authorAndrew Bartlett <abartlet@samba.org>2005-11-02 04:11:36 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:40 -0500
commit3b213ca9a3e44266647ac4ceb88d3acd2fb4a295 (patch)
tree7643c449060a495d76f4297118c517714d114130
parentcc0f3779b1de565ed33504d123e41656d6d2aab2 (diff)
r11469: Fix typo, and use the correct (RFC4120) session key for delegating
credentials. This means we now delegate to windows correctly. Andrew Bartlett (This used to be commit d6928a3bf86f1ab89f29eac538ceb701c6669913)
-rw-r--r--source4/heimdal/lib/krb5/get_for_creds.c22
-rw-r--r--source4/heimdal/lib/krb5/rd_cred.c2
2 files changed, 13 insertions, 11 deletions
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index ea0bc4ad9e..adb6000cd6 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -378,16 +378,18 @@ krb5_get_forwarded_creds (krb5_context context,
cred.enc_part.cipher.data = buf;
cred.enc_part.cipher.length = buf_size;
} else {
- krb5_keyblock *key;
-
- if (auth_context->local_subkey)
- key = auth_context->local_subkey;
- else if (auth_context->remote_subkey)
- key = auth_context->remote_subkey;
- else
- key = auth_context->keyblock;
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
+ /*
+ * RFC4120 claims we should use the session key, but Heimdal
+ * before 0.8 used the remote subkey if it was send in the
+ * auth_context.
+ *
+ * Lorikeet-Heimdal is interested in windows compatiblity
+ * more than Heimdal compatability, so we must choose the
+ * session key, and break forwarding credentials to older
+ * Heimdal servers.
+ */
+
+ ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret) {
free(buf);
free_KRB_CRED(&cred);
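Review bot: The `krb5_crypto_init(context, auth_context->keyblock, 0, &crypto)` call now takes the session key unconditionally, and nothing visible in this hunk establishes that `auth_context->keyblock` is non-NULL on this branch; the removed code only reached it when neither subkey was set. If the condition guarding this `else` (outside the hunk) does not already guarantee it, add `if (auth_context->keyblock == NULL)` ahead of the call and fail through the same `free(buf); free_KRB_CRED(&cred);` cleanup, so a null key is never handed to the crypto layer while the KRB-CRED is being built. The new comment would also be clearer if it said that only the sending side changed: going by the comment in rd_cred.c, the receiver still tries both the subkey and the session key, so the break presumably affects only peers that accept the subkey alone. Spelling in the comment: `sent` for "send", and `compatibility` in both places. The body of krb5_get_forwarded_creds starts and ends outside this hunk.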
diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c
index ddd5866aeb..07f142267c 100644
--- a/source4/heimdal/lib/krb5/rd_cred.c
+++ b/source4/heimdal/lib/krb5/rd_cred.c
@@ -101,7 +101,7 @@ krb5_rd_cred(krb5_context context,
} else {
/* Try both subkey and session key.
*
- * RFC2140 claims we should use the session key, but Heimdal
+ * RFC4120 claims we should use the session key, but Heimdal
* before 0.8 used the remote subkey if it was send in the
* auth_context.
*/