Bug 14125 – As kerberos service/acceptor we may not accept expired tickets with our previous machine password

Bug 14125 - As kerberos service/acceptor we may not accept expired tickets with our previous machine password


Summary:	As kerberos service/acceptor we may not accept expired tickets with our previ...

Status:	NEW

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind
Version:	4.11.0rc4
Hardware:	All All

Importance:	P5 normal
Target Milestone:	---
Assigned To:	Stefan Metzmacher
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:	12907
Blocks:
	Show dependency tree / graph

Reported:	2019-09-13 13:19 UTC by Stefan Metzmacher
Modified:	2019-09-13 13:19 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Metzmacher 2019-09-13 13:19:29 UTC

As we don't know under what kvno a KDC stores our machine passwords
we just use fantasy numbers when filling the in memory keytab
with our (up to 4) machine passwords.

If the kvno matches by accident the number we made up, the heimdal
kerberos library may not fallback and check all other keys/passwords.