author | Andrew Bartlett <abartlet@samba.org> | 2011-09-05 12:17:11 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-09-05 11:19:25 +0200 |
commit | b5c7eb909f21efd8abe212202236388ad6e8e7f9 (patch) | |
tree | 2497f6a8e983bfc7e8d070a6aadc968271c122b6 | |
parent | 17fa96b64a2aa55a204209c031d6e5e514e17a7c (diff) | |
heimdal: Try to handle the PAC checking when we are in a cross-realm environment
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 6aad65d408..7955876822 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1508,6 +1508,7 @@ tgs_build_reply(krb5_context context,
 Key *tkey_check;
 Key *tkey_sign;
+ Key *tkey_krbtgt_check = NULL;
 int flags = HDB_F_FOR_TGS_REQ;
 memset(&sessionkey, 0, sizeof(sessionkey));
@@ -1781,6 +1782,13 @@ server_lookup:
 goto out;
 }
+ /* Check if we would know the krbtgt key for the PAC. We would
+ * only know this if the krbtgt principal was the same (ie, in our
+ * realm, regardless of KVNO) */
+ if (krb5_principal_compare(context, krbtgt_out->entry.principal, krbtgt->entry.principal)) {
+ tkey_krbtgt_check = tkey_check;
+ }
+
 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags, NULL, &clientdb, &client);
 if(ret == HDB_ERR_NOT_FOUND_HERE) {
@@ -1813,7 +1821,8 @@ server_lookup:
 ret = check_PAC(context, config, cp, NULL, client, server, krbtgt,
- &tkey_check->key, &tkey_check->key,
+ &tkey_check->key,
+ tkey_krbtgt_check ? &tkey_krbtgt_check->key : NULL,
 ekey, &tkey_sign->key, tgt, &rspac, &signedpath);
 if (ret) { |
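Review bot: When the principal comparison added in the second hunk fails, `tkey_krbtgt_check` stays NULL and the KDC-signature check on the PAC is skipped without any trace in the KDC log. Because this branch decides whether a PAC checksum is verified at all, an `else` arm that records the skip would let operators tell an expected cross-realm TGT from an unexpected mismatch on a local krbtgt, e.g. `kdc_log(context, config, 5, "krbtgt principal differs; PAC KDC checksum not verified");`. How `krbtgt_out` and `tkey_check` are selected lies outside the hunk, so whether `tkey_check` always belongs to `krbtgt` when the names match should be confirmed against the rest of tgs_build_reply.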
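Review bot: The check_PAC call in the third hunk can now pass NULL as the krbtgt check key, but nothing visible here shows that check_PAC and the PAC verification beneath it treat a NULL key as "skip the KDC checksum" rather than dereferencing it; check_PAC's definition is outside this diff. I would confirm that contract and state it at the call site, for instance `/* NULL: krbtgt key unknown (cross-realm), KDC checksum not verified; only the server checksum keyed with tkey_check covers the PAC */`. With the KDC checksum unchecked, the PAC's integrity presumably rests on the inter-realm key alone, so later code that treats `signedpath` or the PAC contents as locally vouched for deserves a second look.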