svn commit: samba r11469 - in
branches/SAMBA_4_0/source/heimdal/lib/krb5: .
abartlet at samba.org
abartlet at samba.org
Wed Nov 2 04:11:37 GMT 2005
Author: abartlet
Date: 2005-11-02 04:11:36 +0000 (Wed, 02 Nov 2005)
New Revision: 11469
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11469
Log:
Fix typo, and use the correct (RFC4120) session key for delegating
credentials. This means we now delegate to Windows correctly.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/heimdal/lib/krb5/get_for_creds.c
branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c
Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/lib/krb5/get_for_creds.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/krb5/get_for_creds.c 2005-11-02 03:48:49 UTC (rev 11468)
+++ branches/SAMBA_4_0/source/heimdal/lib/krb5/get_for_creds.c 2005-11-02 04:11:36 UTC (rev 11469)
@@ -378,16 +378,18 @@
cred.enc_part.cipher.data = buf;
cred.enc_part.cipher.length = buf_size;
} else {
- krb5_keyblock *key;
+ /*
+ * RFC4120 claims we should use the session key, but Heimdal
+ * before 0.8 used the remote subkey if it was send in the
+ * auth_context.
+ *
+ * Lorikeet-Heimdal is interested in windows compatiblity
+ * more than Heimdal compatability, so we must choose the
+ * session key, and break forwarding credentials to older
+ * Heimdal servers.
+ */
- if (auth_context->local_subkey)
- key = auth_context->local_subkey;
- else if (auth_context->remote_subkey)
- key = auth_context->remote_subkey;
- else
- key = auth_context->keyblock;
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
+ ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret) {
free(buf);
free_KRB_CRED(&cred);
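Review bot: The new comment above `krb5_crypto_init` is the only in-code record of a deliberate interoperability break, and it has three spelling slips: `send` should be `sent`, and `compatiblity` and `compatability` should both be `compatibility`. The same `send` survives in the rd_cred.c comment this commit edits. Because the key is now always `auth_context->keyblock`, the comment could also say that the subkeys are ignored on purpose, e.g. `* local_subkey and remote_subkey are deliberately not used for KRB-CRED.`. Whether `auth_context->keyblock` can be NULL on this path is not visible here, since the enclosing function starts and ends outside the hunk; if it can, a guard before `krb5_crypto_init` is worth adding now that there is no other key to fall back on.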
Modified: branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c 2005-11-02 03:48:49 UTC (rev 11468)
+++ branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c 2005-11-02 04:11:36 UTC (rev 11469)
@@ -101,7 +101,7 @@
} else {
/* Try both subkey and session key.
*
- * RFC2140 claims we should use the session key, but Heimdal
+ * RFC4120 claims we should use the session key, but Heimdal
* before 0.8 used the remote subkey if it was send in the
* auth_context.
*/