heimdal: Try to handle the PAC checking when we are in a cross-realm environment
authorAndrew Bartlett <abartlet@samba.org>
Mon, 5 Sep 2011 02:17:11 +0000 (12:17 +1000)
committerLove Hornquist Astrand <lha@h5l.org>
Fri, 9 Sep 2011 08:20:52 +0000 (10:20 +0200)
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
kdc/krb5tgs.c

index 5bf68cdfdc23a9db4807832a44581c2efbfbeccc..ec0776333f034418c396b9e37761ddfe0f2b82ba 100644 (file)
@@ -1508,6 +1508,7 @@ tgs_build_reply(krb5_context context,
 
     Key *tkey_check;
     Key *tkey_sign;
+    Key *tkey_krbtgt_check = NULL;
     int flags = HDB_F_FOR_TGS_REQ;
 
     memset(&sessionkey, 0, sizeof(sessionkey));
@@ -1795,6 +1796,13 @@ server_lookup:
        goto out;
     }
 
+    /* Check if we would know the krbtgt key for the PAC.  We would
+     * only know this if the krbtgt principal was the same (ie, in our
+     * realm, regardless of KVNO) */
+    if (krb5_principal_compare(context, krbtgt_out->entry.principal, krbtgt->entry.principal)) {
+       tkey_krbtgt_check = tkey_check;
+    }
+
     ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
                        NULL, &clientdb, &client);
     if(ret == HDB_ERR_NOT_FOUND_HERE) {
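Review bot: The new comment says when tkey_check is reused but not why it is the right key for the PAC's KDC signature; tkey_check is selected outside this hunk, so a reader cannot see that it is this realm's krbtgt key at the incoming TGT's KVNO. Presumably that is also the key the PAC was signed with when this realm issued the TGT, which is what makes the reuse sound and what makes the cross-realm case unverifiable — worth stating, e.g. `/* tkey_check is our krbtgt key at the TGT's kvno, i.e. the key the PAC's KDC signature was made with when we issued the TGT; for a cross-realm TGT that key belongs to the other realm, so tkey_krbtgt_check stays NULL */`. Note that krb5_principal_compare also compares the realm component, so this is effectively a same-realm test. tgs_build_reply's body continues on both sides of the hunk.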
@@ -1827,7 +1835,8 @@ server_lookup:
 
     ret = check_PAC(context, config, cp, NULL,
                    client, server, krbtgt,
-                   &tkey_check->key, &tkey_check->key,
+                   &tkey_check->key,
+                   tkey_krbtgt_check ? &tkey_krbtgt_check->key : NULL,
                    ekey, &tkey_sign->key,
                    tgt, &rspac, &signedpath);
     if (ret) {
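Review bot: Passing NULL as the krbtgt key makes correctness depend on check_PAC treating a NULL key as "KDC signature cannot be verified here", and that contract is not visible in this hunk; if check_PAC dereferences the pointer or treats NULL as verified, a cross-realm TGT would carry a PAC whose KDC signature was never checked before this KDC re-signs it. The call site should say what it relies on, e.g. `/* NULL krbtgt key: cross-realm TGT, the issuing realm's krbtgt key is unknown, so check_PAC can only verify the server signature */`, and a kdc_log entry in the NULL case would make PACs that pass through without KDC-signature verification visible in the audit trail. The enclosing function tgs_build_reply continues outside the hunk.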