Author: abartlet
Date: 2005-11-02 04:11:36 +0000 (Wed, 02 Nov 2005)
New Revision: 11469

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11469

Log:
Fix typo, and use the correct (RFC4120) session key for delegating
credentials.  This means we now delegate to Windows correctly.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/heimdal/lib/krb5/get_for_creds.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/lib/krb5/get_for_creds.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/krb5/get_for_creds.c  2005-11-02 
03:48:49 UTC (rev 11468)
+++ branches/SAMBA_4_0/source/heimdal/lib/krb5/get_for_creds.c  2005-11-02 
04:11:36 UTC (rev 11469)
@@ -378,16 +378,18 @@
        cred.enc_part.cipher.data = buf;
        cred.enc_part.cipher.length = buf_size;
     } else {
-       krb5_keyblock *key;
+           /* 
+            * RFC4120 claims we should use the session key, but Heimdal
+            * before 0.8 used the remote subkey if it was send in the
+            * auth_context.  
+            *
+            * Lorikeet-Heimdal is interested in windows compatiblity
+            * more than Heimdal compatability, so we must choose the
+            * session key, and break forwarding credentials to older
+            * Heimdal servers. 
+            */
 
-       if (auth_context->local_subkey)
-           key = auth_context->local_subkey;
-       else if (auth_context->remote_subkey)
-           key = auth_context->remote_subkey;
-       else
-           key = auth_context->keyblock;
-       
-       ret = krb5_crypto_init(context, key, 0, &crypto);
+       ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
        if (ret) {
            free(buf);
            free_KRB_CRED(&cred);
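Review bot: `auth_context->keyblock` is now passed straight to `krb5_crypto_init()` with no fallback, so an auth context that carries only a subkey (if that can occur on this path) would hand a NULL key to the crypto layer instead of failing cleanly. An explicit check before the call, returning an error after the same `free(buf); free_KRB_CRED(&cred);` cleanup used in the `if (ret)` branch, would make that case visible. The enclosing function starts and ends outside the hunk, so whether the keyblock is validated earlier cannot be seen from here. The new comment also says older Heimdal "used the remote subkey", while the removed lines preferred `local_subkey` and only then `remote_subkey`; suggest `Heimdal before 0.8 used the local (or else the remote) subkey if one was set in the auth_context`, and correct "send", "compatiblity" and "compatability" while there.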

Modified: branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c        2005-11-02 
03:48:49 UTC (rev 11468)
+++ branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c        2005-11-02 
04:11:36 UTC (rev 11469)
@@ -101,7 +101,7 @@
     } else {
        /* Try both subkey and session key.
         * 
-        * RFC2140 claims we should use the session key, but Heimdal
+        * RFC4120 claims we should use the session key, but Heimdal
         * before 0.8 used the remote subkey if it was send in the
         * auth_context.
         */
