From b8f4e0796d068fab6844dd94dc28d3e9825e0f55 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Fri, 26 Aug 2005 11:52:35 +0000
Subject: r9648: this fixes the krb5 based login with the pac. The key to this
 whole saga was that the logon_time field in the pac must match the authtime
 field in the ticket we gave the client in the AS-REP (and thus also the
 authtime field in the ticket we get back in the TGS-REQ).

Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
(This used to be commit 7bee374b3ffcdb0424a83f909fe5ad504ea3882e)
---
 source4/heimdal/kdc/kerberos5.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'source4/heimdal')

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 27a25d95ff..453263774b 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1597,6 +1597,7 @@ tgs_make_reply(krb5_context context,
 	       EncTicketPart *tgt, 
 	       EncTicketPart *adtkt, 
 	       AuthorizationData *auth_data,
+	       krb5_ticket *tgs_ticket,
 	       hdb_entry *server, 
 	       hdb_entry *client, 
 	       krb5_principal client_principal, 
@@ -1774,6 +1775,7 @@ tgs_make_reply(krb5_context context,
 				client->principal,
 				tgtkey,
 				ekey,
+				tgs_ticket->ticket.authtime,
 				&pac);
 	    if (ret) {
 		    free_AuthorizationData(if_relevant);
@@ -2357,6 +2359,7 @@ tgs_rep2(krb5_context context,
 			     tgt, 
 			     b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL, 
 			     auth_data,
+			     ticket,
 			     server, 
 			     client, 
 			     cp, 
-- 
cgit