authorAndrew Bartlett <abartlet@samba.org>2005-11-02 04:11:36 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:40 -0500
commit3b213ca9a3e44266647ac4ceb88d3acd2fb4a295 (patch)
tree7643c449060a495d76f4297118c517714d114130 /source4/heimdal/lib/krb5
parentcc0f3779b1de565ed33504d123e41656d6d2aab2 (diff)
r11469: Fix typo, and use the correct (RFC4120) session key for delegating
credentials. This means we now delegate to windows correctly. Andrew Bartlett (This used to be commit d6928a3bf86f1ab89f29eac538ceb701c6669913)
Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r--source4/heimdal/lib/krb5/get_for_creds.c22
-rw-r--r--source4/heimdal/lib/krb5/rd_cred.c2
2 files changed, 13 insertions, 11 deletions
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index ea0bc4ad9e..adb6000cd6 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -378,16 +378,18 @@ krb5_get_forwarded_creds (krb5_context context,
cred.enc_part.cipher.data = buf;
cred.enc_part.cipher.length = buf_size;
} else {
- krb5_keyblock *key;
-
- if (auth_context->local_subkey)
- key = auth_context->local_subkey;
- else if (auth_context->remote_subkey)
- key = auth_context->remote_subkey;
- else
- key = auth_context->keyblock;
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
+ /*
+ * RFC4120 claims we should use the session key, but Heimdal
+ * before 0.8 used the remote subkey if it was send in the
+ * auth_context.
+ *
+ * Lorikeet-Heimdal is interested in windows compatiblity
+ * more than Heimdal compatability, so we must choose the
+ * session key, and break forwarding credentials to older
+ * Heimdal servers.
+ */
+
+ ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret) {
free(buf);
free_KRB_CRED(&cred);
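Review bot: The new `krb5_crypto_init(context, auth_context->keyblock, 0, &crypto)` call uses the session key unconditionally, and nothing visible in the hunk checks that `auth_context->keyblock` is set; the removed code reached it only after both subkeys were absent. With an etype argument of 0 the key type is presumably taken from the key itself, so a NULL keyblock would likely be dereferenced rather than reported as an error. I would guard it and fall into the existing `if (ret)` cleanup, e.g. `if (auth_context->keyblock == NULL) ret = KRB5KRB_AP_ERR_NOKEY; else ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);`. The new comment also has small typos worth fixing while here (`send` should be `sent`, and `compatiblity`/`compatability` should be `compatibility`). The rest of krb5_get_forwarded_creds, including any earlier check on the auth context, lies outside the hunk.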
diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c
index ddd5866aeb..07f142267c 100644
--- a/source4/heimdal/lib/krb5/rd_cred.c
+++ b/source4/heimdal/lib/krb5/rd_cred.c
@@ -101,7 +101,7 @@ krb5_rd_cred(krb5_context context,
} else {
/* Try both subkey and session key.
*
- * RFC2140 claims we should use the session key, but Heimdal
+ * RFC4120 claims we should use the session key, but Heimdal
* before 0.8 used the remote subkey if it was send in the
* auth_context.
*/