Update: Kerberos Ticket Forwarding Patch/Update [3.2]

Jeremy Allison jra at samba.org
Fri Aug 8 19:09:32 GMT 2008


On Fri, Aug 08, 2008 at 03:08:35PM -0400, Derrick Schommer wrote:
> Jeremy,
> 
> I just got to this patch, been a long week unfortunately. The updates you provided, although missing krb5_auth_con_set_req_cksumtype, are also missing all the GSS API calls needed to make this work.
> 
> You removed the function I wrote which called krb5_fwd_tgt_creds() and made it call directly, but we still have to compose the GSS API and put the ticket within it:
> 
> 
> 	p = pChksum;
> 
> 	SIVAL(p, 0, GSSAPI_BNDLENGTH);
> 	p += 4;
> 
> 	/* Zero out the bindings fields */
> 	memset(p, 0x0, GSSAPI_BNDLENGTH );
> 	p += GSSAPI_BNDLENGTH;
> 
> 	SIVAL(p, 0, GSS_C_DELEG_FLAG );
> 	p += 4;
> 	SSVAL(p, 0, 1 );
> 	p += 2;
> 	SSVAL(p, 0, fwdData.length );
> 	p += 2;
> 
> 	/* Migrate the kerberos KRB_CRED data to the checksum delegation */
> 	memcpy(p, fwdData.data, fwdData.length );
> 	p += fwdData.length;
> 
> 	/* We need to do this in order to allow our GSS-API  */
> 	retval = krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM );
> 	if (retval) {
> 		goto out;
> 	}
> 
> 	/* We now have a service ticket, now turn it into an AP-REQ. */
> 	authenticator->length = ntohs(fwdData.length + GSSAPI_CHECKSUM_SIZE);
> 
> 	/* Caller should call free() when they're done with this. */
> 	authenticator->data = (char *)pChksum;
> 
> 
> I'm putting that part in so that the client will make the correct connection.

Ok, then it probably should be a separate function.
Send me the code when you're done and I'll integrate it.

Cheers & thanks for your patience on this.

Jeremy.
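
The checksum body that the quoted snippet assembles follows the layout in RFC 4121 section 4.1.1 (Lgth, Bnd, Flags, DlgOpt, Dlgth, Deleg, all little-endian). The following is an added example, not code from this thread or from Samba: it builds that buffer in standalone C and refuses a KRB_CRED that does not fit the 16-bit Dlgth field. The names `build_deleg_cksum`, `BND_LEN`, `FIXED_LEN` and `DELEG_FLAG` are hypothetical, and the value 16 for the bindings length is taken from the RFC rather than from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BND_LEN    16u  /* assumed value of GSSAPI_BNDLENGTH (RFC 4121 Lgth field) */
#define FIXED_LEN  (4u + BND_LEN + 4u + 2u + 2u)  /* Lgth, Bnd, Flags, DlgOpt, Dlgth */
#define DELEG_FLAG 1u   /* GSS_C_DELEG_FLAG */

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void put_le16(uint8_t *p, uint16_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
}

/* Returns a malloc'd checksum body (caller frees), or NULL if cred cannot be encoded. */
uint8_t *build_deleg_cksum(const uint8_t *cred, size_t cred_len, size_t *out_len)
{
    uint8_t *buf, *p;

    /* Dlgth is a 16-bit field: refuse an oversized KRB_CRED rather than truncate its length. */
    if (cred == NULL || out_len == NULL || cred_len == 0 || cred_len > UINT16_MAX)
        return NULL;
    buf = p = calloc(1, FIXED_LEN + cred_len);   /* calloc leaves the Bnd field zeroed */
    if (buf == NULL)
        return NULL;
    put_le32(p, BND_LEN);            p += 4;     /* Lgth */
    p += BND_LEN;                                /* Bnd: all-zero channel bindings */
    put_le32(p, DELEG_FLAG);         p += 4;     /* Flags */
    put_le16(p, 1);                  p += 2;     /* DlgOpt */
    put_le16(p, (uint16_t)cred_len); p += 2;     /* Dlgth */
    memcpy(p, cred, cred_len);                   /* Deleg: the forwarded KRB_CRED */
    *out_len = FIXED_LEN + cred_len;
    return buf;
}

int main(void)
{
    /* Constructed stand-in bytes, not a real KRB_CRED message. */
    const uint8_t cred[] = { 0x76, 0x03, 0x02, 0x01, 0x05 };
    size_t n = 0;
    uint8_t *c = build_deleg_cksum(cred, sizeof cred, &n);
    if (c == NULL) return 1;
    for (size_t i = 0; i < n; i++) printf("%02x", c[i]);
    printf("\n");
    free(c);
    return 0;
}
```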

