Update: Kerberos Ticket Forwarding Patch/Update [3.2]
Derrick Schommer
dschommer at F5.com
Fri Aug 8 19:12:41 GMT 2008
No no, thanks for YOUR patience :-) You're the one that caught all my failures to pay closer attention to return codes :)
I'm building a patch now, it took me a bit of time to get a 3.2 build up and running (and joined) to the network today. Internal complications that have led me to want to toss the keyboard around for a bit.
Derrick
-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org]
Sent: Friday, August 08, 2008 15:10
To: Derrick Schommer
Cc: Jeremy Allison; samba-technical at lists.samba.org; Love Hörnquist Åstrand
Subject: Re: Update: Kerberos Ticket Forwarding Patch/Update [3.2]
On Fri, Aug 08, 2008 at 03:08:35PM -0400, Derrick Schommer wrote:
> Jeremy,
>
> I just got to this patch, been a long week unfortunately. The updates you provided, although missing krb5_auth_con_set_req_cksumtype, are also missing all the GSS API calls needed to make this work.
>
> You removed the function I wrote which called krb5_fwd_tgt_creds() and made it call directly, but we still have to compose the GSS API and put the ticket within it:
>
>
> p = pChksum;
>
> SIVAL(p, 0, GSSAPI_BNDLENGTH);
> p += 4;
>
> /* Zero out the bindings fields */
> memset(p, 0x0, GSSAPI_BNDLENGTH );
> p += GSSAPI_BNDLENGTH;
>
> SIVAL(p, 0, GSS_C_DELEG_FLAG );
> p += 4;
> SSVAL(p, 0, 1 );
> p += 2;
> SSVAL(p, 0, fwdData.length );
> p += 2;
>
> /* Migrate the kerberos KRB_CRED data to the checksum delegation */
> memcpy(p, fwdData.data, fwdData.length );
> p += fwdData.length;
>
> /* We need to do this in order to allow our GSS-API */
> retval = krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM );
> if (retval) {
>         goto out;
> }
>
> /* We now have a service ticket, now turn it into an AP-REQ. */
> authenticator->length = ntohs(fwdData.length + GSSAPI_CHECKSUM_SIZE);
>
> /* Caller should call free() when they're done with this. */
> authenticator->data = (char *)pChksum;
>
>
> I'm putting that part in so that the client will make the correct connection.
Ok, then it probably should be a separate function.
Send me the code when you're done and I'll integrate it.
Cheers & thanks for your patience on this.
Jeremy.
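
The field the quoted code assembles (binding length, zeroed bindings, flags, delegation option, delegation length, KRB_CRED) is the checksum layout of RFC 4121 section 4.1.1. The following is an added example, not code from this thread or from Samba: a bounds-checked builder and parser for that layout. All names are this example's own, and the constant values (16-byte bindings, delegation flag 1) are taken from the RFC rather than from the page.

```c
#include <stdint.h>
#include <string.h>

/* Values from RFC 4121 section 4.1.1; the names are this example's own. */
#define BND_LEN    16u                            /* channel-binding field */
#define DELEG_FLAG 0x1u                           /* GSS_C_DELEG_FLAG */
#define FIXED_LEN  (4u + BND_LEN + 4u + 2u + 2u)  /* 28 bytes before Deleg */

static void put_le(uint8_t *p, uint32_t v, int n) {
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_le(const uint8_t *p, int n) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Write Lgth | Bnd | Flags | DlgOpt | Dlgth | Deleg into out[cap].
 * Returns bytes written, or 0 if the KRB_CRED cannot be represented. */
size_t build_deleg_cksum(uint8_t *out, size_t cap,
                         const uint8_t *cred, size_t cred_len) {
    if (cred_len == 0 || cred_len > 0xFFFF) return 0;  /* Dlgth is 16 bits */
    if (cap < FIXED_LEN + cred_len) return 0;          /* would overflow out */
    put_le(out, BND_LEN, 4);
    memset(out + 4, 0, BND_LEN);                       /* no channel bindings */
    put_le(out + 20, DELEG_FLAG, 4);
    put_le(out + 24, 1, 2);                            /* DlgOpt is always 1 */
    put_le(out + 26, (uint32_t)cred_len, 2);
    memcpy(out + FIXED_LEN, cred, cred_len);
    return FIXED_LEN + cred_len;
}

/* Validate a received field. Returns the KRB_CRED length and sets *cred,
 * 0 if the delegation flag is clear, or -1 if the field is malformed. */
long parse_deleg_cksum(const uint8_t *in, size_t len, const uint8_t **cred) {
    if (len < 24 || get_le(in, 4) != BND_LEN) return -1;
    if (!(get_le(in + 20, 4) & DELEG_FLAG)) return 0;
    if (len < FIXED_LEN || get_le(in + 24, 2) != 1) return -1;
    size_t dlgth = get_le(in + 26, 2);
    if (dlgth == 0 || dlgth > len - FIXED_LEN) return -1;  /* truncated */
    *cred = in + FIXED_LEN;
    return (long)dlgth;
}

int main(void) {
    uint8_t buf[64]; const uint8_t cred[] = {0x76, 0x03, 0xAA}, *got; /* constructed */
    size_t n = build_deleg_cksum(buf, sizeof buf, cred, sizeof cred);
    return parse_deleg_cksum(buf, n, &got) == (long)sizeof cred ? 0 : 1;
}
```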