mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
heimdal: Try to handle the PAC checking when we are in a cross-realm environment
parent
17fa96b64a
commit
b5c7eb909f
@ -1508,6 +1508,7 @@ tgs_build_reply(krb5_context context,
|
|||||||
|
|
||||||
Key *tkey_check;
|
Key *tkey_check;
|
||||||
Key *tkey_sign;
|
Key *tkey_sign;
|
||||||
|
Key *tkey_krbtgt_check = NULL;
|
||||||
int flags = HDB_F_FOR_TGS_REQ;
|
int flags = HDB_F_FOR_TGS_REQ;
|
||||||
|
|
||||||
memset(&sessionkey, 0, sizeof(sessionkey));
|
memset(&sessionkey, 0, sizeof(sessionkey));
|
||||||
@ -1781,6 +1782,13 @@ server_lookup:
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Check if we would know the krbtgt key for the PAC. We would
|
||||||
|
* only know this if the krbtgt principal was the same (ie, in our
|
||||||
|
* realm, regardless of KVNO) */
|
||||||
|
if (krb5_principal_compare(context, krbtgt_out->entry.principal, krbtgt->entry.principal)) {
|
||||||
|
tkey_krbtgt_check = tkey_check;
|
||||||
|
}
|
||||||
|
|
||||||
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
|
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
|
||||||
NULL, &clientdb, &client);
|
NULL, &clientdb, &client);
|
||||||
if(ret == HDB_ERR_NOT_FOUND_HERE) {
|
if(ret == HDB_ERR_NOT_FOUND_HERE) {
|
||||||
@ -1813,7 +1821,8 @@ server_lookup:
|
|||||||
|
|
||||||
ret = check_PAC(context, config, cp, NULL,
|
ret = check_PAC(context, config, cp, NULL,
|
||||||
client, server, krbtgt,
|
client, server, krbtgt,
|
||||||
&tkey_check->key, &tkey_check->key,
|
&tkey_check->key,
|
||||||
|
tkey_krbtgt_check ? &tkey_krbtgt_check->key : NULL,
|
||||||
ekey, &tkey_sign->key,
|
ekey, &tkey_sign->key,
|
||||||
tgt, &rspac, &signedpath);
|
tgt, &rspac, &signedpath);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
|
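Review bot: In the last hunk the `check_PAC` call now passes `NULL` as the krbtgt check key whenever `krbtgt_out` and `krbtgt` name different principals, and nothing on this page shows what `check_PAC` does with a NULL key, since its body is not part of the visible diff. If NULL means the KDC signature on the PAC is skipped, verification is deliberately weaker for cross-realm tickets and the call site should say so, for example `/* NULL: TGT was issued by another realm, so the PAC's KDC checksum cannot be verified with our krbtgt key */`. It is also worth confirming that the server checksum (the `&tkey_check->key` argument) is still verified unconditionally on that path, and that the skip is logged so a PAC accepted without KDC-signature verification can be audited. The second hunk assigns `tkey_krbtgt_check = tkey_check` inside `tgs_build_reply`, whose body starts and ends outside the hunks, so whether `tkey_check` is always set at that point cannot be checked from here.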