svn commit: samba r15523 - branches/SAMBA_3_0/source/libads
branches/SAMBA_3_0/source/nsswitch branches/SAMBA_3_0/source/smbd
branches/SAMBA_3_0/source/utils trunk/source/libads
trunk/source/nsswitch trunk/source/smbd trunk/source/utils
gd at samba.org
gd at samba.org
Tue May 9 19:02:28 GMT 2006
Author: gd
Date: 2006-05-09 19:02:26 +0000 (Tue, 09 May 2006)
New Revision: 15523
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=15523
Log:
Honour the time_offset also when verifying kerberos tickets. This
prevents a nasty failure condition in winbindd's pam_auth where a tgt
and a service ticket could have been successfully retrieved, but just not
validated.
Guenther
Modified:
branches/SAMBA_3_0/source/libads/kerberos_verify.c
branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
branches/SAMBA_3_0/source/smbd/sesssetup.c
branches/SAMBA_3_0/source/utils/ntlm_auth.c
trunk/source/libads/kerberos_verify.c
trunk/source/nsswitch/winbindd_pam.c
trunk/source/smbd/sesssetup.c
trunk/source/utils/ntlm_auth.c
Changeset:
Modified: branches/SAMBA_3_0/source/libads/kerberos_verify.c
===================================================================
--- branches/SAMBA_3_0/source/libads/kerberos_verify.c 2006-05-09 15:50:35 UTC (rev 15522)
+++ branches/SAMBA_3_0/source/libads/kerberos_verify.c 2006-05-09 19:02:26 UTC (rev 15523)
@@ -286,7 +286,8 @@
***********************************************************************************/
NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
- const char *realm, const DATA_BLOB *ticket,
+ const char *realm, time_t time_offset,
+ const DATA_BLOB *ticket,
char **principal, PAC_DATA **pac_data,
DATA_BLOB *ap_rep,
DATA_BLOB *session_key)
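Review bot: The new `time_offset` parameter is undocumented. The function's header comment closes on the first context line of this hunk and is not touched, so the units, the sign convention and the meaning of 0 are left to the reader. I would extend that comment with something like `time_offset: seconds added to the local clock before the ticket's timestamps are checked; 0 leaves the clock unchanged`. The comment and the function body both lie outside the hunk. The identical trunk hunk needs the same addition.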
@@ -323,6 +324,10 @@
return NT_STATUS_LOGON_FAILURE;
}
+ if (time_offset != 0) {
+ krb5_set_real_time(context, time(NULL) + time_offset, 0);
+ }
+
ret = krb5_set_default_realm(context, realm);
if (ret) {
DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
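Review bot: The return value of `krb5_set_real_time()` is discarded in the added block. If the call fails, verification silently continues against the unadjusted clock, which is the failure the commit sets out to remove. Every other krb5 call visible in this hunk stores its result in `ret` and logs it. I would write `ret = krb5_set_real_time(context, time(NULL) + time_offset, 0);` followed by `if (ret) DEBUG(1,("ads_verify_ticket: krb5_set_real_time failed (%s)\n", error_message(ret)));`. Whether to bail out as well depends on the cleanup path, which is outside the hunk. The trunk copy of this hunk has the same omission.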
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2006-05-09 15:50:35 UTC (rev 15522)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2006-05-09 19:02:26 UTC (rev 15523)
@@ -540,6 +540,7 @@
result = ads_verify_ticket(state->mem_ctx,
lp_realm(),
+ time_offset,
&tkt,
&client_princ_out,
&pac_data,
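Review bot: `time_offset` is declared and assigned outside this hunk, so it cannot be seen here whether it is initialised on every path that reaches this call, or where its value comes from. It now shifts the clock against which ticket lifetimes are checked, so it should start at 0 and only ever hold the skew learned from the KDC during the preceding ticket request. A comment at the call such as `/* skew reported by the KDC while fetching the TGT; 0 if none */` would record that, assuming that is indeed its source. The same applies to the trunk copy of this hunk.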
Modified: branches/SAMBA_3_0/source/smbd/sesssetup.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/sesssetup.c 2006-05-09 15:50:35 UTC (rev 15522)
+++ branches/SAMBA_3_0/source/smbd/sesssetup.c 2006-05-09 19:02:26 UTC (rev 15523)
@@ -194,7 +194,7 @@
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
- ret = ads_verify_ticket(mem_ctx, lp_realm(), &ticket, &client, &pac_data, &ap_rep, &session_key);
+ ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket, &client, &pac_data, &ap_rep, &session_key);
data_blob_free(&ticket);
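Review bot: The bare `0` between `lp_realm()` and `&ticket` does not say what it stands for. A reader has to look up the prototype to learn that this path verifies client-presented tickets against the unadjusted local clock. A short comment such as `/* time_offset 0: verify against the local clock */`, or a named constant, would make that choice explicit. The same literal appears in the ntlm_auth.c hunk and in both trunk copies.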
Modified: branches/SAMBA_3_0/source/utils/ntlm_auth.c
===================================================================
--- branches/SAMBA_3_0/source/utils/ntlm_auth.c 2006-05-09 15:50:35 UTC (rev 15522)
+++ branches/SAMBA_3_0/source/utils/ntlm_auth.c 2006-05-09 19:02:26 UTC (rev 15523)
@@ -916,7 +916,7 @@
response.negTokenTarg.mechListMIC = data_blob(NULL, 0);
response.negTokenTarg.responseToken = data_blob(NULL, 0);
- status = ads_verify_ticket(mem_ctx, lp_realm(),
+ status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
&request.negTokenInit.mechToken,
&principal, NULL, &ap_rep,
&session_key);
Modified: trunk/source/libads/kerberos_verify.c
===================================================================
--- trunk/source/libads/kerberos_verify.c 2006-05-09 15:50:35 UTC (rev 15522)
+++ trunk/source/libads/kerberos_verify.c 2006-05-09 19:02:26 UTC (rev 15523)
@@ -286,7 +286,8 @@
***********************************************************************************/
NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
- const char *realm, const DATA_BLOB *ticket,
+ const char *realm, time_t time_offset,
+ const DATA_BLOB *ticket,
char **principal, PAC_DATA **pac_data,
DATA_BLOB *ap_rep,
DATA_BLOB *session_key)
@@ -323,6 +324,10 @@
return NT_STATUS_LOGON_FAILURE;
}
+ if (time_offset != 0) {
+ krb5_set_real_time(context, time(NULL) + time_offset, 0);
+ }
+
ret = krb5_set_default_realm(context, realm);
if (ret) {
DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c 2006-05-09 15:50:35 UTC (rev 15522)
+++ trunk/source/nsswitch/winbindd_pam.c 2006-05-09 19:02:26 UTC (rev 15523)
@@ -540,6 +540,7 @@
result = ads_verify_ticket(state->mem_ctx,
lp_realm(),
+ time_offset,
&tkt,
&client_princ_out,
&pac_data,
Modified: trunk/source/smbd/sesssetup.c
===================================================================
--- trunk/source/smbd/sesssetup.c 2006-05-09 15:50:35 UTC (rev 15522)
+++ trunk/source/smbd/sesssetup.c 2006-05-09 19:02:26 UTC (rev 15523)
@@ -194,7 +194,7 @@
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
- ret = ads_verify_ticket(mem_ctx, lp_realm(), &ticket, &client, &pac_data, &ap_rep, &session_key);
+ ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket, &client, &pac_data, &ap_rep, &session_key);
data_blob_free(&ticket);
Modified: trunk/source/utils/ntlm_auth.c
===================================================================
--- trunk/source/utils/ntlm_auth.c 2006-05-09 15:50:35 UTC (rev 15522)
+++ trunk/source/utils/ntlm_auth.c 2006-05-09 19:02:26 UTC (rev 15523)
@@ -916,7 +916,7 @@
response.negTokenTarg.mechListMIC = data_blob(NULL, 0);
response.negTokenTarg.responseToken = data_blob(NULL, 0);
- status = ads_verify_ticket(mem_ctx, lp_realm(),
+ status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
&request.negTokenInit.mechToken,
&principal, NULL, &ap_rep,
&session_key);