svn commit: samba r9648 - in branches/SAMBA_4_0/source:
auth/kerberos heimdal/kdc kdc
tridge at samba.org
tridge at samba.org
Fri Aug 26 11:52:36 GMT 2005
Author: tridge
Date: 2005-08-26 11:52:35 +0000 (Fri, 26 Aug 2005)
New Revision: 9648
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9648
Log:
This fixes krb5-based login with the PAC. The key to this whole saga was
that the logon_time field in the PAC must match the authtime field of the ticket we
gave the client in the AS-REP (and thus also the authtime field of the TGT the client
presents back to us in the TGS-REQ).
Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
Modified:
branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
branches/SAMBA_4_0/source/kdc/pac-glue.c
branches/SAMBA_4_0/source/kdc/pac-glue.h
Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos.h 2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos.h 2005-08-26 11:52:35 UTC (rev 9648)
@@ -143,6 +143,7 @@
krb5_context context,
krb5_keyblock *krbtgt_keyblock,
krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
DATA_BLOB *pac);
krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c 2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c 2005-08-26 11:52:35 UTC (rev 9648)
@@ -385,6 +385,7 @@
krb5_context context,
krb5_keyblock *krbtgt_keyblock,
krb5_keyblock *service_keyblock,
+ time_t tgs_authtime,
DATA_BLOB *pac)
{
NTSTATUS nt_status;
@@ -478,8 +479,13 @@
LOGON_INFO->info3.base.last_logon = timeval_to_nttime(&tv);
LOGON_NAME->account_name = server_info->account_name;
- LOGON_NAME->logon_time = timeval_to_nttime(&tv);
+ /*
+ this logon_time field is absolutely critical. This is what
+ caused all our pac troubles :-)
+ */
+ unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);
+
ret = kerberos_encode_pac(mem_ctx,
pac_data,
context,
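Review bot: The comment added above `unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);` says the field is critical but not what invariant a maintainer must preserve, which is the one thing this commit learned the hard way. Replace it with something like `/* logon_time must equal the authtime of the ticket this PAC is embedded in (per the commit log: the AS-REP authtime, carried forward into the TGS ticket). It is NOT "now" -- never derive it from tv. */`. Also worth a one-line remark that `last_logon` on the preceding line is still deliberately taken from `tv`, so the two timestamps are expected to differ and should not be "fixed" back into agreement. The enclosing function starts before this hunk.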
Modified: branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c 2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c 2005-08-26 11:52:35 UTC (rev 9648)
@@ -1597,6 +1597,7 @@
EncTicketPart *tgt,
EncTicketPart *adtkt,
AuthorizationData *auth_data,
+ krb5_ticket *tgs_ticket,
hdb_entry *server,
hdb_entry *client,
krb5_principal client_principal,
@@ -1774,6 +1775,7 @@
client->principal,
tgtkey,
ekey,
+ tgs_ticket->ticket.authtime,
&pac);
if (ret) {
free_AuthorizationData(if_relevant);
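Review bot: `tgs_ticket->ticket.authtime` is read through the new pointer parameter with no NULL check; the only visible caller (line 84 of this page) passes `ticket`, presumably the TGT parsed from the TGS-REQ's AP-REQ, so a guard such as `if (tgs_ticket == NULL) return KRB5KRB_ERR_GENERIC;` (using whatever error this function returns elsewhere) would make that contract explicit rather than relying on the caller. If `tgt`, already a parameter of this function, is `&tgs_ticket->ticket` as in Heimdal's tgs_rep, then `tgt->authtime` yields the same value and the extra parameter is redundant. More importantly, the invariant is that the PAC's logon_time equals the authtime of the ticket the PAC is embedded in, so if the service ticket's EncTicketPart is already populated at this point, sourcing authtime from it rather than from the presented TGT keeps the two in lock-step should they ever differ (e.g. the user-to-user `enc_tkt_in_skey` path visible at line 82). The enclosing function starts and ends outside this hunk.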
@@ -2357,6 +2359,7 @@
tgt,
b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL,
auth_data,
+ ticket,
server,
client,
cp,
Modified: branches/SAMBA_4_0/source/kdc/pac-glue.c
===================================================================
--- branches/SAMBA_4_0/source/kdc/pac-glue.c 2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/kdc/pac-glue.c 2005-08-26 11:52:35 UTC (rev 9648)
@@ -26,11 +26,12 @@
#include "kdc/pac-glue.h" /* Ensure we don't get this prototype wrong, as that could be painful */
krb5_error_code samba_get_pac(krb5_context context,
- struct krb5_kdc_configuration *config,
- krb5_principal client,
- krb5_keyblock *krbtgt_keyblock,
- krb5_keyblock *server_keyblock,
- krb5_data *pac)
+ struct krb5_kdc_configuration *config,
+ krb5_principal client,
+ krb5_keyblock *krbtgt_keyblock,
+ krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
+ krb5_data *pac)
{
krb5_error_code ret;
NTSTATUS nt_status;
@@ -74,6 +75,7 @@
context,
krbtgt_keyblock,
server_keyblock,
+ tgs_authtime,
&tmp_blob);
if (ret) {
Modified: branches/SAMBA_4_0/source/kdc/pac-glue.h
===================================================================
--- branches/SAMBA_4_0/source/kdc/pac-glue.h 2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/kdc/pac-glue.h 2005-08-26 11:52:35 UTC (rev 9648)
@@ -1,7 +1,8 @@
krb5_error_code samba_get_pac(krb5_context context,
- struct krb5_kdc_configuration *config,
- krb5_principal client,
- krb5_keyblock *krbtgt_keyblock,
- krb5_keyblock *server_keyblock,
+ struct krb5_kdc_configuration *config,
+ krb5_principal client,
+ krb5_keyblock *krbtgt_keyblock,
+ krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
krb5_data *pac);
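Review bot: The new `tgs_authtime` parameter is undocumented in the header even though its contract is the whole point of this commit. Add above the prototype: `/* tgs_authtime: authtime (Unix seconds) of the ticket this PAC will be embedded in; it is converted to NTTIME and written into the PAC's logon_time, which must match the ticket's authtime exactly. */`. The same one-line description belongs on the matching `time_t tgs_authtime` parameter in auth/kerberos/kerberos.h so the two prototypes stay in sync.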