Allow the PAC to be passed along during cross-realm authentication.
From abartlet git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24021 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
@@ -1380,7 +1380,6 @@ tgs_build_reply(krb5_context context,
|
|||||||
krb5_keyblock sessionkey;
|
krb5_keyblock sessionkey;
|
||||||
krb5_kvno kvno;
|
krb5_kvno kvno;
|
||||||
krb5_data rspac;
|
krb5_data rspac;
|
||||||
int cross_realm = 0;
|
|
||||||
|
|
||||||
METHOD_DATA enc_pa_data;
|
METHOD_DATA enc_pa_data;
|
||||||
|
|
||||||
@@ -1391,6 +1390,8 @@ tgs_build_reply(krb5_context context,
|
|||||||
char opt_str[128];
|
char opt_str[128];
|
||||||
int signedpath = 0;
|
int signedpath = 0;
|
||||||
|
|
||||||
|
Key *tkey;
|
||||||
|
|
||||||
memset(&sessionkey, 0, sizeof(sessionkey));
|
memset(&sessionkey, 0, sizeof(sessionkey));
|
||||||
memset(&adtkt, 0, sizeof(adtkt));
|
memset(&adtkt, 0, sizeof(adtkt));
|
||||||
krb5_data_zero(&rspac);
|
krb5_data_zero(&rspac);
|
||||||
@@ -1558,8 +1559,6 @@ server_lookup:
|
|||||||
|
|
||||||
kdc_log(context, config, 1, "Client not found in database: %s: %s",
|
kdc_log(context, config, 1, "Client not found in database: %s: %s",
|
||||||
cpn, krb5_get_err_text(context, ret));
|
cpn, krb5_get_err_text(context, ret));
|
||||||
|
|
||||||
cross_realm = 1;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1602,10 +1601,6 @@ server_lookup:
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
* Validate authoriation data
|
|
||||||
*/
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Check that service is in the same realm as the krbtgt. If it's
|
* Check that service is in the same realm as the krbtgt. If it's
|
||||||
* not the same, it's someone that is using a uni-directional trust
|
* not the same, it's someone that is using a uni-directional trust
|
||||||
@@ -1627,27 +1622,26 @@ server_lookup:
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* check PAC if not cross realm and if there is one */
|
/*
|
||||||
if (!cross_realm) {
|
* Validate authoriation data
|
||||||
Key *tkey;
|
*/
|
||||||
|
|
||||||
ret = hdb_enctype2key(context, &krbtgt->entry,
|
ret = hdb_enctype2key(context, &krbtgt->entry,
|
||||||
krbtgt_etype, &tkey);
|
krbtgt_etype, &tkey);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 0,
|
kdc_log(context, config, 0,
|
||||||
"Failed to find key for krbtgt PAC check");
|
"Failed to find key for krbtgt PAC check");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = check_PAC(context, config, cp,
|
ret = check_PAC(context, config, cp,
|
||||||
client, server, ekey, &tkey->key,
|
client, server, ekey, &tkey->key,
|
||||||
tgt, &rspac, &signedpath);
|
tgt, &rspac, &signedpath);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 0,
|
kdc_log(context, config, 0,
|
||||||
"Verify PAC failed for %s (%s) from %s with %s",
|
"Verify PAC failed for %s (%s) from %s with %s",
|
||||||
spn, cpn, from, krb5_get_err_text(context, ret));
|
spn, cpn, from, krb5_get_err_text(context, ret));
|
||||||
goto out;
|
goto out;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* also check the krbtgt for signature */
|
/* also check the krbtgt for signature */
|
||||||
|
|||||||
Reference in New Issue
Block a user