diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-12-01 22:18:34 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:46:57 -0500 |
commit | 6913dddf644525f4bdadfb740b5bff41abe030b2 (patch) | |
tree | 5325b59915008cd16f1f5bf6ab242e8788b0b808 /source4/heimdal/lib/krb5/rd_req.c | |
parent | f536c4a608bc8de3a9a0fd73f4c75f3183caa547 (diff) | |
download | samba-6913dddf644525f4bdadfb740b5bff41abe030b2.tar.gz samba-6913dddf644525f4bdadfb740b5bff41abe030b2.tar.bz2 samba-6913dddf644525f4bdadfb740b5bff41abe030b2.zip |
r12000: Update to current lorikeet-heimdal, including in particular support
for referencing an existing in-MEMORY keytab (required for the new way
we push that to GSSAPI).
Andrew Bartlett
(This used to be commit 2426581dfb9f5f0f9367f846c01dfd3c30fea954)
Diffstat (limited to 'source4/heimdal/lib/krb5/rd_req.c')
-rw-r--r-- | source4/heimdal/lib/krb5/rd_req.c | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c index 582b71db03..313c14f6e6 100644 --- a/source4/heimdal/lib/krb5/rd_req.c +++ b/source4/heimdal/lib/krb5/rd_req.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_req.c,v 1.58 2005/08/27 05:48:57 lha Exp $"); +RCSID("$Id: rd_req.c,v 1.61 2005/11/29 18:22:51 lha Exp $"); static krb5_error_code decrypt_tkt_enc_part (krb5_context context, @@ -136,7 +136,11 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) int num_realms; krb5_error_code ret; - /* Windows w2k and w2k3 uses this */ + /* + * Windows 2000 and 2003 uses this inside their TGT so its normaly + * not seen by others, however, samba4 joined with a Windows AD as + * a Domain Controller gets exposed to this. + */ if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0) return 0; @@ -417,6 +421,19 @@ krb5_verify_ap_req2(krb5_context context, goto out; } + /* check timestamp in authenticator */ + { + krb5_timestamp now; + + krb5_timeofday (context, &now); + + if (abs(ac->authenticator->ctime - now) > context->max_skew) { + ret = KRB5KRB_AP_ERR_SKEW; + krb5_clear_error_string (context); + goto out; + } + } + if (ac->authenticator->seq_number) krb5_auth_con_setremoteseqnumber(context, ac, *ac->authenticator->seq_number); |