authorAndrew Bartlett <abartlet@samba.org>2012-01-11 18:06:55 +1100
committerAndrew Bartlett <abartlet@samba.org>2012-01-12 18:02:54 +1100
commit49f8113fabd2603b45439404c91d350b4d6eaeac (patch)
treeace3a19fcb94bb5ab6396f1be30fb2af7bec8817 /source4/kdc/mit_samba.c
parentd0bb8b8a15c76c739062e7a78c013b54729dc5ab (diff)
s4-kdc Do the KDC PAC checksum validation in the Samba plugin
Here we can fetch the right key, and check if the PAC is likely to be signed by a key that we know. We cannot check the KDC signature on incoming trusts. Andrew Bartlett
Diffstat (limited to 'source4/kdc/mit_samba.c')
-rw-r--r--source4/kdc/mit_samba.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 06ee46eac02..f56e6796d09 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -254,8 +254,11 @@ static int mit_samba_update_pac_data(struct mit_samba_context *ctx,
goto done;
}
+ /* TODO: An implementation-specific decision will need to be
+ * made as to when to check the KDC pac signature, and how to
+ * untrust untrusted RODCs */
nt_status = samba_kdc_update_pac_blob(tmp_ctx, ctx->context,
- pac, logon_blob);
+ pac, logon_blob, NULL, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Building PAC failed: %s\n",
nt_errstr(nt_status)));
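Review bot: The two `NULL` arguments added to the `samba_kdc_update_pac_blob()` call are not explained at the call site, and the TODO above them does not say what is being skipped. Judging by the commit title, they presumably carry the keys for the KDC PAC checksum validation, so this MIT plugin path would rebuild the PAC without that check. The callee's signature is not visible in this hunk, so that reading should be confirmed. I would make the comment state the consequence, e.g. `/* TODO: NULL, NULL = no keys passed, so the KDC PAC signature is NOT verified on this path; decide when to check it and how to reject PACs from untrusted RODCs */`. The body of `mit_samba_update_pac_data` starts and ends outside the hunk, so any validation done earlier in the function cannot be seen here.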