Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into pac-verify

(This used to be commit 32143287c7eb452c6ed9ccd15e8cd4e5a907b437)
author: Andrew Bartlett <abartlet@samba.org> 2008-08-27 11:01:55 +1000
committer: Andrew Bartlett <abartlet@samba.org> 2008-08-27 11:01:55 +1000
commit: 8b94f7bcd70b1196487b433e355127a4f84bf5a5 (patch)
tree: 940c1838cd0fa4033fef7945e97b530341f99ecf /source4/heimdal/kdc
parent: ca20c56b260e2799c40b0c7c0e3ef5f7308b586e (diff)
parent: 9430420ba246c26489ad51e8b52e13d891436bb3 (diff)
download: samba-8b94f7bcd70b1196487b433e355127a4f84bf5a5.tar.gz
samba-8b94f7bcd70b1196487b433e355127a4f84bf5a5.tar.bz2
samba-8b94f7bcd70b1196487b433e355127a4f84bf5a5.zip
20 files changed, 66 insertions, 421 deletions
diff --git a/source4/heimdal/kdc/524.c b/source4/heimdal/kdc/524.c
index 3e4ad29253..a46c9175b0 100644
--- a/source4/heimdal/kdc/524.c
+++ b/source4/heimdal/kdc/524.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: 524.c 18270 2006-10-06 17:06:30Z lha $");
+RCSID("$Id$");
 
 #include <krb5-v4compat.h>
 
diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
index 33a2c297fa..87952ca6eb 100644
--- a/source4/heimdal/kdc/default_config.c
+++ b/source4/heimdal/kdc/default_config.c
@@ -36,7 +36,7 @@
 #include <getarg.h>
 #include <parse_bytes.h>
 
-RCSID("$Id: default_config.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
 
 krb5_error_code
 krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
diff --git a/source4/heimdal/kdc/digest.c b/source4/heimdal/kdc/digest.c
index bf1e45b328..401ca1db11 100644
--- a/source4/heimdal/kdc/digest.c
+++ b/source4/heimdal/kdc/digest.c
@@ -34,7 +34,7 @@
 #include "kdc_locl.h"
 #include <hex.h>
 
-RCSID("$Id: digest.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
 
 #define MS_CHAP_V2	0x20
 #define CHAP_MD5	0x10
diff --git a/source4/heimdal/kdc/headers.h b/source4/heimdal/kdc/headers.h
index 64f6b6e438..c2bd4c5b4f 100644
--- a/source4/heimdal/kdc/headers.h
+++ b/source4/heimdal/kdc/headers.h
@@ -32,7 +32,7 @@
  */
 
 /* 
- * $Id: headers.h 19658 2007-01-04 00:15:34Z lha $ 
+ * $Id$ 
  */
 
 #ifndef __HEADERS_H__
diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c
index 4f257d717e..8f3c3e02ea 100644
--- a/source4/heimdal/kdc/kaserver.c
+++ b/source4/heimdal/kdc/kaserver.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kaserver.c 23110 2008-04-27 18:51:17Z lha $");
+RCSID("$Id$");
 
