The branch, v4-16-test has been updated
via 4b6a6af868c s4:kdc: redirect pre-authentication failures to an RWDC
via b8e20583b05 s4:kdc: let pac functions in wdc-samba4.c take
astgs_request_t
via 302f9acb4a0 third_party/heimdal: import
lorikeet-heimdal-202203031927 (commit 7abc451ddd74d0c2e57dbb32f3198bde8def73ab)
from 9df5283f3d9 s3:utils: assign ids to struct to list shares correctly
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test
- Log -----------------------------------------------------------------
commit 4b6a6af868c03407d41dd978e8a72b1acbc87720
Author: Stefan Metzmacher <me...@samba.org>
Date: Mon Feb 21 10:29:12 2022 +0100
s4:kdc: redirect pre-authentication failures to an RWDC
The most important case is that we still have a previous
password cached at the RODC and the inbound replication
hasn't wiped the cache yet and we also haven't triggered
a new replication yet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
(cherry picked from commit 0f5d7ff1a9fd14fd412b09883d413d1d660fa7be)
Autobuild-User(v4-16-test): Jule Anger <jan...@samba.org>
Autobuild-Date(v4-16-test): Tue Mar 8 14:30:45 UTC 2022 on sn-devel-184
commit b8e20583b052aeb8f1bda381f7a0dab420325e8d
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Feb 24 21:31:52 2022 +0100
s4:kdc: let pac functions in wdc-samba4.c take astgs_request_t
NOTE: This commit finally works again!
This aligns us with the following Heimdal change:
commit 11d8a053f50c88256b4d49c7e482c2eb8f6bde33
Author: Stefan Metzmacher <me...@samba.org>
AuthorDate: Thu Feb 24 18:27:09 2022 +0100
Commit: Luke Howard <lu...@padl.com>
CommitDate: Thu Mar 3 09:58:48 2022 +1100
kdc-plugin: also pass astgs_request_t to the pac related functions
This is more consistent and allows the pac hooks to be more flexible.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865
Signed-off-by: Stefan Metzmacher <me...@samba.org>
(cherry picked from commit 27ee5ad713b760e8226537d79c529ace1efb07bf)
commit 302f9acb4a0c689a572b157f4947333485d05724
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Mar 3 19:17:06 2022 +0100
third_party/heimdal: import lorikeet-heimdal-202203031927 (commit
7abc451ddd74d0c2e57dbb32f3198bde8def73ab)
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
(cherry picked from commit f33f73f82fb2d5d96928ce5910e2d0d939c2ff57)
-----------------------------------------------------------------------
Summary of changes:
selftest/knownfail | 1 -
source4/dsdb/tests/python/rodc_rwdc.py | 3 +-
source4/kdc/hdb-samba4.c | 93 ++++++----------------
source4/kdc/wdc-samba4.c | 10 ++-
third_party/heimdal/kdc/fast.c | 20 +++--
third_party/heimdal/kdc/kdc-accessors.h | 20 +++++
third_party/heimdal/kdc/kdc-plugin.c | 28 +++----
third_party/heimdal/kdc/kdc-plugin.h | 6 +-
third_party/heimdal/kdc/kdc_locl.h | 5 ++
third_party/heimdal/kdc/kerberos5.c | 17 +++-
third_party/heimdal/kdc/krb5tgs.c | 25 ++++--
third_party/heimdal/kdc/libkdc-exports.def | 3 +
third_party/heimdal/kdc/mssfu.c | 5 +-
third_party/heimdal/kdc/version-script.map | 3 +
third_party/heimdal/lib/asn1/krb5.asn1 | 54 ++++++++++++-
third_party/heimdal/lib/asn1/libasn1-exports.def | 25 ++++++
third_party/heimdal/lib/krb5/krb5.h | 4 +
third_party/heimdal/lib/krb5/pac.c | 2 +-
third_party/heimdal/lib/krb5/principal.c | 9 ++-
third_party/heimdal/tests/plugin/kdc_test_plugin.c | 8 +-
20 files changed, 219 insertions(+), 122 deletions(-)
Changeset truncated at 500 lines:
diff --git a/selftest/knownfail b/selftest/knownfail
index 2a5287cba2d..7e897dd026d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -377,7 +377,6 @@
^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs\)
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
-^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
# NETLOGON is disabled in any non-DC environments
^samba.tests.netlogonsvc.python\(ad_member\)
^samba.tests.netlogonsvc.python\(simpleserver\)
diff --git a/source4/dsdb/tests/python/rodc_rwdc.py
b/source4/dsdb/tests/python/rodc_rwdc.py
index 74e0773abc3..beea26e8e1a 100644
--- a/source4/dsdb/tests/python/rodc_rwdc.py
+++ b/source4/dsdb/tests/python/rodc_rwdc.py
@@ -1146,8 +1146,7 @@ class
RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
creds2 = make_creds(username, password)
self.try_ldap_logon(RWDC, creds2)
- # We can forward WRONG_PASSWORD over NTLM.
