Update: Kerberos Ticket Forwarding Patch/Update [3.2]
Jeremy Allison
jra at samba.org
Fri Aug 8 19:09:32 GMT 2008
On Fri, Aug 08, 2008 at 03:08:35PM -0400, Derrick Schommer wrote:
> Jeremy,
>
> I just got to this patch, been a long week unfortunately. The updates you provided, although missing krb5_auth_con_set_req_cksumtype, are also missing all the GSS API calls needed to make this work.
>
> You removed the function I wrote which called krb5_fwd_tgt_creds() and made it call directly, but we still have to compose the GSS API and put the ticket within it:
>
>
> p = pChksum;
>
> SIVAL(p, 0, GSSAPI_BNDLENGTH);
> p += 4;
>
> /* Zero out the bindings fields */
> memset(p, 0x0, GSSAPI_BNDLENGTH );
> p += GSSAPI_BNDLENGTH;
>
> SIVAL(p, 0, GSS_C_DELEG_FLAG );
> p += 4;
> SSVAL(p, 0, 1 );
> p += 2;
> SSVAL(p, 0, fwdData.length );
> p += 2;
>
> /* Migrate the kerberos KRB_CRED data to the checksum delegation */
> memcpy(p, fwdData.data, fwdData.length );
> p += fwdData.length;
>
> /* We need to do this in order to allow our GSS-API */
> retval = krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM );
> if (retval) {
>     goto out;
> }
>
> /* We now have a service ticket, now turn it into an AP-REQ. */
> authenticator->length = ntohs(fwdData.length + GSSAPI_CHECKSUM_SIZE);
>
> /* Caller should call free() when they're done with this. */
> authenticator->data = (char *)pChksum;
>
>
> I'm putting that part in so that the client will make the correct connection.
Ok, then it probably should be a separate function.
Send me the code when you're done and I'll integrate it.
Cheers & thanks for your patience on this.
Jeremy.
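
An added example, not code from this thread or from Samba: the checksum layout composed in the quoted fragment, following RFC 4121 section 4.1.1 (Lgth, Bnd, Flags, DlgOpt, Dlgth, Deleg, all little-endian), written as a builder plus an acceptor-side parser with the length checks the 16-bit Dlgth field requires. The function names, the constant names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Field sizes per RFC 4121 4.1.1; names are hypothetical, not Samba's. */
#define BND_LEN    16u  /* value of Lgth and size of the Bnd field */
#define FIXED_LEN  28u  /* Lgth(4) + Bnd(16) + Flags(4) + DlgOpt(2) + Dlgth(2) */
#define DELEG_FLAG 1u   /* GSS_C_DELEG_FLAG */

static void put_le(uint8_t *p, uint32_t v, int n)
{ for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get_le(const uint8_t *p, int n)
{ uint32_t v = 0; for (int i = 0; i < n; i++) v |= (uint32_t)p[i] << (8 * i); return v; }

/* Build the checksum with a delegated KRB-CRED; returns bytes written, 0 on error. */
size_t gss_cksum_build(uint8_t *out, size_t cap, const uint8_t *cred, size_t cred_len)
{
    if (cred_len == 0 || cred_len > 0xFFFF || cap < FIXED_LEN + cred_len)
        return 0;                          /* Dlgth cannot carry more than 65535 */
    put_le(out, BND_LEN, 4);               /* Lgth */
    memset(out + 4, 0, BND_LEN);           /* Bnd: no channel bindings */
    put_le(out + 20, DELEG_FLAG, 4);       /* Flags */
    put_le(out + 24, 1, 2);                /* DlgOpt */
    put_le(out + 26, (uint32_t)cred_len, 2); /* Dlgth */
    memcpy(out + FIXED_LEN, cred, cred_len); /* Deleg */
    return FIXED_LEN + cred_len;
}

/* Locate Deleg in a received checksum; 0 on success, -1 if malformed or truncated. */
int gss_cksum_parse(const uint8_t *in, size_t len, const uint8_t **cred, size_t *cred_len)
{
    *cred = NULL; *cred_len = 0;
    if (len < 24 || get_le(in, 4) != BND_LEN) return -1;
    if (!(get_le(in + 20, 4) & DELEG_FLAG)) return 0;   /* nothing delegated */
    if (len < FIXED_LEN || get_le(in + 24, 2) != 1) return -1;
    size_t dl = get_le(in + 26, 2);
    if (dl == 0 || dl > len - FIXED_LEN) return -1;     /* Dlgth must fit the buffer */
    *cred = in + FIXED_LEN; *cred_len = dl;
    return 0;
}

int main(void)
{
    const uint8_t cred[] = { 0x76, 0x03, 0x02, 0x01, 0x05 }; /* constructed sample bytes */
    uint8_t buf[64];
    const uint8_t *d; size_t dl;
    size_t n = gss_cksum_build(buf, sizeof buf, cred, sizeof cred);
    return (n == 33 && gss_cksum_parse(buf, n, &d, &dl) == 0 && dl == 5) ? 0 : 1;
}
```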