author | Jeffrey Altman <jaltman@secure-endpoints.com> | 2004-02-03 00:50:43 +0000 |
---|---|---|
committer | Jeffrey Altman <jaltman@secure-endpoints.com> | 2004-02-03 00:50:43 +0000 |
commit | 93e283ad1d13c357fa236995be4937ea8a68e76c (patch) | |
tree | 1c443421bb1ca5cdd836d43ee56eeffe772889b0 | |
parent | b5dc3ff298338b1587e98c5ed0ec58c20d3df612 (diff) | |
2004-02-02 Jeffrey Altman <jaltman@mit.edu>
* cc_mslsa.c:
GetMSCacheTicketFromCacheInfo() uses the tktinfo->TicketFlags as the
value to assign to TicketRequest->TicketFlags. This field is blindly
inserted into the kdc-options[0] field of the TGS_REQ. If there are
bits such as TRANSIT_POLICY_CHECKED in the TicketFlags, this will result
in an unknown TGS_OPTION being processed by the KDC.
This has been fixed by mapping the Ticket Flags to KDC options.
We only map Forwardable, Forwarded, Proxiable, and Renewable. The others
should not be used.
ticket: 2190
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16013 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/krb5/ccache/ChangeLog | 13 | ||||
-rw-r--r-- | src/lib/krb5/ccache/cc_mslsa.c | 10 |
2 files changed, 22 insertions, 1 deletions
diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog index e3b86e6eeb..e869f913bf 100644 --- a/src/lib/krb5/ccache/ChangeLog +++ b/src/lib/krb5/ccache/ChangeLog @@ -1,5 +1,18 @@ 2004-02-02 Jeffrey Altman <jaltman@mit.edu> + * cc_msla.c: + GetMSCacheTicketFromCacheInfo() uses the tktinfo->TicketFlags as the + value to assign to TicketRequest->TicketFlags. This field is blindly + inserted into the kdc-options[0] field of the TGS_REQ. If there are + bits such as TRANSIT_POLICY_CHECKED in the TicketFlags, this will result + in an unknown TGS_OPTION being processed by the KDC. + + This has been fixed by mapping the Ticket Flags to KDC options. + We only map Forwardable, Forwarded, Proxiable, and Renewable. The others + should not be used. + +2004-02-02 Jeffrey Altman <jaltman@mit.edu> + * cc_mslsa.c: the MSLSA code was crashing on Pismere machines when logging on with cross realm credentials. On these machines there are 8 tickets within the LSA cache from two different realms. One of the diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c index 9c3a57bb9d..a1970a2d6d 100644 --- a/src/lib/krb5/ccache/cc_mslsa.c +++ b/src/lib/krb5/ccache/cc_mslsa.c 
@@ -975,7 +975,15 @@ GetMSCacheTicketFromCacheInfo( HANDLE LogonHandle, ULONG PackageId,
 memcpy(pTicketRequest->TargetName.Buffer,tktinfo->ServerName.Buffer, tktinfo->ServerName.Length);
 pTicketRequest->CacheOptions = 0;
 pTicketRequest->EncryptionType = tktinfo->EncryptionType;
- pTicketRequest->TicketFlags = tktinfo->TicketFlags;
+ pTicketRequest->TicketFlags = 0;
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_forwardable )
+ pTicketRequest->TicketFlags |= KDC_OPT_FORWARDABLE;
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_forwarded )
+ pTicketRequest->TicketFlags |= KDC_OPT_FORWARDED;
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_proxiable )
+ pTicketRequest->TicketFlags |= KDC_OPT_PROXIABLE;
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_renewable )
+ pTicketRequest->TicketFlags |= KDC_OPT_RENEWABLE;
 Status = LsaCallAuthenticationPackage( LogonHandle, |
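Review bot: The `KERB_TICKET_FLAGS_forwarded` to `KDC_OPT_FORWARDED` mapping is the one entry in this allowlist that should be confirmed. The ticket flag records that the cached ticket was already forwarded, whereas the KDC option asks the TGS to perform forwarding. As far as RFC 4120 describes it, that request is only honoured when the TGT is itself forwardable, so a forwarded but non-forwardable credential may now be refused where a zero option would have succeeded. The block also has no comment explaining why the flags are translated, so I would add `/* Ticket flags and KDC options are separate bit spaces: map only the options a TGS_REQ may carry, never copy TicketFlags verbatim. */` above `pTicketRequest->TicketFlags = 0;` to stop a later cleanup restoring the direct assignment. The four `if` bodies are unbraced, which makes it easy to get the next added flag wrong. GetMSCacheTicketFromCacheInfo begins and ends outside this hunk, so what happens to the request after LsaCallAuthenticationPackage is not visible here.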