- # This SHOULD succeed.
+ # The RODC forward WRONG_PASSWORD to the RWDC
self.try_ldap_logon(RODC, creds2)
def test_change_password_reveal_on_demand_ntlm(self):
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 6e87345e2c3..3f573f297f8 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -466,60 +466,6 @@ static void reset_bad_password_netlogon(TALLOC_CTX
*mem_ctx,
irpc_handle, &req);
}
-static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx,
- struct samba_kdc_db_context *kdc_db_ctx,
- struct auth_usersupplied_info *user_info)
-{
- struct dcerpc_binding_handle *irpc_handle;
- struct winbind_SamLogon req;
- struct netr_IdentityInfo *identity_info;
- struct netr_NetworkInfo *network_info;
-
- irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx,
- "winbind_server",
- &ndr_table_winbind);
- if (irpc_handle == NULL) {
- DEBUG(0, ("Winbind forwarding for [%s]\\[%s] failed, "
- "no winbind_server running!\n",
- user_info->mapped.domain_name,
user_info->mapped.account_name));
- return;
- }
-
- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
- if (network_info == NULL) {
- DEBUG(0, ("Winbind forwarding failed: No memory\n"));
- return;
- }
-
- identity_info = &network_info->identity_info;
- req.in.logon_level = 2;
- req.in.logon.network = network_info;
-
- identity_info->domain_name.string = user_info->mapped.domain_name;
- identity_info->parameter_control = user_info->logon_parameters; /* TODO
*/
- identity_info->logon_id = user_info->logon_id;
- identity_info->account_name.string = user_info->mapped.account_name;
- identity_info->workstation.string
- = talloc_asprintf(identity_info, "krb5-bad-pw on RODC from %s",
- tsocket_address_string(user_info->remote_host,
- identity_info));
- if (identity_info->workstation.string == NULL) {
- DEBUG(0, ("Winbind forwarding failed: No memory allocating
workstation string\n"));
- return;
- }
-
- req.in.validation_level = 3;
-
- /*
- * The memory in identity_info and user_info only needs to be
- * valid until the end of this function call, as it will be
- * pushed to NDR during this call
- */
-
- dcerpc_winbind_SamLogon_r_send(mem_ctx, kdc_db_ctx->ev_ctx,
- irpc_handle, &req);
-}
-
static krb5_error_code hdb_samba4_audit(krb5_context context,
HDB *db,
hdb_entry *entry,
@@ -527,24 +473,18 @@ static krb5_error_code hdb_samba4_audit(krb5_context
context,
{
struct samba_kdc_db_context *kdc_db_ctx =
talloc_get_type_abort(db->hdb_db,
struct
samba_kdc_db_context);
-
struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
uint64_t logon_id = generate_random_u64();
-
heim_object_t auth_details_obj = NULL;
const char *auth_details = NULL;
-
char *etype_str = NULL;
-
heim_object_t hdb_auth_status_obj = NULL;
int hdb_auth_status;
-
heim_object_t pa_type_obj = NULL;
const char *pa_type = NULL;
-
struct auth_usersupplied_info ui;
-
size_t sa_socklen = 0;
+ int final_ret = 0;
hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r,
KDC_REQUEST_KV_AUTH_EVENT);
if (hdb_auth_status_obj == NULL) {
@@ -645,6 +585,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context
context,
const char *auth_description = NULL;
NTSTATUS status;
int ret;
+ bool rwdc_fallback = false;
ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
sa_socklen,
@@ -677,34 +618,44 @@ static krb5_error_code hdb_samba4_audit(krb5_context
context,
} else if (hdb_auth_status ==
KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg,
domain_dn);
status = NT_STATUS_WRONG_PASSWORD;
- /*
- * TODO We currently send a bad password via NETLOGON,
- * however, it should probably forward the ticket to
- * another KDC to allow login after password changes.
