context, *auth_context, GSSAPI_CHECKSUM );
        if (retval) {
        /* We always want GSS-checksum types. */
        retval = krb5_auth_con_set_req_cksumtype(context, *auth_context, GSSAPI_CHECKSUM );
        if (retval) {
Samba Shared Repository