I will test it as soon as possible. But I believed that non-forwarding TGS-REQs already have the Name-Type set. In fact, in the case where I didn't forward the ticket (when I created it directly from the ssh server), it worked perfectly against a W2008 RODC, so what exactly should I check?
________________________________________ From: Tom Yu [[email protected]] Sent: 20 April 2012 19:14 To: Sebastian Galiano Cc: [email protected] Subject: Re: Kerberos, Windows2008 RODC and ticket forwarding Problem Sebastian Galiano <[email protected]> writes: > It worked great!! > > Thanks! Thanks for helping with the testing. I have an updated patch that should also address the issue with non-forwarding TGS-REQs. Please test this, if you have time. diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c index d602952..8387cea 100644 --- a/src/lib/krb5/krb/fwd_tgt.c +++ b/src/lib/krb5/krb/fwd_tgt.c @@ -28,6 +28,7 @@ #ifdef HAVE_MEMORY_H #include <memory.h> #endif +#include "int-proto.h" /* helper function: convert flags to necessary KDC options */ #define flags2options(flags) (flags & KDC_TKT_COMMON_MASK) @@ -93,14 +94,9 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, if ((retval = krb5_copy_principal(context, client, &creds.client))) goto errout; - if ((retval = krb5_build_principal_ext(context, &creds.server, - client->realm.length, - client->realm.data, - KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME, - client->realm.length, - client->realm.data, - 0))) + retval = krb5int_tgtname(context, &client->realm, &client->realm, + &creds.server); + if (retval) goto errout; /* fetch tgt directly from cache */ diff --git a/src/lib/krb5/krb/tgtname.c b/src/lib/krb5/krb/tgtname.c index 1a02880..6285b47 100644 --- a/src/lib/krb5/krb/tgtname.c +++ b/src/lib/krb5/krb/tgtname.c 
@@ -30,8 +30,16 @@ krb5_error_code krb5int_tgtname(krb5_context context, const krb5_data *server, const krb5_data *client, krb5_principal *tgtprinc) { - return krb5_build_principal_ext(context, tgtprinc, client->length, client->data, - KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, - server->length, server->data, - 0); + krb5_error_code ret; + ret = krb5_build_principal_ext(context, tgtprinc, client->length, client->data, + KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, + server->length, server->data, + 0); + /* + * Windows Server 2008 R2 RODC insists on TGS principal names having the + * right name type. + */ + krb5_princ_type(context, *tgtprinc) = KRB5_NT_SRV_INST; + + return ret; } ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
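Review bot: In the fwd_tgt.c hunk at line 94, the replacement call `krb5int_tgtname(context, &client->realm, &client->realm, &creds.server)` passes the same realm twice, which is correct for a same-realm TGT but hides that the helper's parameter order is (server realm, client realm) per the tgtname.c signature below; a short comment such as `/* TGT for the client's own realm: server and client realm are identical */` would keep a later reader from swapping them when a cross-realm case is added. Routing this path through the shared helper is the right move, since it is what makes the KRB5_NT_SRV_INST fix in tgtname.c apply to forwarded tickets as well.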
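Review bot: In the tgtname.c hunk, `krb5_princ_type(context, *tgtprinc) = KRB5_NT_SRV_INST;` is executed even when `krb5_build_principal_ext` has returned an error, in which case `*tgtprinc` has not been allocated and the assignment dereferences an invalid pointer; add `if (ret) return ret;` immediately after the build call (and `return 0;` at the end) so the name type is only set on a successfully built principal. The comment explaining why the 2008 R2 RODC needs the name type is useful; consider also noting that KRB5_NT_SRV_INST is the name type the KDC expects for krbtgt/REALM service principals, so the change is a conformance fix rather than a Windows-specific hack.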
