Update: Kerberos Ticket Forwarding Patch/Update [3.2]

Derrick Schommer dschommer at F5.com
Fri Aug 8 19:12:41 GMT 2008


No no, thanks for YOUR patience :-) You're the one that caught all my failures to pay closer attention to return codes :)

I'm building a patch now, it took me a bit of time to get a 3.2 build up and running (and joined) to the network today. Internal complications that have led me to want to toss the keyboard around for a bit.

Derrick

-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org] 
Sent: Friday, August 08, 2008 15:10
To: Derrick Schommer
Cc: Jeremy Allison; samba-technical at lists.samba.org; Love Hörnquist Åstrand
Subject: Re: Update: Kerberos Ticket Forwarding Patch/Update [3.2]

On Fri, Aug 08, 2008 at 03:08:35PM -0400, Derrick Schommer wrote:
> Jeremy,
> 
> I just got to this patch, been a long week unfortunately. The updates you provided, although missing krb5_auth_con_set_req_cksumtype, are also missing all the GSS API calls needed to make this work.
> 
> You removed the function I wrote which called krb5_fwd_tgt_creds() and made it call directly, but we still have to compose the GSS API and put the ticket within it:
> 
> 
> 	p = pChksum;
> 
> 	SIVAL(p, 0, GSSAPI_BNDLENGTH);
> 	p += 4;
> 
> 	/* Zero out the bindings fields */
> 	memset(p, 0x0, GSSAPI_BNDLENGTH );
> 	p += GSSAPI_BNDLENGTH;
> 
> 	SIVAL(p, 0, GSS_C_DELEG_FLAG );
> 	p += 4;
> 	SSVAL(p, 0, 1 );
> 	p += 2;
> 	SSVAL(p, 0, fwdData.length );
> 	p += 2;
> 
> 	/* Migrate the kerberos KRB_CRED data to the checksum delegation */
> 	memcpy(p, fwdData.data, fwdData.length );
> 	p += fwdData.length;
> 
> 	/* We need to do this in order to allow our GSS-API  */
> 	retval = krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM );
> 	if (retval) {
> 		goto out;
> 	}
> 
> 	/* We now have a service ticket, now turn it into an AP-REQ. */
> 	authenticator->length = fwdData.length + GSSAPI_CHECKSUM_SIZE;
> 
> 	/* Caller should call free() when they're done with this. */
> 	authenticator->data = (char *)pChksum;
> 
> 
> I'm putting that part in so that the client will make the correct connection.

Ok, then it probably should be a separate function.
Send me the code when you're done and I'll integrate it.

Cheers & thanks for your patience on this.

Jeremy.
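
The checksum layout that the quoted fragment writes by hand, as an added example that is not part of the original thread or of Samba's code: a bounds-checked builder plus the matching receiver-side length check. The constant values are taken from RFC 4121 section 4.1.1 and RFC 2744 and defined locally; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values from RFC 4121 section 4.1.1 and RFC 2744; defined locally for this example. */
#define GSSAPI_BNDLENGTH     16
#define GSSAPI_CHECKSUM_SIZE (12 + GSSAPI_BNDLENGTH)  /* fixed header: 28 bytes */
#define GSS_C_DELEG_FLAG     1

static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)(v & 0xffff)); put_le16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p) { return get_le16(p) | ((uint32_t)get_le16(p + 2) << 16); }

/* Build Lgth | Bnd | Flags | DlgOpt | Dlgth | Deleg into out (hypothetical helper).
 * Returns bytes written, or 0 if the credential cannot be encoded or out is too small. */
size_t build_gss_checksum(const uint8_t *cred, size_t cred_len, uint8_t *out, size_t out_cap)
{
	if (cred_len == 0 || cred_len > UINT16_MAX)      /* Dlgth is only 16 bits wide */
		return 0;
	if (out_cap < GSSAPI_CHECKSUM_SIZE + cred_len)
		return 0;
	put_le32(out, GSSAPI_BNDLENGTH);                 /* Lgth, little-endian */
	memset(out + 4, 0, GSSAPI_BNDLENGTH);            /* Bnd: no channel bindings */
	put_le32(out + 20, GSS_C_DELEG_FLAG);            /* Flags */
	put_le16(out + 24, 1);                           /* DlgOpt */
	put_le16(out + 26, (uint16_t)cred_len);          /* Dlgth */
	memcpy(out + GSSAPI_CHECKSUM_SIZE, cred, cred_len);
	return GSSAPI_CHECKSUM_SIZE + cred_len;          /* host-order length, no byte swap */
}

/* Receiver-side check (hypothetical helper): returns Dlgth if the buffer is a
 * well-formed delegation checksum whose Deleg field fits inside len, else -1. */
long parse_gss_checksum(const uint8_t *buf, size_t len)
{
	if (len < GSSAPI_CHECKSUM_SIZE || get_le32(buf) != GSSAPI_BNDLENGTH)
		return -1;
	if (!(get_le32(buf + 20) & GSS_C_DELEG_FLAG) || get_le16(buf + 24) != 1)
		return -1;
	uint16_t dlgth = get_le16(buf + 26);
	if ((size_t)dlgth > len - GSSAPI_CHECKSUM_SIZE)  /* Deleg must not run past the buffer */
		return -1;
	return dlgth;
}
```

A KRB_CRED larger than 65535 bytes is rejected rather than silently truncated into the 16-bit Dlgth field.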

