svn commit: lorikeet r699 - in trunk/heimdal: . cf doc kdc kuser lib/asn1 lib/des lib/des/imath lib/gssapi lib/hdb lib/hx509 lib/hx509/data lib/krb5 lib/roken tests tests/kdc

Andrew Bartlett abartlet at samba.org
Wed Jan 10 20:35:07 GMT 2007


On Wed, 2007-01-10 at 16:48 +0100, Love Hörnquist Åstrand wrote:
> On 10 Jan 2007 at 02:44, abartlet at samba.org wrote:
> 
> >    trunk/heimdal/kdc/kerberos5.c
> 
> contains this change:
> 
> @@ -1549,7 +1544,9 @@
> 	if (p != NULL) {
> 	    ret = _krb5_pac_sign(context, p, et.authtime,
> 				 client->entry.principal,
> -				 &et.key, &skey->key, &data);
> +				 &skey->key, /* Server key */
> +				 &skey->key, /* FIXME: should be krbtgt key */
> +				 &data);
> 	    krb5_pac_free(context, p);
> 	    if (ret) {
> 		kdc_log(context, config, 0, "PAC signing failed for -- %s",
> 
> 
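Review bot: in the added arguments to _krb5_pac_sign, the slot commented "Server key" and the slot commented "FIXME: should be krbtgt key" both receive &skey->key, so whenever skey is not the krbtgt key the PAC is signed twice with the same service key. Rather than leaving this as a FIXME, look up the krbtgt key separately and pass it as the second key, or return an error through the existing "PAC signing failed" path when it cannot be obtained. The first slot also changed from &et.key to &skey->key without a visible explanation; a comment at the _krb5_pac_sign declaration stating which key each argument expects would make call sites like this one checkable.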
> I don't understand this, et.key is the session krbtgt key and skey->key is
> the krbtgt key. Assuming this is an AS-REQ for krbtgt of course,
> is it this assumption this comment is questioning?

Yes, if this was an AS-REQ for a service directly, not for the
krbtgt, then we should look up the krbtgt key separately, to fill
that in.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com