-rw-r--r-- | src/windows/ms2mit/ChangeLog | 16 | ||||
-rw-r--r-- | src/windows/ms2mit/ms2mit.c | 14 |
2 files changed, 28 insertions, 2 deletions
diff --git a/src/windows/ms2mit/ChangeLog b/src/windows/ms2mit/ChangeLog
index 1c5a9c45f8..f177bb41d9 100644
--- a/src/windows/ms2mit/ChangeLog
+++ b/src/windows/ms2mit/ChangeLog
@@ -1,3 +1,19 @@
+2003-10-21 Jeffrey Altman <jaltman@mit.edu>
+
+ * ms2mit.c:
+
+ Because of the failure of Windows 2000 and Windows XP to perform
+ proper ticket expiration time management, the MS Kerberos LSA will
+ return tickets to a calling application with lifetimes as short as
+ one second. Tickets with lifetimes less than five minutes can cause
+ problems for most apps. Tickets with lifetimes less than 20 minutes
+ will trigger the Leash ticket lifetime warnings.
+
+ Instead of accepting whatever tickets are returned by MS LSA from
+ the cache, if the ticket lifetime is less than 20 minutes force a
+ retrieval operation bypassing the LSA ticket cache.
+
+
 2003-07-16 Jeffrey Altman <jaltman@mit.edu>
 
 * ms2mit.c:
diff --git a/src/windows/ms2mit/ms2mit.c b/src/windows/ms2mit/ms2mit.c
index 3baaf19584..12e028e0bc 100644
--- a/src/windows/ms2mit/ms2mit.c
+++ b/src/windows/ms2mit/ms2mit.c
@@ -649,12 +649,22 @@ GetMSTGT(
 case KERB_ETYPE_DES_CBC_MD5:
 case KERB_ETYPE_NULL:
 case KERB_ETYPE_RC4_HMAC_NT: {
- FILETIME Now, EndTime, LocalEndTime;
+ FILETIME Now, MinLife, EndTime, LocalEndTime;
+ __int64 temp;
+ // FILETIME is in units of 100 nano-seconds
+ // If obtained tickets are either expired or have a lifetime
+ // less than 20 minutes, retry ...
 GetSystemTimeAsFileTime(&Now);
 EndTime.dwLowDateTime=pTicketResponse->Ticket.EndTime.LowPart;
 EndTime.dwHighDateTime=pTicketResponse->Ticket.EndTime.HighPart;
 FileTimeToLocalFileTime(&EndTime, &LocalEndTime);
- if (CompareFileTime(&Now, &LocalEndTime) >= 0) {
+ temp = Now.dwHighDateTime;
+ temp <<= 32;
+ temp = Now.dwLowDateTime;
+ temp += 1200 * 10000;
+ MinLife.dwHighDateTime = (DWORD)((temp >> 32) & 0xFFFFFFFF);
+ MinLife.dwLowDateTime = (DWORD)(temp & 0xFFFFFFFF);
+ if (CompareFileTime(&MinLife, &LocalEndTime) >= 0) {
 #ifdef ENABLE_PURGING
 purge_cache = 1;
 #else
|
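Review bot: In the added MinLife computation, `temp = Now.dwLowDateTime;` overwrites the shifted high word instead of merging it, so MinLife ends up with a near-zero high DWORD and `CompareFileTime(&MinLife, &LocalEndTime) >= 0` will practically never be true; the check that previously caught already-expired tickets is effectively disabled. The line should be `temp |= Now.dwLowDateTime;`. The margin is also off: in 100 ns units `1200 * 10000` is about 1.2 seconds rather than the 20 minutes the comment and ChangeLog describe, and the intended product does not fit 32-bit int arithmetic, so write `temp += (__int64)1200 * 10000000;`. The body of GetMSTGT starts and ends outside this hunk, so what the retry path does after this comparison is not visible here.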