 #include <krb5-v4compat.h>
 #include <rx.h>
diff --git a/source4/heimdal/kdc/kdc-private.h b/source4/heimdal/kdc/kdc-private.h
deleted file mode 100644
index 4052e9b509..0000000000
--- a/source4/heimdal/kdc/kdc-private.h
+++ /dev/null
@@ -1,287 +0,0 @@
-/* This is a generated file */
-#ifndef __kdc_private_h__
-#define __kdc_private_h__
-
-#include <stdarg.h>
-
-krb5_error_code
-_kdc_add_KRB5SignedPath (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	hdb_entry_ex */*krbtgt*/,
-	krb5_enctype /*enctype*/,
-	krb5_const_principal /*server*/,
-	KRB5SignedPathPrincipals */*principals*/,
-	EncTicketPart */*tkt*/);
-
-krb5_error_code
-_kdc_add_inital_verified_cas (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	pk_client_params */*params*/,
-	EncTicketPart */*tkt*/);
-
-krb5_error_code
-_kdc_as_rep (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	KDC_REQ */*req*/,
-	const krb5_data */*req_buffer*/,
-	krb5_data */*reply*/,
-	const char */*from*/,
-	struct sockaddr */*from_addr*/,
-	int /*datagram_reply*/);
-
-krb5_boolean
-_kdc_check_addresses (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	HostAddresses */*addresses*/,
-	const struct sockaddr */*from*/);
-
-krb5_error_code
-_kdc_check_flags (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	hdb_entry_ex */*client_ex*/,
-	const char */*client_name*/,
-	hdb_entry_ex */*server_ex*/,
-	const char */*server_name*/,
-	krb5_boolean /*is_as_req*/);
-
-krb5_error_code
-_kdc_db_fetch (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	krb5_const_principal /*principal*/,
-	unsigned /*flags*/,
-	HDB **/*db*/,
-	hdb_entry_ex **/*h*/);
-
-krb5_error_code
-_kdc_db_fetch4 (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	const char */*name*/,
-	const char */*instance*/,
-	const char */*realm*/,
-	unsigned /*flags*/,
-	hdb_entry_ex **/*ent*/);
-
-krb5_error_code
-_kdc_do_524 (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	const Ticket */*t*/,
-	krb5_data */*reply*/,
-	const char */*from*/,
-	struct sockaddr */*addr*/);
-
-krb5_error_code
-_kdc_do_digest (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	const DigestREQ */*req*/,
-	krb5_data */*reply*/,
-	const char */*from*/,
-	struct sockaddr */*addr*/);
-
-krb5_error_code
-_kdc_do_kaserver (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	unsigned char */*buf*/,
-	size_t /*len*/,
-	krb5_data */*reply*/,
-	const char */*from*/,
-	struct sockaddr_in */*addr*/);
-
-krb5_error_code
-_kdc_do_kx509 (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	const Kx509Request */*req*/,
-	krb5_data */*reply*/,
-	const char */*from*/,
-	struct sockaddr */*addr*/);
-
-krb5_error_code
-_kdc_do_version4 (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	unsigned char */*buf*/,
-	size_t /*len*/,
-	krb5_data */*reply*/,
-	const char */*from*/,
-	struct sockaddr_in */*addr*/);
-
-krb5_error_code
-_kdc_encode_reply (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	KDC_REP */*rep*/,
-	const EncTicketPart */*et*/,
-	EncKDCRepPart */*ek*/,
-	krb5_enctype /*etype*/,
-	int /*skvno*/,
-	const EncryptionKey */*skey*/,
-	int /*ckvno*/,
-	const EncryptionKey */*ckey*/,
-	const char **/*e_text*/,
-	krb5_data */*reply*/);
-
-krb5_error_code
-_kdc_encode_v4_ticket (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	void */*buf*/,
-	size_t /*len*/,
-	const EncTicketPart */*et*/,
-	const PrincipalName */*service*/,
-	size_t */*size*/);
-
-krb5_error_code
-_kdc_find_etype (
-	krb5_context /*context*/,
-	const hdb_entry_ex */*princ*/,
-	krb5_enctype */*etypes*/,
-	unsigned /*len*/,
-	Key **/*ret_key*/,
-	krb5_enctype */*ret_etype*/);
-
-const PA_DATA*
-_kdc_find_padata (
-	const KDC_REQ */*req*/,
-	int */*start*/,
-	int /*type*/);
-
-void
-_kdc_fix_time (time_t **/*t*/);
-
-void
-_kdc_free_ent (
-	krb5_context /*context*/,
-	hdb_entry_ex */*ent*/);
-
-krb5_error_code
-_kdc_get_des_key (
-	krb5_context /*context*/,
-	hdb_entry_ex */*principal*/,
-	krb5_boolean /*is_server*/,
-	krb5_boolean /*prefer_afs_key*/,
-	Key **/*ret_key*/);
-
-krb5_error_code
-_kdc_get_preferred_key (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	hdb_entry_ex */*h*/,
-	const char */*name*/,
-	krb5_enctype */*enctype*/,
-	Key **/*key*/);
-
-void
-_kdc_log_timestamp (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	const char */*type*/,
-	KerberosTime /*authtime*/,
