Update: Kerberos Ticket Forwarding Patch/Update [3.2]

Love Hörnquist Åstrand lha at kth.se
Sat Aug 2 00:04:31 GMT 2008

>> Removing krb5_auth_con_set_req_cksumtype() is bad.
>> You have to use the right checksum (0x8003) for gss-api, define it
>> yourself, its part of the gss-api krb5 rfc's.
> Ok, I'll re-enable it :-). Does it need to be done
> before the krb5_fwd_tgt_creds() call or after, or
> doesn't it matter as long as it's done before
> krb5_mk_req_extended() ?

Before krb5_mk_req_extended, or as part of krb5_mk_req_extended()  
using krb5_auth_con_set_checksum_func(), but I have no idea that the  
diffrence is since non have written documentation for the functions in  
MIT Kerberos. Before should do.

Also, if KRB5_AUTH_CONTEXT_DO_TIME is set on the auth_context, you  
want to strip it off when calling krb5_fwd_tgt_creds(), since  
otherwise timestamps get all weird and backward.

client: create fwd-cred at t1,
client: create ap-req packet at t2

server: unpack ap-req packet, see that time is t2
server: unpack fwd-cred, see that time is t1, time is going backward,  

But if you are are not running it to it, don't worry about that.


More information about the samba-technical mailing list