[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-2797-g5f41913

Jeremy Allison jra at samba.org
Tue Sep 9 23:47:21 GMT 2008


On Wed, Sep 10, 2008 at 12:24:27AM +0100, Love Hörnquist Åstrand wrote:
>> Ok, thanks - that looks easier. What do you think of
>> the patch I just posted. It deletes the created
>> auth_context and any created ticket data and
>> just falls back to the old krb5_mk_req_extended()
>> call with a NULL auth_context. I think that should
>> also do the trick.
>
> It uses the incorrect krb5 checksum, for gss-api you have to use 0x8003 
> checksum.

Interesting. This is the code path we used to have in there,
for all the 3.0.x series, so it's no more broken than it was before. Remember the
new code path will only be used for forwardable tickets,
so I'm restoring the old brokenness in this case which
we've shipped for years (sad but true, I know).

> MIT refuses this packet, heimdal has a fix for samba brokenness. msft
> just accepts both types.

Ah. So we really should be calling ads_krb5_get_fwd_ticket in
every case (just calling krb5_fwd_tgt_creds() with the
"forwardable" flag as zero in the non-forwardable
case). However, I'm assuming that if we continue when
krb5_fwd_tgt_creds() fails the returned fwdData will
not have been created, and so I really should add
a "if (fwdData.length)" around the "memcpy(p, fwdData.data, fwdData.length)"
call and any other use of fwdData.data.

Correct ?

Jeremy.
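
Added illustration, not code from this thread or from Samba: the 0x8003 checksum mentioned above has the layout given in RFC 4121 section 4.1.1, with the delegation fields optional. The C below builds that body and applies the length guard discussed in the message; `struct blob`, `build_gss_checksum` and the sample bytes are hypothetical, and Bnd is left all-zero on the assumption that no channel bindings are used.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define GSS_C_DELEG_FLAG  1u   /* flag values from RFC 2744 */
#define GSS_C_MUTUAL_FLAG 2u

/* Hypothetical stand-in for krb5_data (length + pointer). */
struct blob { size_t length; const uint8_t *data; };

static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)(v & 0xffff)); put_le16(p + 2, (uint16_t)(v >> 16)); }

/* Build the 0x8003 checksum body: Lgth | Bnd | Flags [| DlgOpt | Dlgth | Deleg].
 * Returns a malloc'd buffer (caller frees) or NULL; *out_len gets its size. */
uint8_t *build_gss_checksum(uint32_t flags, const struct blob *fwd, size_t *out_len)
{
    /* Delegation fields are emitted only if forwarded creds really exist. */
    int deleg = fwd != NULL && fwd->data != NULL && fwd->length > 0;
    if (deleg && fwd->length > 0xffff) return NULL;   /* Dlgth is 16 bits */
    /* This example's choice: the flag always mirrors what is actually sent. */
    if (deleg) flags |= GSS_C_DELEG_FLAG;
    else       flags &= ~GSS_C_DELEG_FLAG;
    size_t len = 24 + (deleg ? 4 + fwd->length : 0);
    uint8_t *buf = calloc(1, len);
    if (buf == NULL) return NULL;
    put_le32(buf, 16);                     /* Lgth: size of Bnd */
    /* Bnd (bytes 4..19) stays zero: no channel bindings in this example */
    put_le32(buf + 20, flags);
    if (deleg) {
        put_le16(buf + 24, 1);             /* DlgOpt */
        put_le16(buf + 26, (uint16_t)fwd->length);
        memcpy(buf + 28, fwd->data, fwd->length);
    }
    *out_len = len;
    return buf;
}

int main(void)
{
    static const uint8_t cred[] = { 0x76, 0x03, 0x02, 0x01, 0x05 }; /* constructed bytes */
    struct blob empty = { 0, NULL }, fwd = { sizeof cred, cred };
    size_t n1 = 0, n2 = 0;
    uint8_t *a = build_gss_checksum(GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG, &empty, &n1);
    uint8_t *b = build_gss_checksum(GSS_C_MUTUAL_FLAG, &fwd, &n2);
    printf("no fwd data: %zu bytes, with fwd data: %zu bytes\n", n1, n2);
    free(a); free(b);
    return 0;
}
```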

