svn commit: samba r11469 - in branches/SAMBA_4_0/source/heimdal/lib/krb5: .

abartlet at samba.org abartlet at samba.org
Wed Nov 2 04:11:37 GMT 2005


Author: abartlet
Date: 2005-11-02 04:11:36 +0000 (Wed, 02 Nov 2005)
New Revision: 11469

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11469

Log:
Fix typo, and use the correct (RFC4120) session key for delegating
credentials.  This means we now delegate to windows correctly.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/heimdal/lib/krb5/get_for_creds.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/lib/krb5/get_for_creds.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/krb5/get_for_creds.c	2005-11-02 03:48:49 UTC (rev 11468)
+++ branches/SAMBA_4_0/source/heimdal/lib/krb5/get_for_creds.c	2005-11-02 04:11:36 UTC (rev 11469)
@@ -378,16 +378,18 @@
 	cred.enc_part.cipher.data = buf;
 	cred.enc_part.cipher.length = buf_size;
     } else {
-	krb5_keyblock *key;
+	    /* 
+	     * RFC4120 claims we should use the session key, but Heimdal
+	     * before 0.8 used the remote subkey if it was send in the
+	     * auth_context.  
+	     *
+	     * Lorikeet-Heimdal is interested in windows compatiblity
+	     * more than Heimdal compatability, so we must choose the
+	     * session key, and break forwarding credentials to older
+	     * Heimdal servers. 
+	     */
 
-	if (auth_context->local_subkey)
-	    key = auth_context->local_subkey;
-	else if (auth_context->remote_subkey)
-	    key = auth_context->remote_subkey;
-	else
-	    key = auth_context->keyblock;
-	
-	ret = krb5_crypto_init(context, key, 0, &crypto);
+	ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
 	if (ret) {
 	    free(buf);
 	    free_KRB_CRED(&cred);
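Review bot: The new comment in the else branch says older Heimdal "used the remote subkey", but the removed lines tried auth_context->local_subkey first and fell back to remote_subkey only after that, so the comment understates what is being dropped. Suggest naming both subkeys in the comment. Since forwarding to older Heimdal servers now breaks unconditionally, the comment should also say that there is no fallback on the sending side. Smaller points in the same comment: "compatiblity" and "compatability" should both read "compatibility", "was send" should be "was sent", and the comment block is indented one level deeper than the krb5_crypto_init() call it documents.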

Modified: branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c	2005-11-02 03:48:49 UTC (rev 11468)
+++ branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c	2005-11-02 04:11:36 UTC (rev 11469)
@@ -101,7 +101,7 @@
     } else {
 	/* Try both subkey and session key.
 	 * 
-	 * RFC2140 claims we should use the session key, but Heimdal
+	 * RFC4120 claims we should use the session key, but Heimdal
 	 * before 0.8 used the remote subkey if it was send in the
 	 * auth_context.
 	 */
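Review bot: The RFC number is corrected here, but the unchanged line below it still reads "was send in the auth_context" and could be fixed to "was sent" in the same pass. Because get_for_creds.c in this revision now always encrypts with auth_context->keyblock, it would also help to extend this comment to say that the "try both" path is kept only to accept credentials from older senders that used a subkey.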


