
Re: heimdal 0.8-rc3



> Love Hörnquist Åstrand wrote:
>> On 15 Jan 2007 at 23:24, Douglas E. Engert wrote:
>>> The code was not checking if this was the case and always using the
>>> skey and thus would fail to decrypt PAC_SERVER_CHECKSUM.
>> This is fixed by post 0.8-rc3, I got the same bug report from
>> Andrew Bartlett.
>> Are you sure your patch is correct? I would think it should
>> use the o->ticket in the enc_tkt_in_skey case.
>
> I thought that was what I did. If the KDC_OPT_ENC_TKT_IN_SKEY is on,
> then use the session key: &o->ticket->ticket.key otherwise use the
> key used to decrypt the ticket which looked like the o->keyblock.
>
> But looking closer at 791, if (ap_req.ap_options.use_sesion_key...
> Is this where the auth_context->keyblock is copied to the o->keyblock
> the key to be used? in which case the mod should always use the
> o->keytab.
>
> Then what is the &o->ticket->ticket.key ?

It's the session key between the client and the server that is inside
the ticket.

But the text from the MS page says it should use the key that was used
to encrypt the ticket itself, and that is not the key inside that
ticket.

>> Do you have any setup
>> where you can try out the u2u case easily in a windows domain ?
>
> No.

I just tried it on my w2k3server setup by talking to myself
and it won't even see the enc-tkt-in-skey flag since it's on the "server"
(not so helpfully named uu_client in appl/test in heimdal).

Love