r11469: Fix typo, and use the correct (RFC4120) session key for delegating

credentials.  This means we now delegate to windows correctly.

Andrew Bartlett

source/heimdal/lib/krb5/get_for_creds.c

@@ -378,16 +378,18 @@ krb5_get_forwarded_creds (krb5_context	    context,
 	cred.enc_part.cipher.data = buf;
 	cred.enc_part.cipher.length = buf_size;
     } else {
-	krb5_keyblock *key;
+	    /* 
+	     * RFC4120 claims we should use the session key, but Heimdal
+	     * before 0.8 used the remote subkey if it was send in the
+	     * auth_context.  
+	     *
+	     * Lorikeet-Heimdal is interested in windows compatiblity
+	     * more than Heimdal compatability, so we must choose the
+	     * session key, and break forwarding credentials to older
+	     * Heimdal servers. 
+	     */
 
-	if (auth_context->local_subkey)
-	    key = auth_context->local_subkey;
-	else if (auth_context->remote_subkey)
-	    key = auth_context->remote_subkey;
-	else
-	    key = auth_context->keyblock;
-	
-	ret = krb5_crypto_init(context, key, 0, &crypto);
+	ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
 	if (ret) {
 	    free(buf);
 	    free_KRB_CRED(&cred);

source/heimdal/lib/krb5/rd_cred.c

@@ -101,7 +101,7 @@ krb5_rd_cred(krb5_context context,
     } else {
 	/* Try both subkey and session key.
 	 * 
-	 * RFC2140 claims we should use the session key, but Heimdal
+	 * RFC4120 claims we should use the session key, but Heimdal
 	 * before 0.8 used the remote subkey if it was send in the
 	 * auth_context.
 	 */