Pre-1.8 MIT GSS accept_sec_context() has a bug which treats
des-cbc-md4 as if the received token format should be CFX.
The previous DES alg ordering resulted in MIT KDCs issuing
des-cbc-md4 session keys for service tickets which triggered
this bug. Reorder the list so md4 is not preferred.
Change-Id: I11269498a6eb8494044c618db29c43f62b0ced49
When building the x64 installer, we can optionally include 32-bit
components as well. This requires that the 32-bit build to be already
completed. The resulting multiplatform installer will install
both sets of components.
This is enabled by the environment variable MULTIPLATFORM_INSTALLER.
If the is Windows 2000 DC, we need to retry with key usage 8 when doing ARCFOUR.
Thanks to Andrew and Tridge that helped me debug this using their systems.
The interaction with Samba4 is subtle - it calls
krb5_kdc_get_config(), but not configure() - but must have PKINIT set
up.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
By checking the client principal here, we compare the realm based on
the normalised realm, but do so early enough to validate the PAC (and
regenerate it if required).
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the prinicipal components.
The easy way to keep this test passing is to consider also what we
need to do to get the krbtgt account for the PAC signing - and to use
krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use
that resutl for realm comparion.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This means that no reply packet should be generated, but that instead
the user of the libkdc API should forward the packet to a real KDC,
that has a full database.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
