author | Andrew Bartlett <abartlet@samba.org> | 2005-11-02 04:11:36 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:40 -0500 |
commit | 3b213ca9a3e44266647ac4ceb88d3acd2fb4a295 (patch) | |
tree | 7643c449060a495d76f4297118c517714d114130 /source4/heimdal/lib/krb5 | |
parent | cc0f3779b1de565ed33504d123e41656d6d2aab2 (diff) | |
r11469: Fix typo, and use the correct (RFC4120) session key for delegating
credentials. This means we now delegate to windows correctly.
Andrew Bartlett
(This used to be commit d6928a3bf86f1ab89f29eac538ceb701c6669913)
Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r-- | source4/heimdal/lib/krb5/get_for_creds.c | 22 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/rd_cred.c | 2 |
2 files changed, 13 insertions, 11 deletions
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index ea0bc4ad9e..adb6000cd6 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -378,16 +378,18 @@ krb5_get_forwarded_creds (krb5_context context,
 cred.enc_part.cipher.data = buf;
 cred.enc_part.cipher.length = buf_size;
 } else {
- krb5_keyblock *key;
-
- if (auth_context->local_subkey)
- key = auth_context->local_subkey;
- else if (auth_context->remote_subkey)
- key = auth_context->remote_subkey;
- else
- key = auth_context->keyblock;
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
+ /*
+ * RFC4120 claims we should use the session key, but Heimdal
+ * before 0.8 used the remote subkey if it was send in the
+ * auth_context.
+ *
+ * Lorikeet-Heimdal is interested in windows compatiblity
+ * more than Heimdal compatability, so we must choose the
+ * session key, and break forwarding credentials to older
+ * Heimdal servers.
+ */
+
+ ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
 if (ret) {
 free(buf);
 free_KRB_CRED(&cred);
diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c
index ddd5866aeb..07f142267c 100644
--- a/source4/heimdal/lib/krb5/rd_cred.c
+++ b/source4/heimdal/lib/krb5/rd_cred.c
@@ -101,7 +101,7 @@ krb5_rd_cred(krb5_context context,
 } else {
 /* Try both subkey and session key.
 *
- * RFC2140 claims we should use the session key, but Heimdal
+ * RFC4120 claims we should use the session key, but Heimdal
 * before 0.8 used the remote subkey if it was send in the
 * auth_context.
 */ |
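Review bot: In the get_for_creds.c hunk, `krb5_crypto_init(context, auth_context->keyblock, 0, &crypto)` now takes the session key unconditionally, and nothing visible checks that `auth_context->keyblock` is set before the KRB-CRED carrying the delegated credentials is encrypted. The removed code used `keyblock` only when neither subkey was present, so a context that has a subkey but no session key, if callers can supply one, used to work and now depends on how krb5_crypto_init treats a null key. A guard such as `if (auth_context->keyblock == NULL)` that runs the same `free(buf); free_KRB_CRED(&cred);` cleanup and returns an error would make that failure explicit. The new comment also says older Heimdal used the remote subkey, whereas the removed lines tried `local_subkey` first, and it carries the typos "send", "compatiblity" and "compatability". The body of krb5_get_forwarded_creds starts and ends outside the hunk.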