summaryrefslogtreecommitdiff
path: root/source4/heimdal
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal')
-rw-r--r--source4/heimdal/lib/krb5/get_for_creds.c22
-rw-r--r--source4/heimdal/lib/krb5/rd_cred.c2
2 files changed, 13 insertions, 11 deletions
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index ea0bc4ad9e..adb6000cd6 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -378,16 +378,18 @@ krb5_get_forwarded_creds (krb5_context context,
cred.enc_part.cipher.data = buf;
cred.enc_part.cipher.length = buf_size;
} else {
- krb5_keyblock *key;
-
- if (auth_context->local_subkey)
- key = auth_context->local_subkey;
- else if (auth_context->remote_subkey)
- key = auth_context->remote_subkey;
- else
- key = auth_context->keyblock;
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
+ /*
+ * RFC4120 claims we should use the session key, but Heimdal
+ * before 0.8 used the remote subkey if it was send in the
+ * auth_context.
+ *
+ * Lorikeet-Heimdal is interested in windows compatiblity
+ * more than Heimdal compatability, so we must choose the
+ * session key, and break forwarding credentials to older
+ * Heimdal servers.
+ */
+
+ ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret) {
free(buf);
free_KRB_CRED(&cred);
diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c
index ddd5866aeb..07f142267c 100644
--- a/source4/heimdal/lib/krb5/rd_cred.c
+++ b/source4/heimdal/lib/krb5/rd_cred.c
@@ -101,7 +101,7 @@ krb5_rd_cred(krb5_context context,
} else {
/* Try both subkey and session key.
*
- * RFC2140 claims we should use the session key, but Heimdal
+ * RFC4120 claims we should use the session key, but Heimdal
* before 0.8 used the remote subkey if it was send in the
* auth_context.
*/