| commit | 033236aef2c60aabbe3d4ee73de956887c8417e4 | |
| author | Andrew Bartlett <abartlet@samba.org> | |
| Fri, 29 Dec 2006 11:01:37 +0000 (29 11:01 +0000) | ||
| committer | Andrew Bartlett <abartlet@samba.org> | |
| Fri, 29 Dec 2006 11:01:37 +0000 (29 11:01 +0000) | ||
| tree | dc44c5a20f42e845df1684050ab0a1ca53bea5c7 | treesnapshot (tar.gz zip) |
| parent | 92ae35981be7b0a033b4b7f416cc5991860912cb | commitdiff |
r20406: Metze's change in -r 19662 broke Kerberos logins from Win2k3.
The reason is long and complex, but is due to forwardable tickets:
We would extract the forwardable ticket from the GSSAPI payload, and
look for the expiry time of the ticket for krbtgt/REALM@REALM.
However, with -r 19662 the ticket is given to the client as being for
krbtgt/realm@REALM, as it asked for a lower case realm. Heimdal is
case sensitive for realms, and bails out. (It should just not store
the forwarded ticket).
We need to co-ordinate changes in the KDC with relaxation of checks in
Heimdal, and a better kerberos behaviour testsuite.
Andrew Bartlett
The reason is long and complex, but is due to forwardable tickets:
We would extract the forwardable ticket from the GSSAPI payload, and
look for the expiry time of the ticket for krbtgt/REALM@REALM.
However, with -r 19662 the ticket is given to the client as being for
krbtgt/realm@REALM, as it asked for a lower case realm. Heimdal is
case sensitive for realms, and bails out. (It should just not store
the forwarded ticket).
We need to co-ordinate changes in the KDC with relaxation of checks in
Heimdal, and a better kerberos behaviour testsuite.
Andrew Bartlett
| source/kdc/hdb-ldb.c | diffblobblamehistory |