git.samba.org - gd/samba-autobuild/.git/commit

author	Isaac Boukris <iboukris@gmail.com>
	Mon, 12 Nov 2018 10:26:25 +0000 (12:26 +0200)
committer	Andrew Bartlett <abartlet@samba.org>
	Thu, 11 Jun 2020 02:48:58 +0000 (02:48 +0000)
commit	6095a4f0d58cad3dde6e76cadd7bcae0a240c9e6
tree	b6b3f9e5676f557109e3d44e11ddc4562fd3b709	tree
parent	c8080bbd708eaa3212fa516861ac9e3b267989a0	commit \| diff

kdc: allow checksum of PA-FOR-USER to be HMAC_MD5

even if the tgt session key uses different hmac.

Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is
always HMAC_MD5, and that's what windows 7 client
and MIT client send.

In heimdal both the client and kdc use the checksum of
the tgt key instead and therefore work with each other
but windows and MIT clients fail against heimdal KDC.

Windows KDC allows either checksum (HMAC_MD5 or from
tgt) so we should do the same to support all clients.

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 11 02:48:58 UTC 2020 on sn-devel-184

selftest/knownfail		diff \| blob \| history
source4/heimdal/kdc/krb5tgs.c		diff \| blob \| history
source4/heimdal/lib/krb5/version-script.map		diff \| blob \| history