summaryrefslogtreecommitdiff
path: root/source4/heimdal/kdc/krb5tgs.c
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/kdc/krb5tgs.c')
-rw-r--r--source4/heimdal/kdc/krb5tgs.c35
1 files changed, 21 insertions, 14 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index a056839e5f..02cd92de2e 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: krb5tgs.c,v 1.25 2007/01/04 12:49:45 lha Exp $");
+RCSID("$Id: krb5tgs.c 21041 2007-06-10 06:21:12Z lha $");
/*
* return the realm of a krbtgt-ticket or NULL
@@ -656,7 +656,7 @@ tgs_make_reply(krb5_context context,
KDC_REQ_BODY *b,
krb5_const_principal tgt_name,
const EncTicketPart *tgt,
- const EncryptionKey *ekey,
+ const EncryptionKey *serverkey,
const krb5_keyblock *sessionkey,
krb5_kvno kvno,
AuthorizationData *auth_data,
@@ -883,7 +883,7 @@ tgs_make_reply(krb5_context context,
ret = _kdc_encode_reply(context, config,
&rep, &et, &ek, et.key.keytype,
kvno,
- ekey, 0, &tgt->key, e_text, reply);
+ serverkey, 0, &tgt->key, e_text, reply);
out:
free_TGS_REP(&rep);
free_TransitedEncoding(&et.transited);
@@ -1010,7 +1010,7 @@ static krb5_error_code
tgs_parse_request(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ_BODY *b,
- PA_DATA *tgs_req,
+ const PA_DATA *tgs_req,
hdb_entry_ex **krbtgt,
krb5_enctype *krbtgt_etype,
krb5_ticket **ticket,
@@ -1258,6 +1258,7 @@ tgs_build_reply(krb5_context context,
krb5_keyblock sessionkey;
krb5_kvno kvno;
krb5_data rspac;
+ int cross_realm = 0;
PrincipalName *s;
Realm r;
@@ -1421,6 +1422,8 @@ server_lookup:
kdc_log(context, config, 1, "Client not found in database: %s: %s",
cpn, krb5_get_err_text(context, ret));
+
+ cross_realm = 1;
}
/*
@@ -1707,21 +1710,25 @@ server_lookup:
/* check PAC if there is one */
{
Key *tkey;
+ krb5_keyblock *tgtkey = NULL;
- ret = hdb_enctype2key(context, &krbtgt->entry,
- krbtgt_etype, &tkey);
- if(ret) {
- kdc_log(context, config, 0,
- "Failed to find key for krbtgt PAC check");
- goto out;
+ if (!cross_realm) {
+ ret = hdb_enctype2key(context, &krbtgt->entry,
+ krbtgt_etype, &tkey);
+ if(ret) {
+ kdc_log(context, config, 0,
+ "Failed to find key for krbtgt PAC check");
+ goto out;
+ }
+ tgtkey = &tkey->key;
}
ret = check_PAC(context, config, client_principal,
- client, server, ekey, &tkey->key,
+ client, server, ekey, tgtkey,
tgt, &rspac, &require_signedpath);
if (ret) {
kdc_log(context, config, 0,
- "check_PAC check failed for %s (%s) from %s with %s",
+ "Verify PAC failed for %s (%s) from %s with %s",
spn, cpn, from, krb5_get_err_text(context, ret));
goto out;
}
@@ -1804,7 +1811,7 @@ _kdc_tgs_rep(krb5_context context,
AuthorizationData *auth_data = NULL;
krb5_error_code ret;
int i = 0;
- PA_DATA *tgs_req = NULL;
+ const PA_DATA *tgs_req;
hdb_entry_ex *krbtgt = NULL;
krb5_ticket *ticket = NULL;
generated by cgit (git 2.34.1) at 2024-06-23 03:07:22 +0000