svn commit: samba r11940 - in branches/SAMBA_4_0/source: auth/kerberos heimdal/kdc

abartlet at samba.org abartlet at samba.org
Mon Nov 28 07:59:47 GMT 2005


Author: abartlet
Date: 2005-11-28 07:59:46 +0000 (Mon, 28 Nov 2005)
New Revision: 11940

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11940

Log:
Love has clarified why this code does what it does.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt
   branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt	2005-11-28 05:44:14 UTC (rev 11939)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt	2005-11-28 07:59:46 UTC (rev 11940)
@@ -179,14 +179,6 @@
    allow multiple passwords per account in krb5.  (I think this was
    intened to allow multiple salts)
 
- - When sending the enc-type negotiation, we call get_pa_etype_info if
-   there are only 'old' enc types present, but always call
-   get_pa_etype_info2.  It would seem more logical to have an
-   either/or, or only send both to clients that show signs of knowing
-   about the old enc types.
- - Perhaps this is to cope with clients that expect the older info in
-   the first position?  (Comments needed)
-
 State Machine safety
 --------------------
 
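Review bot: Deleting this open question from kerberos-notes.txt leaves the notes file with no trace that the enc-type negotiation behaviour was ever questioned or resolved; consider replacing the removed bullets with a one-line entry stating that the get_pa_etype_info / get_pa_etype_info2 split follows RFC 4120 and is documented in the comment in kdc/kerberos5.c, so a reader of the notes does not rediscover the same puzzle. While touching the surrounding lines, the retained context "intened to allow multiple salts" should read "intended".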

Modified: branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c	2005-11-28 05:44:14 UTC (rev 11939)
+++ branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c	2005-11-28 07:59:46 UTC (rev 11940)
@@ -1099,6 +1099,12 @@
 	pa->padata_value.data	= NULL;
 #endif
 
+	/* RFC4120 requires:
+            - If the client only knows about old enctypes, then send both info replies
+              (we send 'info' first in the list).
+            - If the client is 'modern', because it knows about 'new' enc types, then 
+              only send the 'info2' reply.
+	*/
 	/* XXX check ret */
 	if (only_older_enctype_p(req))
 	    ret = get_pa_etype_info(context, config, &method_data, &client->entry, 
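Review bot: The new comment explains the policy but the `/* XXX check ret */` marker immediately below it still stands, and the visible call `ret = get_pa_etype_info(...)` is not followed by a check in this hunk; either add the error check now or leave the XXX as-is rather than letting the new rationale comment suggest the block is finished. Two smaller points: the comment says "RFC4120 requires" without naming the section, and citing the PA-ETYPE-INFO / PA-ETYPE-INFO2 text in RFC 4120 section 5.2.7 would let the next reader verify the ordering claim ("we send 'info' first in the list") against the spec; and the comment mixes a leading tab on the first line with space indentation on the continuation lines, which should be brought in line with the tab indentation used elsewhere in kerberos5.c.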