Update: Kerberos Ticket Forwarding Patch/Update [3.2]

Derrick Schommer dschommer at F5.com
Fri Aug 8 19:20:54 GMT 2008


Jeremy,

Okay, here is the integration of your patches with my code (updated also by you with some cool macros).

Let me know how that looks. I've tested it with the F5 Acopia ARX1000 and it proxies Kerberos correctly.

Derrick

-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org] 
Sent: Friday, August 08, 2008 15:10
To: Derrick Schommer
Cc: Jeremy Allison; samba-technical at lists.samba.org; Love Hörnquist Åstrand
Subject: Re: Update: Kerberos Ticket Forwarding Patch/Update [3.2]

On Fri, Aug 08, 2008 at 03:08:35PM -0400, Derrick Schommer wrote:
> Jeremy,
> 
> I just got to this patch, been a long week unfortunately. The updates you provided, although missing krb5_auth_con_set_req_cksumtype, are also missing all the GSS API calls needed to make this work.
> 
> You removed the function I wrote which called krb5_fwd_tgt_creds() and made it call directly, but we still have to compose the GSS API and put the ticket within it:
> 
> 
> 	p = pChksum;
> 
> 	SIVAL(p, 0, GSSAPI_BNDLENGTH);
> 	p += 4;
> 
> 	/* Zero out the bindings fields */
> 	memset(p, 0x0, GSSAPI_BNDLENGTH );
> 	p += GSSAPI_BNDLENGTH;
> 
> 	SIVAL(p, 0, GSS_C_DELEG_FLAG );
> 	p += 4;
> 	SSVAL(p, 0, 1 );
> 	p += 2;
> 	SSVAL(p, 0, fwdData.length );
> 	p += 2;
> 
> 	/* Migrate the kerberos KRB_CRED data to the checksum delegation */
> 	memcpy(p, fwdData.data, fwdData.length );
> 	p += fwdData.length;
> 
> 	/* We need to do this in order to allow our GSS-API  */
> 	retval = krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM );
> 	if (retval) {
> 		goto out;
> 	}
> 
> 	/* We now have a service ticket, now turn it into an AP-REQ. */
> 	authenticator->length = ntohs(fwdData.length + GSSAPI_CHECKSUM_SIZE);
> 
> 	/* Caller should call free() when they're done with this. */
> 	authenticator->data = (char *)pChksum;
> 
> 
> I'm putting that part in so that the client will make the correct connection.

Ok, then it probably should be a separate function.
Send me the code when you're done and I'll integrate it.

Cheers & thanks for your patience on this.

Jeremy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb-3.2.patch
Type: application/octet-stream
Size: 7566 bytes
Desc: smb-3.2.patch
Url : http://lists.samba.org/archive/samba-technical/attachments/20080808/7d1cca18/smb-3.2.obj
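The checksum Derrick is assembling above is the RFC 1964 section 1.1.1 authenticator checksum (type 0x8003): a 16-byte channel-binding field preceded by its length, the GSS flags word, and, when GSS_C_DELEG_FLAG is set, a DlgOpt/Dlgth header followed by the serialised KRB-CRED. The block below is an added example, not code from the thread or from Samba: it builds that blob with the same little-endian layout and pairs it with a bounds-checked parser of the kind a server or proxy needs before it trusts the Dlgth field. The helper names (build_gss_checksum, parse_gss_checksum, gss_checksum_t) and the sample KRB-CRED bytes are constructed for illustration; the constants mirror the macros used in the quoted code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 1964 section 1.1.1 checksum, all fields little-endian:
 *   Lgth(4) | Bnd(16) | Flags(4) | [DlgOpt(2) | Dlgth(2) | Deleg(Dlgth)]
 * Constants named after the macros in the quoted patch; values are the RFC's. */
#define GSSAPI_BNDLENGTH      16
#define GSSAPI_CHECKSUM       0x8003
#define GSSAPI_CHECKSUM_SIZE  (4 + GSSAPI_BNDLENGTH + 4 + 2 + 2)  /* 28 bytes incl. delegation header */
#define GSS_C_DELEG_FLAG      1
#define GSSAPI_DLGOPT_KRBCRED 1   /* the only DlgOpt value RFC 1964 defines */

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Build the checksum blob. krb_cred/cred_len is the serialised KRB-CRED (what
 * krb5_fwd_tgt_creds() produces); it is only used when flags has GSS_C_DELEG_FLAG.
 * Returns a malloc'd buffer (caller frees) and its byte length in *out_len, NULL on error. */
uint8_t *build_gss_checksum(uint32_t flags, const uint8_t *krb_cred, size_t cred_len, size_t *out_len)
{
    int deleg = (flags & GSS_C_DELEG_FLAG) != 0;
    size_t total = 4 + GSSAPI_BNDLENGTH + 4;          /* 24 bytes without delegation */
    uint8_t *buf, *p;

    if (deleg) {
        /* Dlgth is a 16-bit field: a larger KRB-CRED cannot be represented. */
        if (krb_cred == NULL || cred_len == 0 || cred_len > 0xFFFF) return NULL;
        total = GSSAPI_CHECKSUM_SIZE + cred_len;
    }
    buf = p = malloc(total);
    if (buf == NULL) return NULL;

    put_le32(p, GSSAPI_BNDLENGTH);      p += 4;
    memset(p, 0, GSSAPI_BNDLENGTH);     p += GSSAPI_BNDLENGTH;   /* no channel bindings, as in the patch */
    put_le32(p, flags);                 p += 4;
    if (deleg) {
        put_le16(p, GSSAPI_DLGOPT_KRBCRED); p += 2;
        put_le16(p, (uint16_t)cred_len);    p += 2;
        memcpy(p, krb_cred, cred_len);      p += cred_len;
    }
    *out_len = (size_t)(p - buf);
    return buf;
}

typedef struct {
    uint32_t flags;
    uint16_t dlg_opt;
    uint16_t deleg_len;
    const uint8_t *deleg;   /* points into the parsed buffer; NULL when no delegation */
} gss_checksum_t;

/* Parse and validate a received checksum. Returns 0 on success, -1 if malformed.
 * Every field is bounds-checked against len before it is read, so a short or
 * lying Dlgth cannot make the caller read past the buffer. */
int parse_gss_checksum(const uint8_t *buf, size_t len, gss_checksum_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 24) return -1;
    if (get_le32(buf) != GSSAPI_BNDLENGTH) return -1;           /* Lgth must be 16 */
    out->flags = get_le32(buf + 4 + GSSAPI_BNDLENGTH);
    if (!(out->flags & GSS_C_DELEG_FLAG)) return 0;             /* trailing extensions tolerated */
    if (len < GSSAPI_CHECKSUM_SIZE) return -1;
    out->dlg_opt   = get_le16(buf + 24);
    out->deleg_len = get_le16(buf + 26);
    if (out->dlg_opt != GSSAPI_DLGOPT_KRBCRED) return -1;
    if ((size_t)out->deleg_len > len - GSSAPI_CHECKSUM_SIZE) return -1;   /* Dlgth exceeds buffer */
    out->deleg = buf + GSSAPI_CHECKSUM_SIZE;
    return 0;
}

int main(void)
{
    /* Constructed stand-in for a DER-encoded KRB-CRED; a real one is far longer. */
    static const uint8_t cred[] = { 0x76, 0x09, 0x30, 0x07, 0xa0, 0x03, 0x02, 0x01, 0x05, 0xa1, 0x00 };
    size_t n = 0;
    gss_checksum_t parsed;
    uint8_t *ck = build_gss_checksum(GSS_C_DELEG_FLAG, cred, sizeof cred, &n);
    if (ck == NULL) return 1;
    int rc = parse_gss_checksum(ck, n, &parsed);
    printf("checksum is %zu bytes, parse rc=%d, flags=0x%x, Dlgth=%u\n",
           n, rc, parsed.flags, parsed.deleg_len);
    free(ck);
    return 0;
}
```

The builder refuses a KRB-CRED longer than 65535 bytes rather than silently truncating the 16-bit Dlgth, and the parser rejects a Dlgth that runs past the end of the received checksum; those are the two places where the fixed layout above meets attacker-controlled lengths.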

