Re: trouble with forwarded tgt from windows client
"Zi-Bin Yang" <zbyang@decru.com> writes:
> I forgot to ask about this earlier.... So in the same setup (Windows
> client obtains a forwardable TGT from Windows kdc and sends to Heimdal),
> when we call Heimdal's gss_accept_sec_context() to get the delegated
> credential, it actually fails. We track this down to krb5_rd_cred(),
> where it's checking the timestamp, and both enc_krb_cred_part.timestamp
> and enc_krb_cred_part.usec are NULL. We comment out the check, and
> gss_accept_sec_context() succeeds without any apparent bad side effect.
> So any ideas on this? Is there a way to turn off the
> KRB5_AUTH_CONTEXT_DO_TIME flag? Thanks!
You mean other than this?
Love
Index: accept_sec_context.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/lib/gssapi/accept_sec_context.c,v
retrieving revision 1.40
diff -u -u -w -r1.40 accept_sec_context.c
--- accept_sec_context.c 17 Sep 2003 04:20:33 -0000 1.40
+++ accept_sec_context.c 21 Nov 2003 05:48:10 -0000
@@ -305,8 +305,8 @@
}
if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
-
krb5_ccache ccache;
+ int32_t flags;
if (delegated_cred_handle == NULL)
/* XXX Create a new delegated_cred_handle? */
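Review bot: the new "int32_t flags;" is declared inside the block whose condition tests "flags & GSS_C_DELEG_FLAG", so it shadows the GSS flags variable for the rest of that block. If the later "flags &= ~GSS_C_DELEG_FLAG;" on the error path is inside the same block, it now clears a bit in this local auth-context copy and the GSS flags keep GSS_C_DELEG_FLAG set even though no credential was delegated. Give the local a distinct name (for example ac_flags, a suggested name) and use it only in the krb5_auth_con_getflags/krb5_auth_con_setflags calls.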
@@ -364,10 +364,19 @@
goto end_fwd;
}
+ krb5_auth_con_getflags(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ &flags);
+ krb5_auth_con_setflags(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
kret = krb5_rd_cred2(gssapi_krb5_context,
(*context_handle)->auth_context,
ccache,
&fwd_data);
+ krb5_auth_con_setflags(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ flags);
if (kret) {
flags &= ~GSS_C_DELEG_FLAG;
goto end_fwd;
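Review bot: the return value of krb5_auth_con_getflags() is discarded, so if it fails the local flags is uninitialised and is then written into the auth context by both krb5_auth_con_setflags() calls, the second of which is meant to restore the original state. Check kret after the get and take the end_fwd path on failure. A short comment above the first setflags call would also help: clearing KRB5_AUTH_CONTEXT_DO_TIME removes the timestamp check on the forwarded KRB-CRED for every peer, not only the Windows client that omits timestamp and usec, and the reason that is acceptable here should be stated next to the code.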