From f7776975080c88bec9013ccac8185c582e818e54 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Tue, 9 May 2006 19:02:26 +0000
Subject: r15523: Honour the time_offset also when verifying kerberos tickets.

This prevents a nasty failure condition in winbindd's pam_auth where a tgt and a service ticket could have been succefully retrieved, but just not validated.

Guenther
(This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
---
 source3/libads/kerberos_verify.c | 7 ++++++-
 source3/nsswitch/winbindd_pam.c  | 1 +
 source3/smbd/sesssetup.c         | 2 +-
 source3/utils/ntlm_auth.c        | 2 +-
 4 files changed, 9 insertions(+), 3 deletions(-)
(limited to 'source3')

diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index fa957aa9c0..525a9cfa27 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -286,7 +286,8 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
 ***********************************************************************************/
 
 NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
-			   const char *realm, const DATA_BLOB *ticket,
+			   const char *realm, time_t time_offset,
+			   const DATA_BLOB *ticket,
 			   char **principal, PAC_DATA **pac_data,
 			   DATA_BLOB *ap_rep,
 			   DATA_BLOB *session_key)
@@ -323,6 +324,10 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
+	if (time_offset != 0) {
+		krb5_set_real_time(context, time(NULL) + time_offset, 0);
+	}
+
 	ret = krb5_set_default_realm(context, realm);
 	if (ret) {
 		DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index ad2127452c..243d2a7838 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
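Review bot: The return value of `krb5_set_real_time()` in the added block of the second kerberos_verify.c hunk is discarded, so if the library refuses the adjustment the context stays on the unadjusted clock and the verification silently runs with exactly the skew this commit is meant to compensate for. The call returns a krb5_error_code and should be checked the same way as the `krb5_set_default_realm` call immediately below it, e.g. `ret = krb5_set_real_time(context, time(NULL) + time_offset, 0); if (ret) { DEBUG(1,("ads_verify_ticket: krb5_set_real_time failed (%s)\n", error_message(ret))); ... }`, taking whatever cleanup the `krb5_set_default_realm` failure path does (that path and the rest of ads_verify_ticket continue past the hunk). The new `time_offset` parameter introduced in the first hunk is also not described in the header comment that closes on that hunk's first context line; since it shifts the clock the verifier uses for the ticket's start and expiry checks, a line such as `time_offset: seconds added to the local clock so ticket times are checked against the KDC's notion of now; 0 leaves the clock untouched` would tell callers what they are handing in and that the value should come from a trusted KDC exchange rather than from the client being authenticated.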
@@ -540,6 +540,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 
 	result = ads_verify_ticket(state->mem_ctx,
 				   lp_realm(),
+				   time_offset,
 				   &tkt,
 				   &client_princ_out,
 				   &pac_data,
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index b086090bd9..8fe01a19b3 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -194,7 +194,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
 		return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
 	}
 
-	ret = ads_verify_ticket(mem_ctx, lp_realm(), &ticket, &client, &pac_data, &ap_rep, &session_key);
+	ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket, &client, &pac_data, &ap_rep, &session_key);
 
 	data_blob_free(&ticket);
 
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 2e879cc113..ef24f9f161 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -916,7 +916,7 @@ static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode,
 	response.negTokenTarg.mechListMIC = data_blob(NULL, 0);
 	response.negTokenTarg.responseToken = data_blob(NULL, 0);
 
-	status = ads_verify_ticket(mem_ctx, lp_realm(),
+	status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
 				   &request.negTokenInit.mechToken,
 				   &principal, NULL, &ap_rep, &session_key);
 
--
cgit
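Review bot: `time_offset` is passed into `ads_verify_ticket` by value from a variable that is declared and assigned outside the winbindd_pam.c hunk, so the hunk alone cannot show it is set on every path that reaches this call; if any earlier branch skips the exchange that produced the offset and leaves it unset, the verifier's clock would be shifted by an indeterminate amount. If the declaration does not already initialise it, `time_t time_offset = 0;` at that declaration would make the "no offset known" case explicit. winbindd_raw_kerberos_login begins before the hunk, so this is a request to confirm rather than a defect visible here.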
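Review bot: The bare `0` spliced into the `ads_verify_ticket` call in the sesssetup.c hunk reads as a magic number among the other arguments, and the ntlm_auth.c hunk has the same pattern. A short comment at both call sites, `0, /* no KDC time offset known here; verify on the local clock */`, would record that these callers deliberately leave the verifier on the local clock rather than having forgotten the new parameter. Whether smbd or ntlm_auth could obtain the offset that winbindd passes is not visible in these hunks; reply_spnego_kerberos and manage_gss_spnego_request both start before them.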