Author: gd Date: 2005-10-11 16:27:05 +0000 (Tue, 11 Oct 2005) New Revision: 10907
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10907
Log:
Handle the case when we can't verify the PAC signature because the ticket was encrypted using a DES key (and the Windows KDC still puts CKSUMTYPE_HMAC_MD5_ARCFOUR in the PAC). In that case, return to old behaviour and ignore the PAC. Thanks to Chengjie Liu <[EMAIL PROTECTED]>. Guenther
Modified:
branches/SAMBA_3_0/source/libads/kerberos_verify.c
branches/SAMBA_3_0/source/libsmb/clikrb5.c
trunk/source/libads/kerberos_verify.c
trunk/source/libsmb/clikrb5.c
Changeset:
Modified: branches/SAMBA_3_0/source/libads/kerberos_verify.c
===================================================================
--- branches/SAMBA_3_0/source/libads/kerberos_verify.c 2005-10-11 16:14:00 UTC (rev 10906)
+++ branches/SAMBA_3_0/source/libads/kerberos_verify.c 2005-10-11 16:27:05 UTC (rev 10907)
@@ -272,6 +272,7 @@
 DATA_BLOB *session_key)
 {
 NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
+ NTSTATUS pac_ret;
 DATA_BLOB auth_data;
 krb5_context context = NULL;
 krb5_auth_context auth_context = NULL;
@@ -400,7 +401,8 @@
 #endif
 /* continue when no PAC is retrieved
- (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set) */
+ (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set,
+ or Kerberos tickets encryped using a DES key) - Guenther */
 got_auth_data = get_auth_data_from_tkt(mem_ctx, &auth_data, tkt);
 if (!got_auth_data) {
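Review bot: The added comment line has a typo, `encryped` → `encrypted`, and it explains only why auth data may be missing, not what the caller gets in that case; the later hunk in this file no longer jumps to `out` when the PAC cannot be decoded, so the ticket is presumably still accepted with no PAC attached. I would extend the comment to `or Kerberos tickets encrypted using a DES key whose PAC checksum we cannot verify); in both cases the caller must cope with *pac_data == NULL`. The enclosing function ads_verify_ticket starts and ends outside this hunk. The same comment text appears in the trunk kerberos_verify.c hunk at -400,7.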
@@ -409,10 +411,10 @@
 if (got_auth_data && pac_data != NULL) {
- sret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
- if (!NT_STATUS_IS_OK(sret)) {
- DEBUG(0,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(sret)));
- goto out;
+ pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
+ if (!NT_STATUS_IS_OK(pac_ret)) {
+ DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
+ *pac_data = NULL;
 }
 data_blob_free(&auth_data);
 }
Modified: branches/SAMBA_3_0/source/libsmb/clikrb5.c
===================================================================
--- branches/SAMBA_3_0/source/libsmb/clikrb5.c 2005-10-11 16:14:00 UTC (rev 10906)
+++ branches/SAMBA_3_0/source/libsmb/clikrb5.c 2005-10-11 16:27:05 UTC (rev 10907)
@@ -689,6 +689,12 @@
 &input,
 cksum,
 &checksum_valid);
+ if (ret) {
+ DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
+ error_message(ret)));
+ return ret;
+ }
+
 if (!checksum_valid)
 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 }
Modified: trunk/source/libads/kerberos_verify.c
===================================================================
--- trunk/source/libads/kerberos_verify.c 2005-10-11 16:14:00 UTC (rev 10906)
+++ trunk/source/libads/kerberos_verify.c 2005-10-11 16:27:05 UTC (rev 10907)
@@ -272,6 +272,7 @@
 DATA_BLOB *session_key)
 {
 NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
+ NTSTATUS pac_ret;
 DATA_BLOB auth_data;
 krb5_context context = NULL;
 krb5_auth_context auth_context = NULL;
@@ -400,7 +401,8 @@
 #endif
 /* continue when no PAC is retrieved
- (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set) */
+ (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set,
+ or Kerberos tickets encryped using a DES key) - Guenther */
 got_auth_data = get_auth_data_from_tkt(mem_ctx, &auth_data, tkt);
 if (!got_auth_data) {
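Review bot: The fallback is broader than the log message describes: every decode_pac_data() failure, including a PAC whose checksum was actually verified and found bad, now ends in `*pac_data = NULL` and falls through to the rest of ads_verify_ticket, whereas the removed lines set `sret` to the failure and jumped to `out`. Only the unverifiable case (DES-encrypted ticket carrying a checksum type we cannot check) should degrade to "no PAC"; a PAC that fails integrity should still fail the ticket, otherwise a tampered PAC quietly turns into a PAC-less logon. That needs decode_pac_data (outside this hunk) to return a distinguishable status for the unsupported-checksum case, so this branch can keep the old path for everything else, e.g. `if (!NT_STATUS_EQUAL(pac_ret, <unsupported-checksum status, placeholder>)) { sret = pac_ret; goto out; }` before the `*pac_data = NULL;` line. The DEBUG level also drops from 0 to 3, which removes the event from default logs; level 1 would keep a decode failure visible to an administrator. The enclosing function continues outside this hunk, and the trunk kerberos_verify.c hunk at -409,10 has the identical change.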
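Review bot: The `if (!checksum_valid)` branch directly below the new block still emits no log line, while the new library-error path logs at level 3; for what the log message describes as the PAC signature check, the bad-integrity outcome is the one a defender most needs to see. I would add `DEBUG(1,("smb_krb5_verify_checksum: checksum verification failed (bad integrity)\n"));` inside that branch (which then needs braces), and consider level 1 instead of 3 for the new `if (ret)` message as well, since at level 3 a krb5_c_verify_checksum() failure is absent from default logs. smb_krb5_verify_checksum starts and ends outside this hunk, so I cannot see whether the other verification path in this function logs its failures. The trunk clikrb5.c hunk at -689,6 is identical.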
@@ -409,10 +411,10 @@
 if (got_auth_data && pac_data != NULL) {
- sret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
- if (!NT_STATUS_IS_OK(sret)) {
- DEBUG(0,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(sret)));
- goto out;
+ pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
+ if (!NT_STATUS_IS_OK(pac_ret)) {
+ DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
+ *pac_data = NULL;
 }
 data_blob_free(&auth_data);
 }
Modified: trunk/source/libsmb/clikrb5.c
===================================================================
--- trunk/source/libsmb/clikrb5.c 2005-10-11 16:14:00 UTC (rev 10906)
+++ trunk/source/libsmb/clikrb5.c 2005-10-11 16:27:05 UTC (rev 10907)
@@ -689,6 +689,12 @@
 &input,
 cksum,
 &checksum_valid);
+ if (ret) {
+ DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
+ error_message(ret)));
+ return ret;
+ }
+
 if (!checksum_valid)
 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 }