diff options
| author | Matthieu Patou <mat@matws.net> | 2010-08-15 18:31:28 +0400 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2010-10-03 01:15:04 +0000 |
| commit | ab6e3fce040f9ad27cbce44e9038a24f15b601c8 (patch) | |
| tree | ab99a431c9610927b5d0d26335d2712b509fd6dc /source4/heimdal/kdc/krb5tgs.c | |
| parent | 197a1514d62494cc8b862d169c841a26e04b8925 (diff) | |
| download | samba-ab6e3fce040f9ad27cbce44e9038a24f15b601c8.tar.gz | |
s4:heimdal: import lorikeet-heimdal-201009250123 (commit 42cabfb5b683dbcb97d583c397b897507689e382)
I based this on Matthieu's import of lorikeet-heimdal, and then
updated it to this commit.
Andrew Bartlett
Diffstat (limited to 'source4/heimdal/kdc/krb5tgs.c')
| -rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 28 |
1 files changed, 19 insertions, 9 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 06a535d4d44..23f9674bef2 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -314,6 +314,7 @@ check_PAC(krb5_context context, for (j = 0; j < child.len; j++) { if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) { + int signed_pac = 0; krb5_pac pac; /* Found PAC */ @@ -334,19 +335,26 @@ check_PAC(krb5_context context, } ret = _kdc_pac_verify(context, client_principal, - client, server, krbtgt, &pac); + client, server, krbtgt, &pac, &signed_pac); if (ret) { krb5_pac_free(context, pac); return ret; } - *signedpath = 1; - - ret = _krb5_pac_sign(context, pac, tkt->authtime, - client_principal, - server_key, krbtgt_sign_key, rspac); + /* + * Only re-sign PAC if we could verify it with the PAC + * function. The no-verify case happens when we get in + * a PAC from cross realm from a Windows domain and + * that there is no PAC verification function. + */ + if (signed_pac) { + *signedpath = 1; + ret = _krb5_pac_sign(context, pac, tkt->authtime, + client_principal, + server_key, krbtgt_key, rspac); + } krb5_pac_free(context, pac); - + return ret; } } @@ -449,7 +457,7 @@ check_tgs_flags(krb5_context context, } if(f.renewable){ - if(!tgt->flags.renewable){ + if(!tgt->flags.renewable || tgt->renew_till == NULL){ kdc_log(context, config, 0, "Bad request for renewable ticket"); return KRB5KDC_ERR_BADOPTION; @@ -802,7 +810,9 @@ tgs_make_reply(krb5_context context, et.endtime = *et.starttime + life; } if(f.renewable_ok && tgt->flags.renewable && - et.renew_till == NULL && et.endtime < *b->till){ + et.renew_till == NULL && et.endtime < *b->till && + tgt->renew_till != NULL) + { et.flags.renewable = 1; ALLOC(et.renew_till); *et.renew_till = *b->till; |