From 3b4db34011f06fb785153fa9070fb1da9d8f5c78 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 11 Sep 2010 16:13:33 +1000
Subject: [PATCH] s3-krb5 Fix Kerberos on FreeBSD with Samba4 DCs
The idea of this patch is: Don't support a mix of different kerberos features. Either we should prepare a GSSAPI (8003) checksum and mark the request as such, or we should use the old behaviour (a normal kerberos checksum of 0 data). Sending the GSSAPI checksum data, but without marking it as GSSAPI broke Samba4, and seems well outside the expected behaviour, even if Windows accepts it. Andrew Bartlett
---
 source3/libsmb/clikrb5.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 854d32476f1..704bcb929ec 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -840,7 +840,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 goto cleanup_creds;
 }
-#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
+#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
 if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
 /* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket as part of the kerberos exchange. */
@@ -902,7 +902,6 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 gss_flags |= GSS_C_DELEG_FLAG;
 }
 }
-#endif
 /* Frees and reallocates in_data into a GSS checksum blob. */
 retval = create_gss_checksum(&in_data, gss_flags);
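Review bot: The widened `#if` in the first hunk ties the GSSAPI checksum to the four delegation-related macros, so a build that has `krb5_auth_con_set_req_cksumtype` but lacks, say, `HAVE_KRB5_FWD_TGT_CREDS` now falls back to the plain Kerberos checksum, although before this change it sent a correctly marked GSSAPI one. If such builds exist, keeping the delegation block under its original four-macro guard and nesting it inside an outer `#if defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)` would preserve the all-or-nothing rule without that loss. Either way the guard deserves a comment such as `/* GSSAPI (8003) checksum and delegation, or a plain Kerberos checksum; never a mix. */`, and the closing `#endif`, which lies outside these hunks, should name the condition it closes. The comment kept in the third hunk, `/* We always want GSS-checksum types. */`, no longer holds when the guard is false and should be reworded, for example to `/* Mark the request as carrying a GSSAPI checksum. */`.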
@@ -910,7 +909,6 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 goto cleanup_data;
 }
-#if defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
 /* We always want GSS-checksum types. */
 retval = krb5_auth_con_set_req_cksumtype(context, *auth_context, GSSAPI_CHECKSUM );
 if (retval) {
--
2.34.1