diff options
author | Günther Deschner <gd@samba.org> | 2005-10-11 16:27:05 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:04:55 -0500 |
commit | 879eb0933efedd900aba336024ebfec75407d373 (patch) | |
tree | bb9f20d02e9c0e57c20e9c7236d7dafe9721102a /source3/libads | |
parent | 47e297bc8de7bed9de5fc7ce2456c1d414301eca (diff) | |
download | samba-879eb0933efedd900aba336024ebfec75407d373.tar.gz samba-879eb0933efedd900aba336024ebfec75407d373.tar.bz2 samba-879eb0933efedd900aba336024ebfec75407d373.zip |
r10907: Handle the case when we can't verify the PAC signature because the
ticket was encrypted using a DES key (and the Windows KDC still puts
CKSUMTYPE_HMAC_MD5_ARCFOUR in the PAC).
In that case, return to old behaviour and ignore the PAC.
Thanks to Chengjie Liu <chengjie.liu@datadomain.com>.
Guenther
(This used to be commit 48d8a9dd9f573d0d913a26a62e4ad3d224731343)
Diffstat (limited to 'source3/libads')
-rw-r--r-- | source3/libads/kerberos_verify.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 6a5c6b6a49..f21577d080 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -272,6 +272,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, DATA_BLOB *session_key) { NTSTATUS sret = NT_STATUS_LOGON_FAILURE; + NTSTATUS pac_ret; DATA_BLOB auth_data; krb5_context context = NULL; krb5_auth_context auth_context = NULL; @@ -400,7 +401,8 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, #endif /* continue when no PAC is retrieved - (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set) */ + (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set, + or Kerberos tickets encryped using a DES key) - Guenther */ got_auth_data = get_auth_data_from_tkt(mem_ctx, &auth_data, tkt); if (!got_auth_data) { @@ -409,10 +411,10 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, if (got_auth_data && pac_data != NULL) { - sret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data); - if (!NT_STATUS_IS_OK(sret)) { - DEBUG(0,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(sret))); - goto out; + pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data); + if (!NT_STATUS_IS_OK(pac_ret)) { + DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret))); + *pac_data = NULL; } data_blob_free(&auth_data); } |