-	KerberosTime */*starttime*/,
-	KerberosTime /*endtime*/,
-	KerberosTime */*renew_till*/);
-
-krb5_error_code
-_kdc_make_anonymous_principalname (PrincipalName */*pn*/);
-
-int
-_kdc_maybe_version4 (
-	unsigned char */*buf*/,
-	int /*len*/);
-
-krb5_error_code
-_kdc_pac_generate (
-	krb5_context /*context*/,
-	hdb_entry_ex */*client*/,
-	krb5_pac */*pac*/);
-
-krb5_error_code
-_kdc_pac_verify (
-	krb5_context /*context*/,
-	const krb5_principal /*client_principal*/,
-	hdb_entry_ex */*client*/,
-	hdb_entry_ex */*server*/,
-	krb5_pac */*pac*/);
-
-krb5_error_code
-_kdc_pk_check_client (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	const hdb_entry_ex */*client*/,
-	pk_client_params */*client_params*/,
-	char **/*subject_name*/);
-
-void
-_kdc_pk_free_client_param (
-	krb5_context /*context*/,
-	pk_client_params */*client_params*/);
-
-krb5_error_code
-_kdc_pk_initialize (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	const char */*user_id*/,
-	const char */*anchors*/,
-	char **/*pool*/,
-	char **/*revoke_list*/);
-
-krb5_error_code
-_kdc_pk_mk_pa_reply (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	pk_client_params */*client_params*/,
-	const hdb_entry_ex */*client*/,
-	const KDC_REQ */*req*/,
-	const krb5_data */*req_buffer*/,
-	krb5_keyblock **/*reply_key*/,
-	METHOD_DATA */*md*/);
-
-krb5_error_code
-_kdc_pk_rd_padata (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	const KDC_REQ */*req*/,
-	const PA_DATA */*pa*/,
-	pk_client_params **/*ret_params*/);
-
-krb5_error_code
-_kdc_tgs_rep (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	KDC_REQ */*req*/,
-	krb5_data */*data*/,
-	const char */*from*/,
-	struct sockaddr */*from_addr*/,
-	int /*datagram_reply*/);
-
-krb5_error_code
-_kdc_tkt_add_if_relevant_ad (
-	krb5_context /*context*/,
-	EncTicketPart */*tkt*/,
-	int /*type*/,
-	const krb5_data */*data*/);
-
-krb5_error_code
-_kdc_try_kx509_request (
-	void */*ptr*/,
-	size_t /*len*/,
-	Kx509Request */*req*/,
-	size_t */*size*/);
-
-krb5_error_code
-_kdc_windc_client_access (
-	krb5_context /*context*/,
-	struct hdb_entry_ex */*client*/,
-	KDC_REQ */*req*/,
-	krb5_data */*e_data*/);
-
-#endif /* __kdc_private_h__ */
diff --git a/source4/heimdal/kdc/kdc-protos.h b/source4/heimdal/kdc/kdc-protos.h
deleted file mode 100644
index 15e8c29f4c..0000000000
--- a/source4/heimdal/kdc/kdc-protos.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/* This is a generated file */
-#ifndef __kdc_protos_h__
-#define __kdc_protos_h__
-
-#include <stdarg.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-void
-kdc_log (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	int /*level*/,
-	const char */*fmt*/,
-	...);
-
-char*
-kdc_log_msg (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	int /*level*/,
-	const char */*fmt*/,
-	...);
-
-char*
-kdc_log_msg_va (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	int /*level*/,
-	const char */*fmt*/,
-	va_list /*ap*/);
-
-void
-kdc_openlog (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/);
-
-krb5_error_code
-krb5_kdc_get_config (
-	krb5_context /*context*/,
-	krb5_kdc_configuration **/*config*/);
-
-int
-krb5_kdc_process_krb5_request (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	unsigned char */*buf*/,
-	size_t /*len*/,
-	krb5_data */*reply*/,
-	const char */*from*/,
-	struct sockaddr */*addr*/,
-	int /*datagram_reply*/);
-
-int
-krb5_kdc_process_request (
-	krb5_context /*context*/,
-	krb5_kdc_configuration */*config*/,
-	unsigned char */*buf*/,
-	size_t /*len*/,
-	krb5_data */*reply*/,
-	krb5_boolean */*prependlength*/,
-	const char */*from*/,
-	struct sockaddr */*addr*/,
-	int /*datagram_reply*/);
-
-int
-krb5_kdc_save_request (
-	krb5_context /*context*/,
-	const char */*fn*/,
-	const unsigned char */*buf*/,
-	size_t /*len*/,
-	const krb5_data */*reply*/,
-	const struct sockaddr */*sa*/);
-
-krb5_error_code
-krb5_kdc_set_dbinfo (
-	krb5_context /*context*/,
-	struct krb5_kdc_configuration */*c*/);
-
-void
-krb5_kdc_update_time (struct timeval */*tv*/);
-
-krb5_error_code
-krb5_kdc_windc_init (krb5_context /*context*/);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __kdc_protos_h__ */
diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h
index 6c129f38f5..f0edae721f 100644
--- a/source4/heimdal/kdc/kdc.h
+++ b/source4/heimdal/kdc/kdc.h
@@ -35,7 +35,7 @@
  */
 
