r9648: this fixes the krb5 based login with the pac. The key to this whole saga was

that the logon_time field in the pac must match the authtime field in the ticket we
gave the client in the AS-REP (and thus also the authtime field in the ticket we get
back in the TGS-REQ).

Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
(This used to be commit 7bee374b3f)

source4/auth/kerberos/kerberos.h

@@ -143,6 +143,7 @@ krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
 				    krb5_context context,
 				    krb5_keyblock *krbtgt_keyblock,
 				    krb5_keyblock *server_keyblock,
+				    time_t tgs_authtime,
 				    DATA_BLOB *pac);
 
 krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,

source4/auth/kerberos/kerberos_pac.c

@@ -385,6 +385,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 				     krb5_context context,
 				     krb5_keyblock *krbtgt_keyblock,
 				     krb5_keyblock *service_keyblock,
+				     time_t tgs_authtime,
 				     DATA_BLOB *pac)
 {
 	NTSTATUS nt_status;
@@ -478,7 +479,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 	LOGON_INFO->info3.base.last_logon	= timeval_to_nttime(&tv);
 
 	LOGON_NAME->account_name	= server_info->account_name;
-	LOGON_NAME->logon_time		= timeval_to_nttime(&tv);
+
+	/*
+	  this logon_time field is absolutely critical. This is what
+	  caused all our pac troubles :-)
+	*/
+	unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);
 
 	ret = kerberos_encode_pac(mem_ctx, 
 				  pac_data, 

source4/heimdal/kdc/kerberos5.c

@@ -1597,6 +1597,7 @@ tgs_make_reply(krb5_context context,
 	       EncTicketPart *tgt, 
 	       EncTicketPart *adtkt, 
 	       AuthorizationData *auth_data,
+	       krb5_ticket *tgs_ticket,
 	       hdb_entry *server, 
 	       hdb_entry *client, 
 	       krb5_principal client_principal, 
@@ -1774,6 +1775,7 @@ tgs_make_reply(krb5_context context,
 				client->principal,
 				tgtkey,
 				ekey,
+				tgs_ticket->ticket.authtime,
 				&pac);
 	    if (ret) {
 		    free_AuthorizationData(if_relevant);
@@ -2357,6 +2359,7 @@ tgs_rep2(krb5_context context,
 			     tgt, 
 			     b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL, 
 			     auth_data,
+			     ticket,
 			     server, 
 			     client, 
 			     cp, 

source4/kdc/pac-glue.c

@@ -26,11 +26,12 @@
 #include "kdc/pac-glue.h" /* Ensure we don't get this prototype wrong, as that could be painful */
 
  krb5_error_code samba_get_pac(krb5_context context, 
-			      struct krb5_kdc_configuration *config,
-			      krb5_principal client, 
-			      krb5_keyblock *krbtgt_keyblock, 
-			      krb5_keyblock *server_keyblock, 
-			      krb5_data *pac) 
+			       struct krb5_kdc_configuration *config,
+			       krb5_principal client, 
+			       krb5_keyblock *krbtgt_keyblock, 
+			       krb5_keyblock *server_keyblock, 
+			       time_t tgs_authtime,
+			       krb5_data *pac)
 {
 	krb5_error_code ret;
 	NTSTATUS nt_status;
@@ -74,6 +75,7 @@
 				  context, 
 				  krbtgt_keyblock,
 				  server_keyblock,
+				  tgs_authtime,
 				  &tmp_blob);
 
 	if (ret) {

source4/kdc/pac-glue.h

@@ -1,7 +1,8 @@
 
  krb5_error_code samba_get_pac(krb5_context context, 
-			      struct krb5_kdc_configuration *config,
-			      krb5_principal client, 
-			      krb5_keyblock *krbtgt_keyblock, 
-			      krb5_keyblock *server_keyblock, 
+			       struct krb5_kdc_configuration *config,
+			       krb5_principal client, 
+			       krb5_keyblock *krbtgt_keyblock, 
+			       krb5_keyblock *server_keyblock, 
+			       time_t tgs_authtime,
 			       krb5_data *pac);