- */
- if (kdc_db_ctx->rodc) {
- send_bad_password_netlogon(frame, kdc_db_ctx,
&ui);
- }
+ rwdc_fallback = kdc_db_ctx->rodc;
} else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT)
{
status = NT_STATUS_ACCOUNT_LOCKED_OUT;
+ rwdc_fallback = kdc_db_ctx->rodc;
} else if (hdb_auth_status ==
KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED) {
if (pa_type != NULL && strncmp(pa_type, "PK-INIT",
strlen("PK-INIT")) == 0) {
status = NT_STATUS_PKINIT_NAME_MISMATCH;
} else {
status = NT_STATUS_ACCOUNT_RESTRICTION;
}
+ rwdc_fallback = kdc_db_ctx->rodc;
} else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) {
if (pa_type != NULL && strncmp(pa_type, "PK-INIT",
strlen("PK-INIT")) == 0) {
status = NT_STATUS_PKINIT_FAILURE;
} else {
status = NT_STATUS_GENERIC_COMMAND_FAILED;
}
+ rwdc_fallback = kdc_db_ctx->rodc;
} else {
DBG_ERR("Unhandled hdb_auth_status=%d =>
INTERNAL_ERROR\n",
hdb_auth_status);
status = NT_STATUS_INTERNAL_ERROR;
}
+ if (rwdc_fallback) {
+ /*
+ * Forward the request to an RWDC in order
+ * to give an authoritative answer to the client.
+ */
+ auth_description = talloc_asprintf(frame,
+ "%s,Forward-To-RWDC",
+ ui.auth_description);
+ if (auth_description != NULL) {
+ ui.auth_description = auth_description;
+ }
+ final_ret = HDB_ERR_NOT_FOUND_HERE;
+ }
+
log_authentication_event(kdc_db_ctx->msg_ctx,
kdc_db_ctx->lp_ctx,
&r->tv_start,
@@ -736,6 +687,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context
context,
ui.auth_description = pa_type;
+ /* Note this is not forwarded to an RWDC */
+
log_authentication_event(kdc_db_ctx->msg_ctx,
kdc_db_ctx->lp_ctx,
&r->tv_start,
@@ -750,7 +703,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context
context,
free(etype_str);
- return 0;
+ return final_ret;
}
/* This interface is to be called by the KDC and libnet_keytab_dump,
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index dfca27175a2..7f99233440e 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -36,14 +36,15 @@
*
* For PKINIT we also get pk_reply_key and can add PAC_CREDENTIAL_INFO.
