diff options
Diffstat (limited to 'source4/heimdal/lib/krb5/get_for_creds.c')
| -rw-r--r-- | source4/heimdal/lib/krb5/get_for_creds.c | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c index ea0bc4ad9e..adb6000cd6 100644 --- a/source4/heimdal/lib/krb5/get_for_creds.c +++ b/source4/heimdal/lib/krb5/get_for_creds.c @@ -378,16 +378,18 @@ krb5_get_forwarded_creds (krb5_context context, cred.enc_part.cipher.data = buf; cred.enc_part.cipher.length = buf_size; } else { - krb5_keyblock *key; - - if (auth_context->local_subkey) - key = auth_context->local_subkey; - else if (auth_context->remote_subkey) - key = auth_context->remote_subkey; - else - key = auth_context->keyblock; - - ret = krb5_crypto_init(context, key, 0, &crypto); + /* + * RFC4120 claims we should use the session key, but Heimdal + * before 0.8 used the remote subkey if it was send in the + * auth_context. + * + * Lorikeet-Heimdal is interested in windows compatiblity + * more than Heimdal compatability, so we must choose the + * session key, and break forwarding credentials to older + * Heimdal servers. + */ + + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); if (ret) { free(buf); free_KRB_CRED(&cred); |