 /* 
- * $Id: kdc.h 21287 2007-06-25 14:09:03Z lha $ 
+ * $Id$ 
  */
 
 #ifndef __KDC_H__
diff --git a/source4/heimdal/kdc/kdc_locl.h b/source4/heimdal/kdc/kdc_locl.h
index fe0523665a..6ce4a9f40f 100644
--- a/source4/heimdal/kdc/kdc_locl.h
+++ b/source4/heimdal/kdc/kdc_locl.h
@@ -32,7 +32,7 @@
  */
 
 /* 
- * $Id: kdc_locl.h 22247 2007-12-08 23:49:41Z lha $ 
+ * $Id$ 
  */
 
 #ifndef __KDC_LOCL_H__
diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c
index cbba64945b..3e9a70057e 100644
--- a/source4/heimdal/kdc/kerberos4.c
+++ b/source4/heimdal/kdc/kerberos4.c
@@ -35,7 +35,7 @@
 
 #include <krb5-v4compat.h>
 
-RCSID("$Id: kerberos4.c 21577 2007-07-16 08:14:06Z lha $");
+RCSID("$Id$");
 
 #ifndef swap32
 static uint32_t
@@ -134,7 +134,7 @@ _kdc_do_version4(krb5_context context,
 		 struct sockaddr_in *addr)
 {
     krb5_storage *sp;
-    krb5_error_code ret;
+    krb5_error_code ret = EINVAL;
     hdb_entry_ex *client = NULL, *server = NULL;
     Key *ckey, *skey;
     int8_t pvno;
@@ -162,6 +162,7 @@ _kdc_do_version4(krb5_context context,
 	kdc_log(context, config, 0,
 		"Protocol version mismatch (krb4) (%d)", pvno);
 	make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch");
+	ret = KRB4ET_KDC_PKT_VER;
 	goto out;
     }
     RCHECK(krb5_ret_int8(sp, &msg_type), out);
@@ -258,20 +259,6 @@ _kdc_do_version4(krb5_context context,
 	    goto out1;
 	}
 
-#if 0
-	/* this is not necessary with the new code in libkrb */
-	/* find a properly salted key */
-	while(ckey->salt == NULL || ckey->salt->salt.length != 0)
-	    ret = hdb_next_keytype2key(context, &client->entry, KEYTYPE_DES, &ckey);
-	if(ret){
-	    kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s", 
-		    name, inst, realm);
-	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
-			   "No version-4 salted key in database");
-	    goto out1;
-	}
-#endif
-	
 	ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
 	if(ret){
 	    kdc_log(context, config, 0, "no suitable DES key for server");
@@ -624,12 +611,14 @@ _kdc_do_version4(krb5_context context,
 	break;
     }
     case AUTH_MSG_ERR_REPLY:
+	ret = EINVAL;
 	break;
     default:
 	kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s", 
 		msg_type, from);
 	
 	make_err_reply(context, reply, KFAILURE, "Unknown message type");
+	ret = EINVAL;
     }
  out:
     if(name)
@@ -647,7 +636,7 @@ _kdc_do_version4(krb5_context context,
     if(server)
 	_kdc_free_ent(context, server);
     krb5_storage_free(sp);
-    return 0;
+    return ret;
 }
 
 krb5_error_code
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 2a2c48c233..7930ef42e4 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kerberos5.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
 
