mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
2d2da2af26
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed witht the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vide versa.
Closes: #767
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton@samba.org Backported from Heimdal commit
2ffaba9401d19c718764d4bd24180960290238e9
- Removed tests
- Adapted to Samba's version of Heimdal
- Addressed build failures with -O3
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit
|
||
---|---|---|
.. | ||
include | ||
krb5 | ||
asn1_compile_wrapper.sh | ||
config.h | ||
crypto-headers.h | ||
et_compile_wrapper.sh | ||
gssapi-glue.c | ||
hdb-glue.c | ||
ifaddrs.hin | ||
kafs.h | ||
krb5-glue.c | ||
lexyacc.sh | ||
perl_path_wrapper.sh | ||
print_version.h | ||
replace.c | ||
roken.h | ||
version.c | ||
vis.h | ||
wscript_build | ||
wscript_configure |