diff options
| -rw-r--r-- | source4/auth/kerberos/kerberos.h | 1 | ||||
| -rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 8 | ||||
| -rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 3 | ||||
| -rw-r--r-- | source4/kdc/pac-glue.c | 12 | ||||
| -rw-r--r-- | source4/kdc/pac-glue.h | 9 |
5 files changed, 23 insertions, 10 deletions
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h index 0f1b0779b2..33be657ce8 100644 --- a/source4/auth/kerberos/kerberos.h +++ b/source4/auth/kerberos/kerberos.h @@ -143,6 +143,7 @@ krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx, krb5_context context, krb5_keyblock *krbtgt_keyblock, krb5_keyblock *server_keyblock, + time_t tgs_authtime, DATA_BLOB *pac); krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx, diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c index 006b54590f..9617e4fd01 100644 --- a/source4/auth/kerberos/kerberos_pac.c +++ b/source4/auth/kerberos/kerberos_pac.c @@ -385,6 +385,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, krb5_context context, krb5_keyblock *krbtgt_keyblock, krb5_keyblock *service_keyblock, + time_t tgs_authtime, DATA_BLOB *pac) { NTSTATUS nt_status; @@ -478,7 +479,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, LOGON_INFO->info3.base.last_logon = timeval_to_nttime(&tv); LOGON_NAME->account_name = server_info->account_name; - LOGON_NAME->logon_time = timeval_to_nttime(&tv); + + /* + this logon_time field is absolutely critical. This is what + caused all our pac troubles :-) + */ + unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime); ret = kerberos_encode_pac(mem_ctx, pac_data, diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 27a25d95ff..453263774b 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -1597,6 +1597,7 @@ tgs_make_reply(krb5_context context, EncTicketPart *tgt, EncTicketPart *adtkt, AuthorizationData *auth_data, + krb5_ticket *tgs_ticket, hdb_entry *server, hdb_entry *client, krb5_principal client_principal, @@ -1774,6 +1775,7 @@ tgs_make_reply(krb5_context context, client->principal, tgtkey, ekey, + tgs_ticket->ticket.authtime, &pac); if (ret) { free_AuthorizationData(if_relevant); @@ -2357,6 +2359,7 @@ tgs_rep2(krb5_context context, tgt, b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL, auth_data, + ticket, server, client, cp, diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 44326cabef..45b6776f70 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -26,11 +26,12 @@ #include "kdc/pac-glue.h" /* Ensure we don't get this prototype wrong, as that could be painful */ krb5_error_code samba_get_pac(krb5_context context, - struct krb5_kdc_configuration *config, - krb5_principal client, - krb5_keyblock *krbtgt_keyblock, - krb5_keyblock *server_keyblock, - krb5_data *pac) + struct krb5_kdc_configuration *config, + krb5_principal client, + krb5_keyblock *krbtgt_keyblock, + krb5_keyblock *server_keyblock, + time_t tgs_authtime, + krb5_data *pac) { krb5_error_code ret; NTSTATUS nt_status; @@ -74,6 +75,7 @@ context, krbtgt_keyblock, server_keyblock, + tgs_authtime, &tmp_blob); if (ret) { diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h index dd8ebfc68e..69490bb7f3 100644 --- a/source4/kdc/pac-glue.h +++ b/source4/kdc/pac-glue.h @@ -1,7 +1,8 @@ krb5_error_code samba_get_pac(krb5_context context, - struct krb5_kdc_configuration *config, - krb5_principal client, - krb5_keyblock *krbtgt_keyblock, - krb5_keyblock *server_keyblock, + struct krb5_kdc_configuration *config, + krb5_principal client, + krb5_keyblock *krbtgt_keyblock, + krb5_keyblock *server_keyblock, + time_t tgs_authtime, krb5_data *pac); |