authorGünther Deschner <gd@samba.org>2006-05-09 19:02:26 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:16:55 -0500
commitf7776975080c88bec9013ccac8185c582e818e54 (patch)
tree98ef6a0ddca8465ba1608bd8a713b7422505a171
parent767ac75e6b5a999c8a57560ad888eb88589493a2 (diff)
r15523: Honour the time_offset also when verifying kerberos tickets. This
prevents a nasty failure condition in winbindd's pam_auth where a tgt and a service ticket could have been successfully retrieved, but just not validated. Guenther (This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
-rw-r--r--source3/libads/kerberos_verify.c7
-rw-r--r--source3/nsswitch/winbindd_pam.c1
-rw-r--r--source3/smbd/sesssetup.c2
-rw-r--r--source3/utils/ntlm_auth.c2
4 files changed, 9 insertions, 3 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index fa957aa9c0..525a9cfa27 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -286,7 +286,8 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
***********************************************************************************/
NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
- const char *realm, const DATA_BLOB *ticket,
+ const char *realm, time_t time_offset,
+ const DATA_BLOB *ticket,
char **principal, PAC_DATA **pac_data,
DATA_BLOB *ap_rep,
DATA_BLOB *session_key)
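Review bot: The new `time_offset` parameter is not described in the function's header comment, whose closing `****/` line is the first line of this hunk, so callers have no guidance on what to pass. A one-line addition to that comment, such as `time_offset: seconds added to the local clock (via krb5_set_real_time) before the ticket is validated; 0 leaves the clock untouched`, would make the contract explicit and explain why two of the callers in this commit pass a literal 0. The body of ads_verify_ticket continues past the end of this hunk.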
@@ -323,6 +324,10 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
return NT_STATUS_LOGON_FAILURE;
}
+ if (time_offset != 0) {
+ krb5_set_real_time(context, time(NULL) + time_offset, 0);
+ }
+
ret = krb5_set_default_realm(context, realm);
if (ret) {
DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
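Review bot: The return value of `krb5_set_real_time` on the added line is discarded, while the `krb5_set_default_realm` call directly below it stores its result in `ret` and logs on failure. If setting the offset fails, validation proceeds with the unadjusted clock and nothing in the log would explain the resulting skew-related failure, which appears to be the very condition the commit is meant to prevent. Suggest `ret = krb5_set_real_time(context, time(NULL) + time_offset, 0);` followed by `if (ret) { DEBUG(1,("ads_verify_ticket: krb5_set_real_time failed (%s)\n", error_message(ret))); }` and whichever error path the default_realm failure takes below this hunk. ads_verify_ticket's body continues outside the hunk.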
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index ad2127452c..243d2a7838 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -540,6 +540,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
result = ads_verify_ticket(state->mem_ctx,
lp_realm(),
+ time_offset,
&tkt,
&client_princ_out,
&pac_data,
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index b086090bd9..8fe01a19b3 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -194,7 +194,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
- ret = ads_verify_ticket(mem_ctx, lp_realm(), &ticket, &client, &pac_data, &ap_rep, &session_key);
+ ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket, &client, &pac_data, &ap_rep, &session_key);
data_blob_free(&ticket);
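Review bot: The literal `0` inserted into the ads_verify_ticket call is opaque at this call site; a reader has to open kerberos_verify.c to learn it is a time_offset of zero seconds, meaning the ticket is validated against the unadjusted local clock. A short trailing comment such as `0, /* time_offset: none, validate with local clock */` would record the intent, and the same applies to the matching call in ntlm_auth.c in this commit. The enclosing reply_spnego_kerberos body starts and ends outside the hunk.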
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 2e879cc113..ef24f9f161 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -916,7 +916,7 @@ static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode,
response.negTokenTarg.mechListMIC = data_blob(NULL, 0);
response.negTokenTarg.responseToken = data_blob(NULL, 0);
- status = ads_verify_ticket(mem_ctx, lp_realm(),
+ status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
&request.negTokenInit.mechToken,
&principal, NULL, &ap_rep,
&session_key);