kdc: Add support for explicit armoring from MS-KILE

Normally when FAST is used with a TGS-REQ, the armor key is implicitly derived from the TGT rather than armor being explicitly present, as for AS-REQs. However, Windows allows a TGS-REQ to be explicitly armored with a computer's TGT, so that the armor key also depends on the ticket session key. This is used for compound identity, where the computer's group membership and claims are added to the PAC of the resulting ticket. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-17 20:23:12 +13:00
parent 96ee28c32c
commit 717ad8b043
4 changed files with 36 additions and 2 deletions
--- a/lib/krb5/version-script.map
+++ b/lib/krb5/version-script.map
@@ -865,6 +865,7 @@ HEIMDAL_KRB5_2.0 {
 		# FAST
 		_krb5_fast_cf2;
 		_krb5_fast_armor_key;
+		_krb5_fast_explicit_armor_key;

                # TGS
                _krb5_find_capath;