The Samba-Bugzilla – Attachment 13865 Details for
Bug 13137
S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks (authtime mismatch)
[patch]
Work in progress patch
tmp.diff.txt (text/plain), 1.75 KB, created by
Stefan Metzmacher
on 2017-12-13 12:45:11 UTC
>From b3371af1c50098730dd205f9de00c90289d3af26 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 8 Nov 2017 13:18:29 +0100 >Subject: [PATCH] HEIMDAL:kdc: use the correct authtime from addtitional ticket > for S4U2Proxy tickets > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/heimdal/kdc/krb5tgs.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > >diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c >index d59eb97..5033a24 100644 >--- a/source4/heimdal/kdc/krb5tgs.c >+++ b/source4/heimdal/kdc/krb5tgs.c >@@ -725,6 +725,7 @@ tgs_make_reply(krb5_context context, > KDC_REQ_BODY *b, > krb5_const_principal tgt_name, > const EncTicketPart *tgt, >+ const EncTicketPart *adtgt, > const krb5_keyblock *replykey, > int rk_is_subkey, > const EncryptionKey *serverkey, >@@ -758,7 +759,7 @@ tgs_make_reply(krb5_context context, > rep.pvno = 5; > rep.msg_type = krb_tgs_rep; > >- et.authtime = tgt->authtime; >+ et.authtime = adtgt->authtime; > _kdc_fix_time(&b->till); > et.endtime = min(tgt->endtime, *b->till); > ALLOC(et.starttime); >@@ -1480,6 +1481,7 @@ tgs_build_reply(krb5_context context, > Realm r; > int nloop = 0; > EncTicketPart adtkt; >+ EncTicketPart *adtgt = tgt; > char opt_str[128]; > int signedpath = 0; > >@@ -2147,7 +2149,7 @@ server_lookup: > if (rk_is_subkey == 0) { > auth_data_key = &adtkt.key; > } >- >+ adtgt = &adtkt; > kdc_log(context, config, 0, "constrained delegation for %s " > "from %s (%s) to %s", tpn, cpn, dpn, spn); > } >@@ -2263,6 +2265,7 @@ server_lookup: > b, > tp, > tgt, >+ adtgt, > replykey, > rk_is_subkey, > ekey, >-- >1.9.1 >
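Review bot: In the tgs_make_reply hunk at @@ -758, et.authtime is now taken from adtgt, but the very next lines still derive et.endtime from tgt (`et.endtime = min(tgt->endtime, *b->till);`), so the reply is built from two different tickets with no comment saying which fields are meant to follow which one. Please add a comment at the assignment stating that only authtime follows the additional ticket, and document the new adtgt parameter added at @@ -725, including that callers must pass tgt itself when there is no additional ticket, since adtgt is dereferenced unconditionally.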
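Review bot: In tgs_build_reply (@@ -1480), the new local is declared as `EncTicketPart *adtgt = tgt;` although it is only ever passed to the `const EncTicketPart *adtgt` parameter of tgs_make_reply, so it should be declared const as well. The names adtgt and adtkt differ by a single letter and sit on adjacent lines, which makes the `adtgt = &adtkt;` assignment at @@ -2147 easy to misread; a more distinct name or a one-line comment would help. That assignment also replaces the blank line that separated the `if (rk_is_subkey == 0)` block from the kdc_log call, which is worth keeping. Minor: the subject line spells "additional" as "addtitional".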