From f7776975080c88bec9013ccac8185c582e818e54 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Tue, 9 May 2006 19:02:26 +0000
Subject: r15523: Honour the time_offset also when verifying kerberos tickets. This prevents a nasty failure condition in winbindd's pam_auth where a tgt and a service ticket could have been succefully retrieved, but just not validated.
Guenther
(This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
---
 source3/libads/kerberos_verify.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'source3/libads/kerberos_verify.c')
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index fa957aa9c0..525a9cfa27 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -286,7 +286,8 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
 ***********************************************************************************/
 
 NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
- const char *realm, const DATA_BLOB *ticket,
+ const char *realm, time_t time_offset,
+ const DATA_BLOB *ticket,
 char **principal, PAC_DATA **pac_data,
 DATA_BLOB *ap_rep,
 DATA_BLOB *session_key)
@@ -323,6 +324,10 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 return NT_STATUS_LOGON_FAILURE;
 }
 
+ if (time_offset != 0) {
+ krb5_set_real_time(context, time(NULL) + time_offset, 0);
+ }
+
 ret = krb5_set_default_realm(context, realm);
 if (ret) {
 DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
-- 
cgit
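Review bot: The new `time_offset` parameter in the ads_verify_ticket signature is undocumented; the header comment that ends just above the signature is not extended by this hunk. Because the value shifts the clock used to validate tickets, the comment should give its unit and sign and say where it may come from, for example `time_offset: seconds added to the local clock before validation; 0 means no adjustment; must be learned from an authenticated exchange`. The callers are outside this path-limited view, so each one still needs checking that it passes the offset it actually measured rather than a constant.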
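Review bot: The result of `krb5_set_real_time` is discarded in the new `if (time_offset != 0)` block, so if the call fails the context keeps the unadjusted clock and the ticket is later rejected for clock skew with nothing in the log to say why. Capture and report it the way the following `krb5_set_default_realm` call does: `ret = krb5_set_real_time(context, time(NULL) + time_offset, 0);` then `if (ret) DEBUG(1,("ads_verify_ticket: krb5_set_real_time failed (%s)\n", error_message(ret)));`. The offset is also applied without any bound, and it moves the window in which expired or not-yet-valid tickets are accepted; whether the caller limits it or takes it from an authenticated exchange is not visible here, so a sanity limit or a debug line recording the applied offset would help. ads_verify_ticket continues beyond this hunk, so whether a failure should also abort depends on cleanup code that is not shown.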