Author: tridge Date: 2005-08-26 11:52:35 +0000 (Fri, 26 Aug 2005) New Revision: 9648
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9648
Log: this fixes the krb5 based login with the pac. The key to this whole saga was that the logon_time field in the pac must match the authtime field in the ticket we gave the client in the AS-REP (and thus also the authtime field in the ticket we get back in the TGS-REQ). Many thanks to Andrew Bartlett for his patience in showing me the basic ropes of all this code! This was a joint effort.
Modified:
branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
branches/SAMBA_4_0/source/kdc/pac-glue.c
branches/SAMBA_4_0/source/kdc/pac-glue.h
Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos.h 2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos.h 2005-08-26 11:52:35 UTC (rev 9648)
@@ -143,6 +143,7 @@
 krb5_context context,
 krb5_keyblock *krbtgt_keyblock,
 krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
 DATA_BLOB *pac);
 krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c 2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c 2005-08-26 11:52:35 UTC (rev 9648)
@@ -385,6 +385,7 @@
 krb5_context context,
 krb5_keyblock *krbtgt_keyblock,
 krb5_keyblock *service_keyblock,
+ time_t tgs_authtime,
 DATA_BLOB *pac)
 {
 NTSTATUS nt_status;
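Review bot: The added `time_t tgs_authtime` parameter is undocumented in this declaration, and the same holds for the pac-glue.h prototype and the pac-glue.c definition of samba_get_pac. Nothing in the headers tells a caller which time it must pass; the kerberos5.c hunks show it is the authtime of the ticket presented in the TGS-REQ, and the kerberos_pac.c hunk shows it becomes the PAC's logon_time, which the commit log says must match that ticket. Suggest a comment on the parameter line in all three places, `time_t tgs_authtime, /* authtime of the TGT from the TGS-REQ; becomes PAC logon_time and must match it */`. The declaration this hunk belongs to starts before the hunk.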
@@ -478,8 +479,13 @@
 LOGON_INFO->info3.base.last_logon = timeval_to_nttime(&tv);
 LOGON_NAME->account_name = server_info->account_name;
- LOGON_NAME->logon_time = timeval_to_nttime(&tv);
+ /*
+ this logon_time field is absolutely critical. This is what
+ caused all our pac troubles :-)
+ */
+ unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);
+ ret = kerberos_encode_pac(mem_ctx, pac_data, context,
Modified: branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c 2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c 2005-08-26 11:52:35 UTC (rev 9648)
@@ -1597,6 +1597,7 @@
 EncTicketPart *tgt,
 EncTicketPart *adtkt,
 AuthorizationData *auth_data,
+ krb5_ticket *tgs_ticket,
 hdb_entry *server,
 hdb_entry *client,
 krb5_principal client_principal,
@@ -1774,6 +1775,7 @@
 client->principal,
 tgtkey,
 ekey,
+ tgs_ticket->ticket.authtime,
 &pac);
 if (ret) {
 free_AuthorizationData(if_relevant);
@@ -2357,6 +2359,7 @@
 tgt,
 b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL,
 auth_data,
+ ticket,
 server,
 client,
 cp,
Modified: branches/SAMBA_4_0/source/kdc/pac-glue.c
===================================================================
--- branches/SAMBA_4_0/source/kdc/pac-glue.c 2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/kdc/pac-glue.c 2005-08-26 11:52:35 UTC (rev 9648)
@@ -26,11 +26,12 @@
 #include "kdc/pac-glue.h"
 /* Ensure we don't get this prototype wrong, as that could be painful */
 krb5_error_code samba_get_pac(krb5_context context,
- struct krb5_kdc_configuration *config,
- krb5_principal client,
- krb5_keyblock *krbtgt_keyblock,
- krb5_keyblock *server_keyblock,
- krb5_data *pac)
+ struct krb5_kdc_configuration *config,
+ krb5_principal client,
+ krb5_keyblock *krbtgt_keyblock,
+ krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
+ krb5_data *pac)
 {
 krb5_error_code ret;
 NTSTATUS nt_status;
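Review bot: The new comment above the logon_time assignment records that the field caused trouble but not the invariant the code now relies on, which the commit log spells out: logon_time must equal the authtime of the ticket issued in the AS-REP, i.e. the authtime of the TGT presented in the TGS-REQ, and the log reports krb5 login with a PAC failing when they differ. Suggest replacing the three comment lines with `/* logon_time must equal the authtime of the TGT presented in the TGS-REQ (the ticket issued in the AS-REP); krb5 login with a PAC fails if they differ */`. It is also worth saying there that `last_logon` a few lines up still comes from the local `tv` timestamp, so the two fields intentionally no longer share a source. The function this hunk belongs to starts and ends outside the hunk.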
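Review bot: The second kerberos5.c hunk dereferences the new parameter, `tgs_ticket->ticket.authtime`, inside the argument list with no check and no statement of the precondition, while the third hunk shows the same call deliberately passing NULL for the neighbouring `adtkt` argument, so a reader cannot tell from the signature which pointers are optional. The only visible caller passes `ticket`, which is presumably the decrypted TGT of the TGS-REQ and non-NULL there, but that is not documented. Suggest annotating the parameter in the first kerberos5.c hunk, `krb5_ticket *tgs_ticket, /* TGT presented in the TGS-REQ; must not be NULL, its authtime becomes the PAC logon_time */`. The function these three hunks belong to starts and ends outside them.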
@@ -74,6 +75,7 @@
 context,
 krbtgt_keyblock,
 server_keyblock,
+ tgs_authtime,
 &tmp_blob);
 if (ret) {
Modified: branches/SAMBA_4_0/source/kdc/pac-glue.h
===================================================================
--- branches/SAMBA_4_0/source/kdc/pac-glue.h 2005-08-26 11:42:21 UTC (rev 9647)
+++ branches/SAMBA_4_0/source/kdc/pac-glue.h 2005-08-26 11:52:35 UTC (rev 9648)
@@ -1,7 +1,8 @@
 krb5_error_code samba_get_pac(krb5_context context,
- struct krb5_kdc_configuration *config,
- krb5_principal client,
- krb5_keyblock *krbtgt_keyblock,
- krb5_keyblock *server_keyblock,
+ struct krb5_kdc_configuration *config,
+ krb5_principal client,
+ krb5_keyblock *krbtgt_keyblock,
+ krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
 krb5_data *pac);
