that the logon_time field in the pac must match the authtime field in the ticket we
gave the client in the AS-REP (and thus also the authtime field in the ticket we get
back in the TGS-REQ).
Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
(This used to be commit
7bee374b3ffcdb0424a83f909fe5ad504ea3882e)
krb5_context context,
krb5_keyblock *krbtgt_keyblock,
krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
DATA_BLOB *pac);
krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
krb5_context context,
krb5_keyblock *krbtgt_keyblock,
krb5_keyblock *service_keyblock,
+ time_t tgs_authtime,
DATA_BLOB *pac)
{
NTSTATUS nt_status;
LOGON_INFO->info3.base.last_logon = timeval_to_nttime(&tv);
LOGON_NAME->account_name = server_info->account_name;
- LOGON_NAME->logon_time = timeval_to_nttime(&tv);
+
+ /*
+ this logon_time field is absolutely critical. This is what
+ caused all our pac troubles :-)
+ */
+ unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);
ret = kerberos_encode_pac(mem_ctx,
pac_data,
EncTicketPart *tgt,
EncTicketPart *adtkt,
AuthorizationData *auth_data,
+ krb5_ticket *tgs_ticket,
hdb_entry *server,
hdb_entry *client,
krb5_principal client_principal,
client->principal,
tgtkey,
ekey,
+ tgs_ticket->ticket.authtime,
&pac);
if (ret) {
free_AuthorizationData(if_relevant);
tgt,
b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL,
auth_data,
+ ticket,
server,
client,
cp,
#include "kdc/pac-glue.h" /* Ensure we don't get this prototype wrong, as that could be painful */
krb5_error_code samba_get_pac(krb5_context context,
- struct krb5_kdc_configuration *config,
- krb5_principal client,
- krb5_keyblock *krbtgt_keyblock,
- krb5_keyblock *server_keyblock,
- krb5_data *pac)
+ struct krb5_kdc_configuration *config,
+ krb5_principal client,
+ krb5_keyblock *krbtgt_keyblock,
+ krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
+ krb5_data *pac)
{
krb5_error_code ret;
NTSTATUS nt_status;
context,
krbtgt_keyblock,
server_keyblock,
+ tgs_authtime,
&tmp_blob);
if (ret) {
krb5_error_code samba_get_pac(krb5_context context,
- struct krb5_kdc_configuration *config,
- krb5_principal client,
- krb5_keyblock *krbtgt_keyblock,
- krb5_keyblock *server_keyblock,
+ struct krb5_kdc_configuration *config,
+ krb5_principal client,
+ krb5_keyblock *krbtgt_keyblock,
+ krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
krb5_data *pac);