s3-gse Don't get the auth time when validating the PAC
authorAndrew Bartlett <abartlet@samba.org>
Sat, 16 Apr 2011 06:03:44 +0000 (16:03 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Sat, 16 Apr 2011 09:48:06 +0000 (19:48 +1000)
All modern Kerberos libraries (those modern enough to support the
calls needed to obtain the PAC) have already validated it at the krb5 layer;
we don't need to do it here again, and doing so breaks against Heimdal
anyway.

Andrew Bartlett

source3/librpc/crypto/gse.c
source3/rpc_server/dcesrv_gssapi.c

index 6277338c0844e88f1753ba9679b631e4250a8c37..55e61422f79b054a581a0289efb7afe73426459e 100644 (file)
@@ -716,44 +716,6 @@ NTSTATUS gse_get_pac_data(struct gse_context *gse_ctx,
        return NT_STATUS_OK;    
 }
 
-NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime)
-{
-       OM_uint32 gss_min, gss_maj;
-       gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
-       int32_t tkttime;
-
-       if (!gse_ctx->authenticated) {
-               return NT_STATUS_ACCESS_DENIED;
-       }
-
-       gss_maj = gss_inquire_sec_context_by_oid(
-                               &gss_min, gse_ctx->gss_ctx,
-                               &gse_authtime_oid, &set);
-       if (gss_maj) {
-               DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
-                         gse_errstr(talloc_tos(), gss_maj, gss_min)));
-               return NT_STATUS_NOT_FOUND;
-       }
-
-       if ((set == GSS_C_NO_BUFFER_SET) || (set->count != 1) != 0) {
-               DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
-                         "data in results.\n"));
-               return NT_STATUS_INTERNAL_ERROR;
-       }
-
-       if (set->elements[0].length != sizeof(int32_t)) {
-               DEBUG(0, ("Invalid authtime size!\n"));
-               return NT_STATUS_INTERNAL_ERROR;
-       }
-
-       tkttime = *((int32_t *)set->elements[0].value);
-
-       gss_maj = gss_release_buffer_set(&gss_min, &set);
-
-       *authtime = (time_t)tkttime;
-       return NT_STATUS_OK;
-}
-
 size_t gse_get_signature_length(struct gse_context *gse_ctx,
                                int seal, size_t payload_size)
 {
@@ -1007,11 +969,6 @@ NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
        return NT_STATUS_NOT_IMPLEMENTED;
 }
 
-NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime)
-{
-       return NT_STATUS_NOT_IMPLEMENTED;
-}
-
 size_t gse_get_signature_length(struct gse_context *gse_ctx,
                                int seal, size_t payload_size)
 {
index c289adcd8792945d1ffbf8b45bc03ca6d1678004..41fc3b6a8f70f0bd0a17c37c6cf3e3c3af531f5a 100644 (file)
@@ -105,8 +105,6 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
                                     struct auth_serversupplied_info **server_info)
 {
        TALLOC_CTX *tmp_ctx;
-       time_t tgs_authtime;
-       NTTIME tgs_authtime_nttime;
        DATA_BLOB pac;
        struct PAC_DATA *pac_data;
        struct PAC_LOGON_NAME *logon_name = NULL;
@@ -143,12 +141,6 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
                goto done;
        }
 
-       status = gse_get_authtime(gse_ctx, &tgs_authtime);
-       if (!NT_STATUS_IS_OK(status)) {
-               goto done;
-       }
-       unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
-
        pac_data = talloc_zero(tmp_ctx, struct PAC_DATA);
        if (!pac_data) {
                status = NT_STATUS_NO_MEMORY;
@@ -192,16 +184,6 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
                goto done;
        }
 
-       /* check time */
-       if (tgs_authtime_nttime != logon_name->logon_time) {
-               DEBUG(1, ("Logon time mismatch between ticket and PAC!\n"
-                         "PAC Time = %s | Ticket Time = %s\n",
-                         nt_time_string(tmp_ctx, logon_name->logon_time),
-                         nt_time_string(tmp_ctx, tgs_authtime_nttime)));
-               status = NT_STATUS_ACCESS_DENIED;
-               goto done;
-       }
-
        /* TODO: Should we check princ_name against account_name in
         * logon_name ? Are they supposed to be identical, or can an
         * account_name be different from the UPN ? */