 #define MAX_TIME ((time_t)((1U << 31) - 1))
 
@@ -85,6 +85,24 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type)
 }
 
 /*
+ * This is a hack to allow predefined weak services, like afs to
+ * still use weak types
+ */
+
+krb5_boolean
+_kdc_is_weak_expection(krb5_principal principal, krb5_enctype etype)
+{
+    if (principal->name.name_string.len > 0 &&
+	strcmp(principal->name.name_string.val[0], "afs") == 0 &&
+	(etype == ETYPE_DES_CBC_CRC
+	 || etype == ETYPE_DES_CBC_MD4
+	 || etype == ETYPE_DES_CBC_MD5))
+	return TRUE;
+    return FALSE;
+}
+
+
+/*
  * Detect if `key' is the using the the precomputed `default_salt'.
  */
 
@@ -120,7 +138,8 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
     for(i = 0; ret != 0 && i < len ; i++) {
 	Key *key = NULL;
 
-	if (krb5_enctype_valid(context, etypes[i]) != 0)
+	if (krb5_enctype_valid(context, etypes[i]) != 0 &&
+	    !_kdc_is_weak_expection(princ->entry.principal, etypes[i]))
 	    continue;
 
 	while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 071a30d5a7..19dff5e01d 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: krb5tgs.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
 
 /*
  * return the realm of a krbtgt-ticket or NULL
@@ -662,6 +662,7 @@ tgs_make_reply(krb5_context context,
 	       krb5_kvno kvno,
 	       AuthorizationData *auth_data,
 	       hdb_entry_ex *server,
+	       krb5_principal server_principal,
 	       const char *server_name,
 	       hdb_entry_ex *client,
 	       krb5_principal client_principal,
@@ -678,6 +679,7 @@ tgs_make_reply(krb5_context context,
     EncTicketPart et;
     KDCOptions f = b->kdc_options;
     krb5_error_code ret;
+    int is_weak = 0;
 
     memset(&rep, 0, sizeof(rep));
     memset(&et, 0, sizeof(et));
@@ -729,9 +731,9 @@ tgs_make_reply(krb5_context context,
     if(ret)
 	goto out;
 
-    copy_Realm(krb5_princ_realm(context, server->entry.principal),
+    copy_Realm(krb5_princ_realm(context, server_principal),
 	       &rep.ticket.realm);
-    _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal);
+    _krb5_principal2principalname(&rep.ticket.sname, server_principal);
     copy_Realm(&tgt_name->realm, &rep.crealm);
 /*
     if (f.request_anonymous)
@@ -885,6 +887,14 @@ tgs_make_reply(krb5_context context,
 	    goto out;
     }
 
+    if (krb5_enctype_valid(context, et.key.keytype) != 0
+	&& _kdc_is_weak_expection(server->entry.principal, et.key.keytype)) 
+    {
+	krb5_enctype_enable(context, et.key.keytype);
+	is_weak = 1;
+    }
+
+
     /* It is somewhat unclear where the etype in the following
        encryption should come from. What we have is a session
        key in the passed tgt, and a list of preferred etypes
@@ -899,6 +909,9 @@ tgs_make_reply(krb5_context context,
 			    &rep, &et, &ek, et.key.keytype,
 			    kvno,
 			    serverkey, 0, &tgt->key, e_text, reply);
+    if (is_weak)
+	krb5_enctype_disable(context, et.key.keytype);
+
 out:
     free_TGS_REP(&rep);
     free_TransitedEncoding(&et.transited);
@@ -1462,7 +1475,8 @@ tgs_build_reply(krb5_context context,
      */
 
 server_lookup:
-    ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, NULL, &server);
+    ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
+			NULL, &server);
 
     if(ret){
 	const char *new_rlm;
@@ -1521,7 +1535,8 @@ server_lookup:
 	goto out;
     }
 
-    ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client);
+    ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
+			NULL, &client);
     if(ret) {
 	const char *krbtgt_realm;
 
