[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Renewing tickets broken on Heimdal 1.0.1

To: heimdal-discuss@sics.se, Alec Kloss <alec-keyword-heimdal.e899d7@SetFilePointer.com>
Subject: Re: Renewing tickets broken on Heimdal 1.0.1
From: Love Hörnquist Åstrand <lha@kth.se>
Date: Mon, 10 Mar 2008 09:42:13 -0400
In-Reply-To: <20080302152135.GB8919@hamlet.SetFilePointer.com>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <20080302152135.GB8919@hamlet.SetFilePointer.com>
Reply-To: heimdal-discuss@sics.se, Love Hörnquist Åstrand <lha@kth.se>

Hello Alec,

Are you not passing in validate to the request (you have a post dated  
ticket ?)


Love



2 mar 2008 kl. 10.21 skrev Alec Kloss:

> I'm having troubles getting tickets to renew using a Heimdal 1.0.1
> KDC and Heimdal 1.0.1 clients.  The kdc.log has the message "Bad
> request to validate ticket".  I've looked around a bit, and this is
> caused by a null ticket start time in check_tgs_flags() in
> krb5tgs.c *and* by tgt->flags.invalid being false (both conditions
> are true in the if check).  By removing the check
> for tgt->flags.invalid and by changing _kdc_as_rep() in kerberos5.c
> to always assign a start time to a ticket (around line 1850), I can
> now renew tickets.  Any thoughts about this?
>
>
> Index: kdc/krb5tgs.c
> ===================================================================
> --- kdc/krb5tgs.c	(revision 22664)
> +++ kdc/krb5tgs.c	(working copy)
> @@ -366,7 +366,7 @@
>     KDCOptions f = b->kdc_options;
> 	
>     if(f.validate){
> -	if(!tgt->flags.invalid || tgt->starttime == NULL){
> +	if(tgt->starttime == NULL){
> 	    kdc_log(context, config, 0,
> 		    "Bad request to validate ticket");
> 	    return KRB5KDC_ERR_BADOPTION;
> Index: kdc/kerberos5.c
> ===================================================================
> --- kdc/kerberos5.c	(revision 22664)
> +++ kdc/kerberos5.c	(working copy)
> @@ -1494,11 +1494,12 @@
> 	start = et.authtime = kdc_time;
>
> 	if(f.postdated && req->req_body.from){
> -	    ALLOC(et.starttime);
> -	    start = *et.starttime = *req->req_body.from;
> +	    start = *req->req_body.from;
> 	    et.flags.invalid = 1;
> 	    et.flags.postdated = 1; /* XXX ??? */
> 	}
> +	ALLOC(et.starttime);
> +	*et.starttime = start;
> 	_kdc_fix_time(&b->till);
> 	t = *b->till;
>
>
> -- 
> Alec Kloss  alec@SetFilePointer.com   IM: angryspamhater@yahoo.com
> PGP key at http://pgp.mit.edu:11371/pks/lookup? 
> op=get&search=0xA241980E
> "No Bunny!" -- Simon, from Frisky Dingo

References:
- Renewing tickets broken on Heimdal 1.0.1
  - From: Alec Kloss <alec-keyword-heimdal.e899d7@SetFilePointer.com>

Prev by Date: RFID products business
Next by Date: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
Prev by thread: Renewing tickets broken on Heimdal 1.0.1
Next by thread: Poor error handling on expired cerficates
Index(es):
- Date
- Thread