authorAndrew Tridgell <tridge@samba.org>2011-09-16 11:15:27 +1000
committerAndrew Tridgell <tridge@samba.org>2011-09-19 10:57:03 +1000
commitee7cfcadc60eac34bf646f765798ca5a01d311ed (patch)
tree52409704cbd23353abe221dbdbd90ba908fe1498 /source4/kdc
parent4577ee1f957e08d19b2c849b9b698b31474040ff (diff)
s4-kdc: default kvno for inter-domain trusts to zero
The exact value doesn't matter, as both Samba and Windows check against the latest password, but the old default of -1 caused ASN.1 parsing errors on Windows, which prevented it from answering TGS requests.

Thanks to Hongwei Sun for finding this from a ttt trace.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/db-glue.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index cdc318a4a8..52bacd0f9d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -896,7 +896,15 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
goto out;
}
- entry_ex->entry.kvno = -1;
+ entry_ex->entry.kvno = 0;
+ /*
+ we usually don't have a TRUST_AUTH_TYPE_VERSION field, as
+ windows doesn't create one, so we rely on the fact that both
+ windows and Samba don't actually check the kvno and instead
+ just check against the latest password blob. If we do have a
+ TRUST_AUTH_TYPE_VERSION field then we do use it, otherwise
+ we just use 0.
+ */
for (i=0; i < password_blob.count; i++) {
if (password_blob.current.array[i].AuthType == TRUST_AUTH_TYPE_VERSION) {
entry_ex->entry.kvno = password_blob.current.array[i].AuthInfo.version.version;
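Review bot: The comment added after `entry_ex->entry.kvno = 0;` explains why the kvno is not checked, but not why the default must not be -1, which is the constraint this commit actually fixes. According to the commit message, the old default caused ASN.1 parsing errors on Windows and stopped it answering TGS requests. I would add a line to the comment such as `the default must not be negative: -1 caused ASN.1 parsing errors on windows`, so that nobody later restores -1 as a "not set" sentinel. The loop below copies `AuthInfo.version.version` from the trust blob into the kvno with no range check visible here, so it is worth confirming that a stored version cannot lead to the same encoding problem. This hunk alone cannot settle that, because the rest of the loop and of samba_kdc_trust_message2entry lie outside it.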