While Windows will accept this ticket without the wrapping, it is
nicer to follow the standard and wrap it up in GSSAPI.
This should allow the ntlm_auth gss-spnego-client to talk to
the ntlm_auth gss-spnego server.
Reported by Christof Schmitt <christof.schmitt@us.ibm.com>
Andrew Bartlett
static bool manage_client_krb5_init(struct spnego_data spnego)
{
char *principal;
static bool manage_client_krb5_init(struct spnego_data spnego)
{
char *principal;
- DATA_BLOB tkt, to_server;
+ DATA_BLOB tkt, tkt_wrapped, to_server;
DATA_BLOB session_key_krb5 = data_blob_null;
struct spnego_data reply;
char *reply_base64;
DATA_BLOB session_key_krb5 = data_blob_null;
struct spnego_data reply;
char *reply_base64;
DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval)));
return False;
}
DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval)));
return False;
}
+ /* wrap that up in a nice GSS-API wrapping */
+ tkt_wrapped = spnego_gen_krb5_wrap(ctx, tkt, TOK_ID_KRB_AP_REQ);
+
data_blob_free(&session_key_krb5);
ZERO_STRUCT(reply);
data_blob_free(&session_key_krb5);
ZERO_STRUCT(reply);
reply.negTokenInit.mechTypes = my_mechs;
reply.negTokenInit.reqFlags = data_blob_null;
reply.negTokenInit.reqFlagsPadding = 0;
reply.negTokenInit.mechTypes = my_mechs;
reply.negTokenInit.reqFlags = data_blob_null;
reply.negTokenInit.reqFlagsPadding = 0;
- reply.negTokenInit.mechToken = tkt;
+ reply.negTokenInit.mechToken = tkt_wrapped;
reply.negTokenInit.mechListMIC = data_blob_null;
len = spnego_write_data(ctx, &to_server, &reply);
reply.negTokenInit.mechListMIC = data_blob_null;
len = spnego_write_data(ctx, &to_server, &reply);
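Review bot: The blob returned by `spnego_gen_krb5_wrap()` on the new `tkt_wrapped = ...` line is assigned to `reply.negTokenInit.mechToken` without being checked; if the ASN.1 wrapping fails (the helper appears to signal that with an empty blob rather than an error code) an empty mechToken is still written into the negTokenInit and sent, instead of failing the way the ticket-acquisition path just above does with `return False`. Add a length check directly after the wrap and release the session key the function has already obtained before returning, since the `data_blob_free(&session_key_krb5)` on the success path comes later. The wrapped token is a second copy of the ticket allocated on `ctx`, and whether `tkt` itself is released later in this function is outside the hunk, so confirm its ownership and free it in the failure path too if this function owns it. manage_client_krb5_init continues past the end of the hunk.
```c
	/* wrap that up in a nice GSS-API wrapping */
	tkt_wrapped = spnego_gen_krb5_wrap(ctx, tkt, TOK_ID_KRB_AP_REQ);
	if (tkt_wrapped.length == 0) {
		DEBUG(1, ("Failed to wrap the kerberos ticket in a GSS-API token\n"));
		data_blob_free(&session_key_krb5);
		return False;
	}
	/* … unchanged: session key release and negTokenInit setup … */
```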