Update: Kerberos Ticket Forwarding Patch/Update [3.2]

Love Hörnquist Åstrand lha at kth.se
Sat Aug 2 00:04:31 GMT 2008


>> Removing krb5_auth_con_set_req_cksumtype() is bad.
>>
>> You have to use the right checksum (0x8003) for gss-api, define it
>> yourself, it's part of the gss-api krb5 RFCs.
>
> Ok, I'll re-enable it :-). Does it need to be done
> before the krb5_fwd_tgt_creds() call or after, or
> doesn't it matter as long as it's done before
> krb5_mk_req_extended() ?

Before krb5_mk_req_extended, or as part of krb5_mk_req_extended()
using krb5_auth_con_set_checksum_func(), but I have no idea what the
difference is since none have written documentation for the functions in
MIT Kerberos. Before should do.

Also, if KRB5_AUTH_CONTEXT_DO_TIME is set on the auth_context, you  
want to strip it off when calling krb5_fwd_tgt_creds(), since  
otherwise timestamps get all weird and backward.

client: create fwd-cred at t1,
client: create ap-req packet at t2

server: unpack ap-req packet, see that time is t2
server: unpack fwd-cred, see that time is t1, time is going backward,  
hmmm.

But if you are not running into it, don't worry about that.

Love
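
Added example (not part of the original post, and not Samba, Heimdal or MIT code): the body of the GSS-API checksum type 0x8003 mentioned above, laid out as in RFC 4121 section 4.1.1, with the forwarded credential (the KRB_CRED message) carried in the Deleg field. It goes a step beyond the thread by also showing the acceptor-side length check. The function names are hypothetical and the caller supplies the KRB_CRED bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CKSUMTYPE_GSSAPI  0x8003  /* checksum type carried in the authenticator */
#define GSS_C_DELEG_FLAG  1u
#define GSS_C_MUTUAL_FLAG 2u

/* All multi-octet fields in the 0x8003 body are little-endian. */
static void put_le(uint8_t *p, uint32_t v, int n) {
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_le(const uint8_t *p, int n) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Build the 0x8003 checksum body. bnd is the 16-byte channel-binding hash
 * (all zeros when no bindings are used). Returns bytes written, 0 on error. */
size_t gss_cksum_build(uint8_t *out, size_t cap, const uint8_t bnd[16],
                       uint32_t flags, const uint8_t *cred, size_t cred_len) {
    int deleg = (flags & GSS_C_DELEG_FLAG) != 0;
    if (deleg != (cred != NULL && cred_len > 0)) return 0; /* flag and cred must agree */
    if (cred_len > 0xFFFF) return 0;                       /* Dlgth is 16 bits */
    size_t need = 24 + (deleg ? 4 + cred_len : 0);
    if (cap < need) return 0;
    put_le(out, 16, 4);                          /* Lgth: length of Bnd */
    memcpy(out + 4, bnd, 16);                    /* Bnd */
    put_le(out + 20, flags, 4);                  /* Flags */
    if (deleg) {
        put_le(out + 24, 1, 2);                  /* DlgOpt = 1 */
        put_le(out + 26, (uint32_t)cred_len, 2); /* Dlgth */
        memcpy(out + 28, cred, cred_len);        /* Deleg: KRB_CRED */
    }
    return need;
}

/* Acceptor-side check: returns the length of the Deleg field (0 if none),
 * or -1 if the body is malformed or truncated. */
long gss_cksum_deleg_len(const uint8_t *in, size_t len) {
    if (len < 24 || get_le(in, 4) != 16) return -1;
    if (!(get_le(in + 20, 4) & GSS_C_DELEG_FLAG)) return 0;
    if (len < 28 || get_le(in + 24, 2) != 1) return -1;
    size_t dl = get_le(in + 26, 2);
    return (len - 28 < dl) ? -1 : (long)dl;
}
```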



