author | Stefan Metzmacher <metze@samba.org> | 2007-02-18 23:27:42 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:48:34 -0500 |
commit | 5cd79db03e143eaaa9b63a28d3f0824edb1295d2 (patch) | |
tree | d2523193897c8de4fa3fe53cb06eceba5d5b73d6 /source4/heimdal/kdc | |
parent | 760f438553d26488c529ef8c13aa7035b6f11dca (diff) | |
r21436: Choose the TGT session key enctype also by checking what enctypes
the krbtgt hdb entry provides.
We need to make sure other KDCs with the same hdb backend data
can accept the TGT. (w2k and w2k3 don't support aes256-cts-hmac-sha1-96 (18)
session keys.)
Love: I'm not sure if this is the correct way of doing it...
metze
(This used to be commit 5840f50d8954e95a7071a90a1c4dcce9ae05d77c)
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index bf727ee739..0cac0765ca 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -1292,19 +1292,35 @@ _kdc_as_rep(krb5_context context, { const krb5_enctype *p; - int i, j; + int i, j, y; p = krb5_kerberos_enctypes(context); sessionetype = ETYPE_NULL; for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) { + /* check it's valid */ if (krb5_enctype_valid(context, p[i]) != 0) continue; - for (j = 0; j < b->etype.len; j++) { + + /* check if the client supports it */ + for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) { if (p[i] == b->etype.val[j]) { - sessionetype = p[i]; - break; + /* + * if the server (krbtgt) has explicit etypes, + * check if it also supports it + */ + if (server->entry.etypes) { + for (y = 0; y < server->entry.etypes->len; y++) { + if (p[i] == server->entry.etypes->val[y]) { + sessionetype = p[i]; + break; + } + } + } else { + sessionetype = p[i]; + break; + } } } } |
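Review bot: In the `else` branch of the new `if (server->entry.etypes)` check, the session enctype is still picked from the client's list alone, so the cross-KDC compatibility the commit message asks for holds only when the hdb backend actually populates `etypes` on the krbtgt entry. Please state that requirement in the comment above the check, or derive the allowed set from the keys stored in the entry when `etypes` is NULL. Related: when `etypes` is set but shares nothing with the client's list, `sessionetype` now stays `ETYPE_NULL` after the loops for a client that would previously have received a key, so the code following this block should turn that into an explicit error rather than continuing with a null enctype. A smaller point: the `break` inside the `y` loop only leaves that inner loop, and the `j` loop stops solely because of the added `sessionetype == ETYPE_NULL` condition; a one-line comment there would keep a later cleanup from removing the condition as redundant.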