Bug 14125 - As kerberos service/acceptor we may not accept expired tickets with our previous machine password
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.11.0rc4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Stefan Metzmacher
QA Contact: Samba QA Contact
Depends on: 12907
Reported: 2019-09-13 13:19 UTC by Stefan Metzmacher
Modified: 2019-09-13 13:19 UTC

Description Stefan Metzmacher 2019-09-13 13:19:29 UTC
As we don't know under what kvno a KDC stores our machine passwords,
we just use fantasy numbers when filling the in-memory keytab
with our (up to 4) machine passwords.

If the kvno matches by accident the number we made up, the Heimdal
Kerberos library may not fall back and check all other keys/passwords.
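
The failure mode described in this report, as a toy model added here for illustration (it is not Samba or Heimdal code). The names `toy_tag`, `acceptor_check` and `scenario`, the passwords and the kvno values are all constructed, and the kvno-only branch is an assumed model of a lookup that does not fall back.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Toy model, not Samba or Heimdal code. */
struct kt_entry { uint32_t kvno; const char *password; };
struct ticket   { uint32_t kvno; const char *data; uint32_t tag; };

/* FNV-1a over password then data: a stand-in for the integrity check of
 * real ticket decryption. Not cryptographically secure. */
static uint32_t toy_tag(const char *password, const char *data)
{
    uint32_t h = 2166136261u;
    for (const char *p = password; *p; p++) h = (h ^ (uint8_t)*p) * 16777619u;
    for (const char *p = data; *p; p++)     h = (h ^ (uint8_t)*p) * 16777619u;
    return h;
}

/* Acceptor lookup: 1 = ticket accepted, 0 = rejected.
 * try_all == 0: an entry whose kvno equals the ticket's is the only key tried.
 * try_all == 1: kvno is ignored and every stored key is tried. */
static int acceptor_check(const struct kt_entry *kt, size_t n,
                          const struct ticket *t, int try_all)
{
    if (!try_all)
        for (size_t i = 0; i < n; i++)
            if (kt[i].kvno == t->kvno)
                return toy_tag(kt[i].password, t->data) == t->tag;
    for (size_t i = 0; i < n; i++)
        if (toy_tag(kt[i].password, t->data) == t->tag) return 1;
    return 0;
}

/* Constructed scenario: keytab holds made-up kvnos 1 (current password) and
 * 2 (previous); the ticket is sealed with the previous password and carries
 * the KDC's real kvno, which the service cannot know in advance. */
static int scenario(uint32_t kdc_kvno, int try_all)
{
    struct kt_entry kt[] = { {1, "machine-password-N"}, {2, "machine-password-P"} };
    struct ticket t = { kdc_kvno, "constructed-service-ticket", 0 };
    t.tag = toy_tag(kt[1].password, t.data);
    return acceptor_check(kt, 2, &t, try_all);
}

int main(void)
{
    printf("kvno 7: %d, kvno 1: %d, kvno 1 try-all: %d\n", scenario(7, 0), scenario(1, 0), scenario(1, 1));
    return 0;
}
```

A ticket whose real kvno happens to equal the made-up kvno of a different password is rejected by the kvno-only lookup even though the right key is in the keytab; trying every key accepts it.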