svn commit: samba r9648 - in branches/SAMBA_4_0/source: auth/kerberos heimdal/kdc kdc

tridge at samba.org tridge at samba.org
Fri Aug 26 11:52:36 GMT 2005


Author: tridge
Date: 2005-08-26 11:52:35 +0000 (Fri, 26 Aug 2005)
New Revision: 9648

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9648

Log:
this fixes the krb5 based login with the pac. The key to this whole saga was
that the logon_time field in the pac must match the authtime field in the ticket we
gave the client in the AS-REP (and thus also the authtime field in the ticket we get
back in the TGS-REQ).

Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.

Modified:
   branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
   branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
   branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
   branches/SAMBA_4_0/source/kdc/pac-glue.c
   branches/SAMBA_4_0/source/kdc/pac-glue.h


Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos.h	2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos.h	2005-08-26 11:52:35 UTC (rev 9648)
@@ -143,6 +143,7 @@
 				    krb5_context context,
 				    krb5_keyblock *krbtgt_keyblock,
 				    krb5_keyblock *server_keyblock,
+				    time_t tgs_authtime,
 				    DATA_BLOB *pac);
 
 krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
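Review bot: The new `time_t tgs_authtime` parameter carries a contract a caller can only learn from the commit message — it must be the authtime of the ticket the PAC is being issued for, not "now" — and the declaration says nothing about it. A comment on the parameter such as `/* authtime of the ticket this PAC is bound to; the PAC's logon_time must equal it */` would keep the next caller from passing the current time and silently producing a PAC that verifiers reject. The same undocumented parameter is added to the definition in kerberos_pac.c (first hunk) and to samba_get_pac in pac-glue.c and pac-glue.h. The declaration this hunk modifies begins before the hunk, so its name and any existing header comment are not visible here.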

Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c	2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c	2005-08-26 11:52:35 UTC (rev 9648)
@@ -385,6 +385,7 @@
 				     krb5_context context,
 				     krb5_keyblock *krbtgt_keyblock,
 				     krb5_keyblock *service_keyblock,
+				     time_t tgs_authtime,
 				     DATA_BLOB *pac)
 {
 	NTSTATUS nt_status;
@@ -478,8 +479,13 @@
 	LOGON_INFO->info3.base.last_logon	= timeval_to_nttime(&tv);
 
 	LOGON_NAME->account_name	= server_info->account_name;
-	LOGON_NAME->logon_time		= timeval_to_nttime(&tv);
 
+	/*
+	  this logon_time field is absolutely critical. This is what
+	  caused all our pac troubles :-)
+	*/
+	unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);
+
 	ret = kerberos_encode_pac(mem_ctx, 
 				  pac_data, 
 				  context,
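Review bot: The new comment says the field is critical but not why, so a reader who sees `last_logon` a few lines up still taken from `tv` while `logon_time` now comes from `tgs_authtime` will read the split as an inconsistency and be tempted to unify them again. State the invariant instead: `/* logon_time must equal the authtime of the ticket this PAC is issued with; a verifier compares the two, which is what ties the signed PAC to its ticket rather than to wall-clock time */`. Whether a zero `tgs_authtime` can reach this point cannot be seen from the hunk; the function's body begins in the previous hunk and continues past this one.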

Modified: branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c	2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c	2005-08-26 11:52:35 UTC (rev 9648)
@@ -1597,6 +1597,7 @@
 	       EncTicketPart *tgt, 
 	       EncTicketPart *adtkt, 
 	       AuthorizationData *auth_data,
+	       krb5_ticket *tgs_ticket,
 	       hdb_entry *server, 
 	       hdb_entry *client, 
 	       krb5_principal client_principal, 
@@ -1774,6 +1775,7 @@
 				client->principal,
 				tgtkey,
 				ekey,
+				tgs_ticket->ticket.authtime,
 				&pac);
 	    if (ret) {
 		    free_AuthorizationData(if_relevant);
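Review bot: `tgs_ticket->ticket.authtime` is dereferenced with no check that the new `krb5_ticket *tgs_ticket` parameter is non-NULL, so the function (whose name and header lie outside the first hunk) now has an unstated precondition. The only call site in this diff (the third hunk) passes `ticket`, which on the TGS path is presumably the ticket recovered from the verified AP-REQ and thus non-NULL, but that is inferred rather than visible here. Either document the precondition on the parameter or fail before the samba_get_pac call when it is NULL, using the same cleanup path as the `if (ret)` branch that follows. Since this file lives under heimdal/ and appears to be a Samba-modified copy, a one-line comment marking the added parameter as a Samba extension would also ease future merges.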
@@ -2357,6 +2359,7 @@
 			     tgt, 
 			     b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL, 
 			     auth_data,
+			     ticket,
 			     server, 
 			     client, 
 			     cp, 

Modified: branches/SAMBA_4_0/source/kdc/pac-glue.c
===================================================================
--- branches/SAMBA_4_0/source/kdc/pac-glue.c	2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/kdc/pac-glue.c	2005-08-26 11:52:35 UTC (rev 9648)
@@ -26,11 +26,12 @@
 #include "kdc/pac-glue.h" /* Ensure we don't get this prototype wrong, as that could be painful */
 
  krb5_error_code samba_get_pac(krb5_context context, 
-			      struct krb5_kdc_configuration *config,
-			      krb5_principal client, 
-			      krb5_keyblock *krbtgt_keyblock, 
-			      krb5_keyblock *server_keyblock, 
-			      krb5_data *pac) 
+			       struct krb5_kdc_configuration *config,
+			       krb5_principal client, 
+			       krb5_keyblock *krbtgt_keyblock, 
+			       krb5_keyblock *server_keyblock, 
+			       time_t tgs_authtime,
+			       krb5_data *pac)
 {
 	krb5_error_code ret;
 	NTSTATUS nt_status;
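Review bot: Four of the five removed-and-re-added parameter lines in this hunk differ only by one column of indentation; the sole substantive change is the inserted `time_t tgs_authtime,`. Whitespace-only re-indenting of unchanged lines doubles the hunk and hides the real change from blame, so either keep the original indentation and add just the one line or put the realignment in its own commit. The realignment does bring the lines level with the existing `krb5_data *pac);` in pac-glue.h, which may be the intent, but the same remark applies to the pac-glue.h hunk.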
@@ -74,6 +75,7 @@
 				  context, 
 				  krbtgt_keyblock,
 				  server_keyblock,
+				  tgs_authtime,
 				  &tmp_blob);
 
 	if (ret) {

Modified: branches/SAMBA_4_0/source/kdc/pac-glue.h
===================================================================
--- branches/SAMBA_4_0/source/kdc/pac-glue.h	2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/kdc/pac-glue.h	2005-08-26 11:52:35 UTC (rev 9648)
@@ -1,7 +1,8 @@
 
  krb5_error_code samba_get_pac(krb5_context context, 
-			      struct krb5_kdc_configuration *config,
-			      krb5_principal client, 
-			      krb5_keyblock *krbtgt_keyblock, 
-			      krb5_keyblock *server_keyblock, 
+			       struct krb5_kdc_configuration *config,
+			       krb5_principal client, 
+			       krb5_keyblock *krbtgt_keyblock, 
+			       krb5_keyblock *server_keyblock, 
+			       time_t tgs_authtime,
 			       krb5_data *pac);


