r15523: Honour the time_offset also when verifying kerberos tickets. This
authorGünther Deschner <gd@samba.org>
Tue, 9 May 2006 19:02:26 +0000 (19:02 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 16:16:55 +0000 (11:16 -0500)
prevents a nasty failure condition in winbindd's pam_auth where a tgt
and a service ticket could have been successfully retrieved, but just not
validated.

Guenther
(This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)

source3/libads/kerberos_verify.c
source3/nsswitch/winbindd_pam.c
source3/smbd/sesssetup.c
source3/utils/ntlm_auth.c

index fa957aa9c0688ae69734b13e9f9dea1150b48cbb..525a9cfa27ca312b43a0d25ea60fa7d6860577d0 100644 (file)
@@ -286,7 +286,8 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au
 ***********************************************************************************/
 
 NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
-                          const char *realm, const DATA_BLOB *ticket, 
+                          const char *realm, time_t time_offset,
+                          const DATA_BLOB *ticket, 
                           char **principal, PAC_DATA **pac_data,
                           DATA_BLOB *ap_rep,
                           DATA_BLOB *session_key)
@@ -323,6 +324,10 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
                return NT_STATUS_LOGON_FAILURE;
        }
 
+       if (time_offset != 0) {
+               krb5_set_real_time(context, time(NULL) + time_offset, 0);
+       }
+
        ret = krb5_set_default_realm(context, realm);
        if (ret) {
                DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
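Review bot: The return value of krb5_set_real_time() in the added block is discarded, while the krb5_set_default_realm() call directly below it is checked and logged; if the clock adjustment fails, the ticket would later be rejected for skew with no diagnostic pointing at the cause. Suggest `ret = krb5_set_real_time(context, time(NULL) + time_offset, 0);` followed by `if (ret) { DEBUG(1,("ads_verify_ticket: krb5_set_real_time failed (%s)\n", error_message(ret))); }`, and deciding explicitly whether the function should bail out or continue on that failure. The header comment above the signature (its tail is visible at the top of the first hunk) should also gain a line for the new parameter, e.g. that time_offset is the number of seconds added to local time so the context's clock matches the KDC. ads_verify_ticket's body continues outside both hunks.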
index ad2127452ca30f1439c537d38c9da281436afda5..243d2a7838638923de680ae5e76582a3a36c714a 100644 (file)
@@ -540,6 +540,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 
        result = ads_verify_ticket(state->mem_ctx, 
                                   lp_realm(), 
+                                  time_offset,
                                   &tkt, 
                                   &client_princ_out, 
                                   &pac_data, 
index b086090bd98a87d5f11c8270c68ae16381f2e4c4..8fe01a19b345b42a17d8d36b7d9f6997f9443953 100644 (file)
@@ -194,7 +194,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
                return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
        }
 
-       ret = ads_verify_ticket(mem_ctx, lp_realm(), &ticket, &client, &pac_data, &ap_rep, &session_key);
+       ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket, &client, &pac_data, &ap_rep, &session_key);
 
        data_blob_free(&ticket);
 
index 2e879cc113250dd12249acf3486c133b849c04e8..ef24f9f16117eab2b2a77ff886a6395918870b9e 100644 (file)
@@ -916,7 +916,7 @@ static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode,
                        response.negTokenTarg.mechListMIC = data_blob(NULL, 0);
                        response.negTokenTarg.responseToken = data_blob(NULL, 0);
 
-                       status = ads_verify_ticket(mem_ctx, lp_realm(),
+                       status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
                                                   &request.negTokenInit.mechToken,
                                                   &principal, NULL, &ap_rep,
                                                   &session_key);