r9648: this fixes the krb5 based login with the pac. The key to this whole saga was
authorAndrew Tridgell <tridge@samba.org>
Fri, 26 Aug 2005 11:52:35 +0000 (11:52 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:34:37 +0000 (13:34 -0500)
that the logon_time field in the pac must match the authtime field in the ticket we
gave the client in the AS-REP (and thus also the authtime field in the ticket we get
back in the TGS-REQ).

Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
(This used to be commit 7bee374b3ffcdb0424a83f909fe5ad504ea3882e)

source4/auth/kerberos/kerberos.h
source4/auth/kerberos/kerberos_pac.c
source4/heimdal/kdc/kerberos5.c
source4/kdc/pac-glue.c
source4/kdc/pac-glue.h

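--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -143,6 +143,7 @@ krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
                                    krb5_context context,
                                    krb5_keyblock *krbtgt_keyblock,
                                    krb5_keyblock *server_keyblock,
+                                   time_t tgs_authtime,
                                    DATA_BLOB *pac);
 
 krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,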
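Review bot: The new `tgs_authtime` parameter of `kerberos_create_pac` is undocumented in this header, and the same applies to the new parameter of `samba_get_pac` in pac-glue.h, so a caller cannot tell which of the several Kerberos times is expected here. Propose a comment above the prototype: `/* tgs_authtime: authtime of the TGT presented in the TGS-REQ (the authtime issued in the AS-REP); it is written to the PAC's logon_time, which must match the ticket's authtime. */`. If kerberos.h does not already include `<time.h>` (not visible here), the `time_t` in the prototype also needs that include.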
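--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -385,6 +385,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
                                     krb5_context context,
                                     krb5_keyblock *krbtgt_keyblock,
                                     krb5_keyblock *service_keyblock,
+                                    time_t tgs_authtime,
                                     DATA_BLOB *pac)
 {
        NTSTATUS nt_status;
@@ -478,7 +479,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
        LOGON_INFO->info3.base.last_logon       = timeval_to_nttime(&tv);
 
        LOGON_NAME->account_name        = server_info->account_name;
-       LOGON_NAME->logon_time          = timeval_to_nttime(&tv);
+
+       /*
+         this logon_time field is absolutely critical. This is what
+         caused all our pac troubles :-)
+       */
+       unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);
 
        ret = kerberos_encode_pac(mem_ctx, 
                                  pac_data, 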
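Review bot: The comment added above `unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);` says the field is critical but not why, so the next maintainer cannot tell which constraint it protects and may "fix" it back to the current time. The reason is in the commit message and belongs in the code: `/* logon_time must equal the authtime of the ticket issued in the AS-REP (and hence of the TGT presented in the TGS-REQ); a PAC whose logon_time differs is not accepted. */`. Since `last_logon` a few lines above still uses the current time `tv`, which appears intentional, the comment should also make clear that only logon_time is tied to the ticket. The enclosing function starts and ends outside the hunk.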
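--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1597,6 +1597,7 @@ tgs_make_reply(krb5_context context,
               EncTicketPart *tgt, 
               EncTicketPart *adtkt, 
               AuthorizationData *auth_data,
+              krb5_ticket *tgs_ticket,
               hdb_entry *server, 
               hdb_entry *client, 
               krb5_principal client_principal, 
@@ -1774,6 +1775,7 @@ tgs_make_reply(krb5_context context,
                                client->principal,
                                tgtkey,
                                ekey,
+                               tgs_ticket->ticket.authtime,
                                &pac);
            if (ret) {
                    free_AuthorizationData(if_relevant);
@@ -2357,6 +2359,7 @@ tgs_rep2(krb5_context context,
                             tgt, 
                             b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL, 
                             auth_data,
+                            ticket,
                             server, 
                             client, 
                             cp, 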
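Review bot: `tgs_make_reply` already receives `EncTicketPart *tgt`, and the only use of the new `tgs_ticket` parameter in the second hunk is `tgs_ticket->ticket.authtime`; if `tgt` is the decrypted part of that same TGT (it looks like `&ticket->ticket` in tgs_rep2, but that line is outside the hunk), then `tgt->authtime,` at that call site would give the same value without widening the signature. If the extra parameter is kept, it is dereferenced without a NULL check, so either a guard or a comment on the parameter stating it must be non-NULL would help. On the positive side the authtime is taken from the KDC-decrypted TGT rather than from client-controlled plaintext, which is the right source for a value the PAC must match. Both functions start and end outside their hunks.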
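--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
 #include "kdc/pac-glue.h" /* Ensure we don't get this prototype wrong, as that could be painful */
 
  krb5_error_code samba_get_pac(krb5_context context, 
-                             struct krb5_kdc_configuration *config,
-                             krb5_principal client, 
-                             krb5_keyblock *krbtgt_keyblock, 
-                             krb5_keyblock *server_keyblock, 
-                             krb5_data *pac) 
+                              struct krb5_kdc_configuration *config,
+                              krb5_principal client, 
+                              krb5_keyblock *krbtgt_keyblock, 
+                              krb5_keyblock *server_keyblock, 
+                              time_t tgs_authtime,
+                              krb5_data *pac)
 {
        krb5_error_code ret;
        NTSTATUS nt_status;
@@ -74,6 +75,7 @@
                                  context, 
                                  krbtgt_keyblock,
                                  server_keyblock,
+                                 tgs_authtime,
                                  &tmp_blob);
 
        if (ret) {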
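Review bot: The parameter lines from `struct krb5_kdc_configuration *config,` through `krb5_keyblock *server_keyblock,` in the first hunk (and the same lines in pac-glue.h) are removed and re-added only to shift their indentation by one column, which buries the one real change, `time_t tgs_authtime,`, in whitespace churn and pollutes blame. Keep the existing alignment for the unchanged lines, or do the reindent in a separate whitespace-only commit. The first hunk is shown without its `@@` header, and `samba_get_pac`'s body continues outside the hunks.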
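--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -1,7 +1,8 @@
 
  krb5_error_code samba_get_pac(krb5_context context, 
-                             struct krb5_kdc_configuration *config,
-                             krb5_principal client, 
-                             krb5_keyblock *krbtgt_keyblock, 
-                             krb5_keyblock *server_keyblock, 
+                              struct krb5_kdc_configuration *config,
+                              krb5_principal client, 
+                              krb5_keyblock *krbtgt_keyblock, 
+                              krb5_keyblock *server_keyblock, 
+                              time_t tgs_authtime,
                               krb5_data *pac);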