Author: abartlet Date: 2005-11-02 04:30:38 +0000 (Wed, 02 Nov 2005) New Revision: 491
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=491 Log: Merge from Samba4 fixes for delegated credentials, as well as a typo fix in reference to RFC4120 (not 2140, TCP Control Block Interdependence ;-). Andrew Bartlett Modified: trunk/heimdal/lib/gssapi/init_sec_context.c trunk/heimdal/lib/krb5/get_for_creds.c trunk/heimdal/lib/krb5/rd_cred.c Changeset: Modified: trunk/heimdal/lib/gssapi/init_sec_context.c =================================================================== --- trunk/heimdal/lib/gssapi/init_sec_context.c 2005-11-02 02:23:40 UTC (rev 490) +++ trunk/heimdal/lib/gssapi/init_sec_context.c 2005-11-02 04:30:38 UTC (rev 491) @@ -275,7 +275,7 @@ krb5_creds *cred, const gss_name_t target_name, krb5_data *fwd_data, - int *flags) + u_int32_t *flags) { krb5_creds creds; krb5_kdc_flags fwd_flags; @@ -406,9 +406,26 @@ flags = 0; ap_options = 0; + /* + * If the realm policy approves a delegation, lets check local + * policy if the credentials should be delegated, defafult to + * false. + */ + if (cred->flags.b.ok_as_delegate) { + krb5_boolean delegate = FALSE; + + _gss_check_compat(NULL, target_name, "ok-as-delegate", + &delegate, TRUE); + krb5_appdefault_boolean(gssapi_krb5_context, + "gssapi", target_name->realm, + "ok-as-delegate", delegate, &delegate); + if (delegate) + req_flags |= GSS_C_DELEG_FLAG; + } + if (req_flags & GSS_C_DELEG_FLAG) { do_delegation((*context_handle)->auth_context, - ccache, cred, target_name, &fwd_data, &flags); + ccache, cred, target_name, &fwd_data, &flags); } if (req_flags & GSS_C_MUTUAL_FLAG) { 
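Review bot: The return value of `_gss_check_compat(NULL, target_name, "ok-as-delegate", &delegate, TRUE)` is dropped, so a lookup error and "no compat entry" both leave `delegate` FALSE; that is fail-closed, which is the right direction for a decision that forwards the caller's TGT, but nothing in the comment says so, and `minor_status` is passed as NULL, which is only safe if the helper never writes through it on an error path (its body is not in this diff). Spell the intent out, e.g. `/* A failed compat lookup leaves delegate FALSE: never delegate by accident. */`, and fix the comment typos "lets" → "let's" and "defafult" → "default". The block also ORs GSS_C_DELEG_FLAG into `req_flags` when the application did not request delegation, driven by the ticket's ok-as-delegate bit and the `gssapi`/realm `ok-as-delegate` appdefault; the comment should state explicitly that this can forward credentials the caller never asked to send, since that is the security-relevant effect of the hunk. The enclosing function starts and ends outside the hunk.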
@@ -542,8 +559,8 @@ krb5_error_code kret; krb5_data inbuf; u_int32_t flags = (*context_handle)->flags; - OM_uint32 l_seq_number; - OM_uint32 r_seq_number; + int32_t l_seq_number; + int32_t r_seq_number; /* We need to decapsulate the AP_REP if GSS_C_DCE_STYLE isn't in use */ { Modified: trunk/heimdal/lib/krb5/get_for_creds.c =================================================================== --- trunk/heimdal/lib/krb5/get_for_creds.c 2005-11-02 02:23:40 UTC (rev 490) +++ trunk/heimdal/lib/krb5/get_for_creds.c 2005-11-02 04:30:38 UTC (rev 491) @@ -378,16 +378,18 @@ cred.enc_part.cipher.data = buf; cred.enc_part.cipher.length = buf_size; } else { - krb5_keyblock *key; + /* + * RFC4120 claims we should use the session key, but Heimdal + * before 0.8 used the remote subkey if it was send in the + * auth_context. + * + * Lorikeet-Heimdal is interested in windows compatiblity + * more than Heimdal compatability, so we must choose the + * session key, and break forwarding credentials to older + * Heimdal servers. + */ - if (auth_context->local_subkey) - key = auth_context->local_subkey; - else if (auth_context->remote_subkey) - key = auth_context->remote_subkey; - else - key = auth_context->keyblock; - - ret = krb5_crypto_init(context, key, 0, &crypto); + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); if (ret) { free(buf); free_KRB_CRED(&cred); Modified: trunk/heimdal/lib/krb5/rd_cred.c =================================================================== --- trunk/heimdal/lib/krb5/rd_cred.c 2005-11-02 02:23:40 UTC (rev 490) +++ trunk/heimdal/lib/krb5/rd_cred.c 2005-11-02 04:30:38 UTC (rev 491) @@ -101,7 +101,7 @@ } else { /* Try both subkey and session key. * - * RFC2140 claims we should use the session key, but Heimdal + * RFC4120 claims we should use the session key, but Heimdal * before 0.8 used the remote subkey if it was send in the * auth_context. */
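Review bot: The new comment above `ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);` explains why the session key is now chosen but not what the receiving side does; rd_cred.c (later in this changeset) still tries both subkey and session key, so the interoperability break is confined to pre-0.8 Heimdal receivers, and naming that asymmetry in the comment saves the next reader a trip to rd_cred.c. Carry over the spelling fixes as well: "send" → "sent", "compatiblity"/"compatability" → "compatibility". Because the key choice is now unconditional, the `local_subkey`/`remote_subkey` stored in `auth_context` are silently ignored here; a one-line comment such as `/* local_subkey/remote_subkey are deliberately not used: see above. */` would make clear that this is intentional rather than an oversight. The enclosing function starts and ends outside the hunk.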
