Love Hörnquist Åstrand wrote:
15 jan 2007 kl. 23.24 skrev Douglas E. Engert:
The code was not checking if this was the case and always using the
skey and thus would fail to decrypt PAC_SERVER_CHECKSUM.
This is fixed by post 0.8-rc3, I got the same bug report from
Andrew Bartlett.
Are you sure this is correct you patch is correct, I would think
it should
use the o->ticket in the enc_tkt_in_skey case.
I though that was what I did. If the KDC_OPT_ENC_TKT_IN_SKEY is on,
then use the session key: &o->ticket->ticket.key otherwise use the
key used to decrypt the ticket whoich looked liek the o->keyblock.
But looking closer at 791, if (ap_req.ap_options.use_sesion_key...
Is this where the auth_context->keyblock is copied to the o->keyblock
the key to be used? in which case the mod should always use the o-
>keytab.
Then what is the &o->ticket->ticket.key ?
its the session key between the client and the server that is inside
the ticket.
But the text from the MS page say it should be use the key that was used
to encrypt the ticket itself, and that is not the key inside that
ticket.
> Do you have any setup
where you can try out the u2u case easily in a windows domain ?
No.
I just tried it on my w2k3server setup by talking to myself
and it wont even see the enc-tkt-in-skey flag since its on the "server"
(not so helpfully named uu_client in appl/test in heimdal).
Love
