Initial patch for dealing with AD x-realm key rollover

AD issues x-realm TGTs with kvno 0. On key x-realm trust key change we need to be able to try current and previous keys for trust, else we will have some failures.
2011-11-11 02:06:48 -06:00
parent b26fc106de
commit c9609cdb37
9 changed files with 105 additions and 47 deletions
--- a/kdc/digest.c
+++ b/kdc/digest.c
@@ -883,7 +883,7 @@ _kdc_do_digest(krb5_context context,
 		goto failed;
 	    }

-	    ret = hdb_enctype2key(context, &user->entry,
+	    ret = hdb_enctype2key(context, &user->entry, NULL,
 				  ETYPE_ARCFOUR_HMAC_MD5, &key);
 	    if (ret) {
 		krb5_set_error_message(context, ret,
@@ -1209,7 +1209,7 @@ _kdc_do_digest(krb5_context context,
 	    goto out;
 	}

-	ret = hdb_enctype2key(context, &user->entry,
+	ret = hdb_enctype2key(context, &user->entry, NULL,
 			      ETYPE_ARCFOUR_HMAC_MD5, &key);
 	if (ret) {
 	    krb5_set_error_message(context, ret, "NTLM missing arcfour key");