@@ -1927,6 +1942,7 @@ server_lookup:
 			 kvno,
 			 *auth_data,
 			 server,
+			 sp,
 			 spn,
 			 client,
 			 cp,
diff --git a/source4/heimdal/kdc/kx509.c b/source4/heimdal/kdc/kx509.c
index 8f117cebc0..33991d1907 100644
--- a/source4/heimdal/kdc/kx509.c
+++ b/source4/heimdal/kdc/kx509.c
@@ -36,7 +36,7 @@
 #include <rfc2459_asn1.h>
 #include <hx509.h>
 
-RCSID("$Id: kx509.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
 
 /*
  *
diff --git a/source4/heimdal/kdc/log.c b/source4/heimdal/kdc/log.c
index 8cf967fbfb..98b25b92db 100644
--- a/source4/heimdal/kdc/log.c
+++ b/source4/heimdal/kdc/log.c
@@ -32,7 +32,7 @@
  */
 
 #include "kdc_locl.h"
-RCSID("$Id: log.c 22254 2007-12-09 06:01:05Z lha $");
+RCSID("$Id$");
 
 void
 kdc_openlog(krb5_context context, 
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index 528b9e6a3b..0c64dd568e 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: misc.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
 
 struct timeval _kdc_now;
 
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index 9f6d57f588..57767c4f48 100755..100644
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: pkinit.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
 
 #ifdef PKINIT
 
diff --git a/source4/heimdal/kdc/process.c b/source4/heimdal/kdc/process.c
index 550bfb04b2..1a0c7c72ce 100644
--- a/source4/heimdal/kdc/process.c
+++ b/source4/heimdal/kdc/process.c
@@ -34,7 +34,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: process.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
 
 /*
  *
@@ -100,9 +100,9 @@ krb5_kdc_process_request(krb5_context context,
 	return ret;
     } else if(_kdc_maybe_version4(buf, len)){
 	*prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */
-	_kdc_do_version4(context, config, buf, len, reply, from, 
-			 (struct sockaddr_in*)addr);
-	return 0;
+	ret = _kdc_do_version4(context, config, buf, len, reply, from, 
+			       (struct sockaddr_in*)addr);
+	return ret;
     } else if (config->enable_kaserver) {
 	ret = _kdc_do_kaserver(context, config, buf, len, reply, from,
 			       (struct sockaddr_in*)addr);
diff --git a/source4/heimdal/kdc/rx.h b/source4/heimdal/kdc/rx.h
index 18806d79da..a84e5ec5f5 100644
--- a/source4/heimdal/kdc/rx.h
+++ b/source4/heimdal/kdc/rx.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: rx.h 17447 2006-05-05 10:52:01Z lha $ */
+/* $Id$ */
 
 #ifndef __RX_H__
 #define __RX_H__
diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c
index 621757f6dc..e057a3e6fb 100644
--- a/source4/heimdal/kdc/windc.c
+++ b/source4/heimdal/kdc/windc.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: windc.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
 
 static krb5plugin_windc_ftable *windcft;
 static void *windcctx;
diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h
index 44aab9e22b..3780258ad0 100644
--- a/source4/heimdal/kdc/windc_plugin.h
+++ b/source4/heimdal/kdc/windc_plugin.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: windc_plugin.h 22693 2008-03-19 08:57:49Z lha $ */
+/* $Id$ */
 
 #ifndef HEIMDAL_KRB5_PAC_PLUGIN_H
 #define HEIMDAL_KRB5_PAC_PLUGIN_H 1
author	Andrew Bartlett <abartlet@samba.org>	2008-08-27 11:01:55 +1000
committer	Andrew Bartlett <abartlet@samba.org>	2008-08-27 11:01:55 +1000
commit	8b94f7bcd70b1196487b433e355127a4f84bf5a5 (patch)
tree	940c1838cd0fa4033fef7945e97b530341f99ecf /source4/heimdal/kdc
parent	ca20c56b260e2799c40b0c7c0e3ef5f7308b586e (diff)
parent	9430420ba246c26489ad51e8b52e13d891436bb3 (diff)
download	samba-8b94f7bcd70b1196487b433e355127a4f84bf5a5.tar.gz samba-8b94f7bcd70b1196487b433e355127a4f84bf5a5.tar.bz2 samba-8b94f7bcd70b1196487b433e355127a4f84bf5a5.zip