author | Günther Deschner <gd@samba.org> | 2006-05-09 19:02:26 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:16:55 -0500 |
commit | f7776975080c88bec9013ccac8185c582e818e54 (patch) | |
tree | 98ef6a0ddca8465ba1608bd8a713b7422505a171 | |
parent | 767ac75e6b5a999c8a57560ad888eb88589493a2 (diff) | |
r15523: Honour the time_offset also when verifying kerberos tickets. This
prevents a nasty failure condition in winbindd's pam_auth where a tgt
and a service ticket could have been successfully retrieved, but just not
validated.
Guenther
(This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
-rw-r--r-- | source3/libads/kerberos_verify.c | 7 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 1 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 2 | ||||
-rw-r--r-- | source3/utils/ntlm_auth.c | 2 |
4 files changed, 9 insertions, 3 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index fa957aa9c0..525a9cfa27 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -286,7 +286,8 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
 ***********************************************************************************/
 NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
- const char *realm, const DATA_BLOB *ticket,
+ const char *realm, time_t time_offset,
+ const DATA_BLOB *ticket,
 char **principal, PAC_DATA **pac_data, DATA_BLOB *ap_rep, DATA_BLOB *session_key)
@@ -323,6 +324,10 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 return NT_STATUS_LOGON_FAILURE;
 }
+ if (time_offset != 0) {
+ krb5_set_real_time(context, time(NULL) + time_offset, 0);
+ }
+
 ret = krb5_set_default_realm(context, realm);
 if (ret) {
 DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index ad2127452c..243d2a7838 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -540,6 +540,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 result = ads_verify_ticket(state->mem_ctx, lp_realm(),
+ time_offset,
 &tkt, &client_princ_out, &pac_data,
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index b086090bd9..8fe01a19b3 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -194,7 +194,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
 return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
 }
- ret = ads_verify_ticket(mem_ctx, lp_realm(), &ticket, &client, &pac_data, &ap_rep, &session_key);
+ ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket, &client, &pac_data, &ap_rep, &session_key);
 data_blob_free(&ticket);
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 2e879cc113..ef24f9f161 100644
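Review bot: The new `time_offset` parameter of ads_verify_ticket() is undocumented; the header comment above the signature, of which only the closing line is inside this hunk, is where its contract belongs. I would add a sentence there saying that time_offset is a number of seconds added to the local clock before the ticket is checked and that 0 means no adjustment. It should also say that the value moves the window in which ticket lifetimes are accepted, so it must come from a trusted source and never from unauthenticated input.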
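Review bot: The return value of `krb5_set_real_time()` in the added block is discarded, so if the call fails the ticket is verified against the unadjusted clock and the skew failure this commit targets returns with nothing in the log. Capture it the way the neighbouring call does: `ret = krb5_set_real_time(context, time(NULL) + time_offset, 0);` followed by `if (ret) DEBUG(1,("ads_verify_ticket: krb5_set_real_time failed (%s)\n", error_message(ret)));`. `ret` appears to be in scope because the next statement assigns it, but its declaration and the rest of the function body are outside the hunk.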
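Review bot: `time_offset` reaches the verifier at this call with no visible bound and no logging. Because it moves the clock against which ticket start and end times are checked, a wrong or manipulated value would let a ticket outside its real lifetime validate. Its assignment is outside the hunk, so confirm that it is the same value used when the ticket was obtained and that it comes from an authenticated exchange. A line such as `DEBUG(5,("winbindd_raw_kerberos_login: verifying ticket with time_offset %d\n", (int)time_offset));` before the call would leave an audit trail when a non-zero offset is in effect.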
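Review bot: The bare `0` passed for time_offset reads as a magic value at this call and at the matching one in source3/utils/ntlm_auth.c. It means tickets presented to smbd and ntlm_auth are still checked against the unadjusted local clock, which looks deliberate but is not stated anywhere. A short comment such as `/* time_offset 0: verify against the local clock, no adjustment */` above each call would make that explicit, so a later change does not wire in an offset from an untrusted source without review. Both enclosing functions start and end outside their hunks.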
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -916,7 +916,7 @@ static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode,
 response.negTokenTarg.mechListMIC = data_blob(NULL, 0);
 response.negTokenTarg.responseToken = data_blob(NULL, 0);
- status = ads_verify_ticket(mem_ctx, lp_realm(),
+ status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
 &request.negTokenInit.mechToken, &principal, NULL, &ap_rep, &session_key); |