-rw-r--r--src/lib/krb5/ccache/ChangeLog13
-rw-r--r--src/lib/krb5/ccache/cc_mslsa.c10
2 files changed, 22 insertions, 1 deletions
diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog
index e3b86e6eeb..e869f913bf 100644
--- a/src/lib/krb5/ccache/ChangeLog
+++ b/src/lib/krb5/ccache/ChangeLog
@@ -1,5 +1,18 @@
2004-02-02 Jeffrey Altman <jaltman@mit.edu>
+ * cc_msla.c:
+ GetMSCacheTicketFromCacheInfo() uses the tktinfo->TicketFlags as the
+ value to assign to TicketRequest->TicketFlags. This field is blindly
+ inserted into the kdc-options[0] field of the TGS_REQ. If there are
+ bits such as TRANSIT_POLICY_CHECKED in the TicketFlags, this will result
+ in an unknown TGS_OPTION being processed by the KDC.
+
+ This has been fixed by mapping the Ticket Flags to KDC options.
+ We only map Forwardable, Forwarded, Proxiable, and Renewable. The others
+ should not be used.
+
+2004-02-02 Jeffrey Altman <jaltman@mit.edu>
+
* cc_mslsa.c: the MSLSA code was crashing on Pismere machines when
logging on with cross realm credentials. On these machines there are
8 tickets within the LSA cache from two different realms. One of the
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index 9c3a57bb9d..a1970a2d6d 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -975,7 +975,15 @@ GetMSCacheTicketFromCacheInfo( HANDLE LogonHandle, ULONG PackageId,
memcpy(pTicketRequest->TargetName.Buffer,tktinfo->ServerName.Buffer, tktinfo->ServerName.Length);
pTicketRequest->CacheOptions = 0;
pTicketRequest->EncryptionType = tktinfo->EncryptionType;
- pTicketRequest->TicketFlags = tktinfo->TicketFlags;
+ pTicketRequest->TicketFlags = 0;
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_forwardable )
+ pTicketRequest->TicketFlags |= KDC_OPT_FORWARDABLE;
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_forwarded )
+ pTicketRequest->TicketFlags |= KDC_OPT_FORWARDED;
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_proxiable )
+ pTicketRequest->TicketFlags |= KDC_OPT_PROXIABLE;
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_renewable )
+ pTicketRequest->TicketFlags |= KDC_OPT_RENEWABLE;
Status = LsaCallAuthenticationPackage(
LogonHandle,