summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-09-11 16:13:33 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-09-11 18:46:13 +1000
commit3b4db34011f06fb785153fa9070fb1da9d8f5c78 (patch)
tree9e6049a7a3c6233ea94e4a1b417b331c70dedb86
parentee943fb2bfc1fe7bad924aea9096c246bef6d60b (diff)
downloadsamba-3b4db34011f06fb785153fa9070fb1da9d8f5c78.tar.gz
samba-3b4db34011f06fb785153fa9070fb1da9d8f5c78.tar.bz2
samba-3b4db34011f06fb785153fa9070fb1da9d8f5c78.zip
s3-krb5 Fix Kerberos on FreeBSD with Samba4 DCs
The idea of this patch is: Don't support a mix of different kerberos features. Either we should prepare a GSSAPI (8003) checksum and mark the request as such, or we should use the old behaviour (a normal kerberos checksum of 0 data). Sending the GSSAPI checksum data, but without marking it as GSSAPI broke Samba4, and seems well outside the expected behaviour, even if Windows accepts it. Andrew Bartlett
-rw-r--r--source3/libsmb/clikrb5.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 854d32476f..704bcb929e 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -840,7 +840,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
goto cleanup_creds;
}
-#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
+#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
/* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
as part of the kerberos exchange. */
@@ -902,7 +902,6 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
gss_flags |= GSS_C_DELEG_FLAG;
}
}
-#endif
/* Frees and reallocates in_data into a GSS checksum blob. */
retval = create_gss_checksum(&in_data, gss_flags);
@@ -910,7 +909,6 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
goto cleanup_data;
}
-#if defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
/* We always want GSS-checksum types. */
retval = krb5_auth_con_set_req_cksumtype(context, *auth_context, GSSAPI_CHECKSUM );
if (retval) {