[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: trouble with forwarded tgt from windows client

To: "'Love'" <lha@stacken.kth.se>
Subject: RE: trouble with forwarded tgt from windows client
From: "Zi-Bin Yang" <zbyang@decru.com>
Date: Fri, 21 Nov 2003 19:45:42 -0800
Cc: <heimdal-discuss@sics.se>
Importance: Normal
In-Reply-To: <am7k1u2rp9.fsf@nutcracker.stacken.kth.se>
Organization: Decru, Inc.
Sender: owner-heimdal-discuss@sics.se

Thanks, that works.  I am still kind of wondering why the timestamp is
not there though....

Zi-Bin Yang


-----Original Message-----
From: Love [mailto:lha@stacken.kth.se] 
Sent: Thursday, November 20, 2003 9:53 PM
To: Zi-Bin Yang
Subject: Re: trouble with forwarded tgt from windows client



"Zi-Bin Yang" <zbyang@decru.com> writes:

> I forgot to ask about this earlier....  So in the same setup (Windows
> client obtains a forwardable TGT from Windows kdc and sends to
Heimdal),
> when we call Heimdal's gss_accept_sec_context() to get the delegated
> credential, it actually fails.  We track this down to krb5_rd_cred(),
> where it's checking the timestamp, and both
enc_krb_cred_part.timestamp
> and enc_krb_cred_part.usec are NULL.  We comment out the check, and
> gss_accept_sec_context() succeeds without any apparent bad side
effect.
> So any ideas on this?  Is there a way to turn off the
> KRB5_AUTH_CONTEXT_DO_TIME flag?  Thanks!

Sorry wrong version of the patch

Love

Index: accept_sec_context.c
===================================================================
RCS file:
/afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/lib/gssapi
/accept_sec_context.c,v
retrieving revision 1.40
diff -u -u -w -r1.40 accept_sec_context.c
--- accept_sec_context.c	17 Sep 2003 04:20:33 -0000	1.40
+++ accept_sec_context.c	21 Nov 2003 05:51:48 -0000
@@ -305,8 +305,8 @@
     }
 
     if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
-      
 	krb5_ccache ccache;
+	int32_t ac_flags;
       
 	if (delegated_cred_handle == NULL)
 	    /* XXX Create a new delegated_cred_handle? */
@@ -364,10 +364,19 @@
 	    goto end_fwd;
 	}
       
+	krb5_auth_con_getflags(gssapi_krb5_context,
+			       (*context_handle)->auth_context,
+			       &ac_flags);
+	krb5_auth_con_setflags(gssapi_krb5_context,
+			       (*context_handle)->auth_context,
+			       ac_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
 	kret = krb5_rd_cred2(gssapi_krb5_context,
 			     (*context_handle)->auth_context,
 			     ccache,
 			     &fwd_data);
+	krb5_auth_con_setflags(gssapi_krb5_context,
+			       (*context_handle)->auth_context,
+			       ac_flags);
 	if (kret) {
 	    flags &= ~GSS_C_DELEG_FLAG;
 	    goto end_fwd;

Prev by Date: Re: trouble with forwarded tgt from windows client
Next by Date: problem: default realm in openssh
Prev by thread: Re: trouble with forwarded tgt from windows client
Next by thread: Switching to sub searches for hdb-ldap.c
Index(es):
- Date
- Thread