From 3b213ca9a3e44266647ac4ceb88d3acd2fb4a295 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 2 Nov 2005 04:11:36 +0000 Subject: r11469: Fix typo, and use the correct (RFC4120) session key for delegating credentials. This means we now delegate to windows correctly. Andrew Bartlett (This used to be commit d6928a3bf86f1ab89f29eac538ceb701c6669913) --- source4/heimdal/lib/krb5/get_for_creds.c | 22 ++++++++++++---------- source4/heimdal/lib/krb5/rd_cred.c | 2 +- 2 files changed, 13 insertions(+), 11 deletions(-) (limited to 'source4') diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c index ea0bc4ad9e..adb6000cd6 100644 --- a/source4/heimdal/lib/krb5/get_for_creds.c +++ b/source4/heimdal/lib/krb5/get_for_creds.c @@ -378,16 +378,18 @@ krb5_get_forwarded_creds (krb5_context context, cred.enc_part.cipher.data = buf; cred.enc_part.cipher.length = buf_size; } else { - krb5_keyblock *key; - - if (auth_context->local_subkey) - key = auth_context->local_subkey; - else if (auth_context->remote_subkey) - key = auth_context->remote_subkey; - else - key = auth_context->keyblock; - - ret = krb5_crypto_init(context, key, 0, &crypto); + /* + * RFC4120 claims we should use the session key, but Heimdal + * before 0.8 used the remote subkey if it was send in the + * auth_context. + * + * Lorikeet-Heimdal is interested in windows compatiblity + * more than Heimdal compatability, so we must choose the + * session key, and break forwarding credentials to older + * Heimdal servers. + */ + + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); if (ret) { free(buf); free_KRB_CRED(&cred); diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c index ddd5866aeb..07f142267c 100644 --- a/source4/heimdal/lib/krb5/rd_cred.c +++ b/source4/heimdal/lib/krb5/rd_cred.c @@ -101,7 +101,7 @@ krb5_rd_cred(krb5_context context, } else { /* Try both subkey and session key. * - * RFC2140 claims we should use the session key, but Heimdal + * RFC4120 claims we should use the session key, but Heimdal * before 0.8 used the remote subkey if it was send in the * auth_context. */ -- cgit