author | Andrew Tridgell <tridge@samba.org> | 2005-08-26 11:52:35 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:34:37 -0500 |
commit | b8f4e0796d068fab6844dd94dc28d3e9825e0f55 (patch) | |
tree | 0d6f0aad07b47c42017a1dc0486a186c61167882 /source4/auth | |
parent | 4e24e930583de3e968da06fea9f06eaabec4ac7e (diff) | |
r9648: this fixes the krb5 based login with the pac. The key to this whole saga was
that the logon_time field in the pac must match the authtime field in the ticket we
gave the client in the AS-REP (and thus also the authtime field in the ticket we get
back in the TGS-REQ).
Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
(This used to be commit 7bee374b3ffcdb0424a83f909fe5ad504ea3882e)
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/kerberos/kerberos.h | 1 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 8 |
2 files changed, 8 insertions, 1 deletions
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 0f1b0779b2..33be657ce8 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -143,6 +143,7 @@ krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
 krb5_context context,
 krb5_keyblock *krbtgt_keyblock,
 krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
 DATA_BLOB *pac);
 krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 006b54590f..9617e4fd01 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -385,6 +385,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 krb5_context context,
 krb5_keyblock *krbtgt_keyblock,
 krb5_keyblock *service_keyblock,
+ time_t tgs_authtime,
 DATA_BLOB *pac)
 {
 NTSTATUS nt_status;
@@ -478,7 +479,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 LOGON_INFO->info3.base.last_logon = timeval_to_nttime(&tv);
 LOGON_NAME->account_name = server_info->account_name;
- LOGON_NAME->logon_time = timeval_to_nttime(&tv);
+
+ /*
+ this logon_time field is absolutely critical. This is what
+ caused all our pac troubles :-)
+ */
+ unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);
 ret = kerberos_encode_pac(mem_ctx,
 pac_data, |
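Review bot: The new `time_t tgs_authtime` parameter on the `kerberos_create_pac` prototype is undocumented, so nothing at the declaration tells a caller which timestamp it must be. Per the commit message it has to be the authtime of the ticket issued in the AS-REP. A caller that passes the current time would still compile and would presumably reproduce the login failure this commit fixes. I would add above the prototype `/* tgs_authtime: authtime of the client's ticket; copied into the PAC logon_time, which must match it */`. The same applies to the parameter added to the definition in kerberos_pac.c (second hunk); the prototype begins above this hunk and the callers are outside the shown diffstat.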
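Review bot: The comment added above `unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);` says the field is critical but not what it must equal, so the invariant is recorded only in the commit message. I would reword it as `/* logon_time must equal the authtime of the ticket that carries this PAC (the AS-REP authtime); a mismatch breaks PAC-based krb5 logins */`. `tgs_authtime` is also used unchecked, so an unset value from a caller would still be encoded and signed into the PAC; a guard or debug message before the encode call would surface that early. It is not visible here whether the decode path compares logon_time against the ticket's authtime, and that comparison is what binds a PAC to its ticket. The `@@` header names make_pac_checksum only as git's nearest-function context; the enclosing function starts and ends outside the hunk.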