*/
-static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
- krb5_kdc_configuration *config,
+static krb5_error_code samba_wdc_get_pac(void *priv,
+ astgs_request_t r,
hdb_entry *client,
hdb_entry *server,
const krb5_keyblock *pk_reply_key,
uint64_t pac_attributes,
krb5_pac *pac)
{
+ krb5_context context = kdc_request_get_context((kdc_request_t)r);
TALLOC_CTX *mem_ctx;
DATA_BLOB *logon_blob = NULL;
DATA_BLOB *cred_ndr = NULL;
@@ -663,8 +664,7 @@ out:
/* Resign (and reform, including possibly new groups) a PAC */
-static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context,
- krb5_kdc_configuration *config,
+static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
const krb5_principal
client_principal,
const krb5_principal
delegated_proxy_principal,
hdb_entry *client,
@@ -672,6 +672,8 @@ static krb5_error_code samba_wdc_reget_pac(void *priv,
krb5_context context,
hdb_entry *krbtgt,
krb5_pac *pac)
{
+ krb5_context context = kdc_request_get_context((kdc_request_t)r);
+ krb5_kdc_configuration *config =
kdc_request_get_config((kdc_request_t)r);
struct samba_kdc_entry *krbtgt_skdc_entry =
talloc_get_type_abort(krbtgt->context,
struct samba_kdc_entry);
diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c
index 25cab3096b7..043227892b5 100644
--- a/third_party/heimdal/kdc/fast.c
+++ b/third_party/heimdal/kdc/fast.c
@@ -464,7 +464,6 @@ fast_unwrap_request(astgs_request_t r,
krb5_flags ap_req_options;
krb5_keyblock armorkey;
krb5_keyblock explicit_armorkey;
- krb5_boolean explicit_armor;
krb5_error_code ret;
krb5_ap_req ap_req;
KrbFastReq fastreq;
@@ -518,7 +517,7 @@ fast_unwrap_request(astgs_request_t r,
goto out;
}
- explicit_armor = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL;
+ r->explicit_armor_present = fxreq.u.armored_data.armor != NULL && tgs_ac
!= NULL;
/*
*
@@ -625,11 +624,11 @@ fast_unwrap_request(astgs_request_t r,
ac->remote_subkey,
&ticket->ticket.key,
&armorkey,
- explicit_armor ? NULL : &r->armor_crypto);
+ r->explicit_armor_present ? NULL :
&r->armor_crypto);
if (ret)
goto out;
- if (explicit_armor) {
+ if (r->explicit_armor_present) {
ret = _krb5_fast_explicit_armor_key(r->context,
&armorkey,
tgs_ac->remote_subkey,
@@ -869,7 +868,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
if (ret)
goto out;
- ret = _kdc_check_pac(r->context, r->config, armor_client_principal, NULL,
+ ret = _kdc_check_pac(r, armor_client_principal, NULL,
armor_client, r->armor_server,
r->armor_server, r->armor_server,
&r->armor_key->key, &r->armor_key->key,
@@ -887,6 +886,17 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
goto out;
}
+ if (r->explicit_armor_present) {
+ r->explicit_armor_clientdb = armor_db;
+ armor_db = NULL;
+
+ r->explicit_armor_client = armor_client;
+ armor_client = NULL;
+
+ r->explicit_armor_pac = mspac;
+ mspac = NULL;
+ }
+
out:
krb5_xfree(armor_client_principal_name);
if (armor_client)
diff --git a/third_party/heimdal/kdc/kdc-accessors.h
b/third_party/heimdal/kdc/kdc-accessors.h
index 81c03d2f222..911b83d7576 100644
--- a/third_party/heimdal/kdc/kdc-accessors.h
+++ b/third_party/heimdal/kdc/kdc-accessors.h
@@ -346,4 +346,24 @@ ASTGS_REQUEST_GET_ACCESSOR(uint64_t, pac_attributes)
ASTGS_REQUEST_SET_ACCESSOR(uint64_t, pac_attributes)
+/*
+ * const HDB *
+ * kdc_request_get_explicit_armor_clientdb(astgs_request_t);
+ */
+
+ASTGS_REQUEST_GET_ACCESSOR_PTR(HDB *, explicit_armor_clientdb)
+
+/*
+ * const hdb_entry *
+ * kdc_request_get_explicit_armor_client(astgs_request_t);
+ */
+ASTGS_REQUEST_GET_ACCESSOR_PTR(hdb_entry *, explicit_armor_client);
+
+/*
+ * krb5_const_pac
+ * kdc_request_get_explicit_armor_pac(astgs_request_t);
+ */
+
+ASTGS_REQUEST_GET_ACCESSOR_PTR(struct krb5_pac_data *, explicit_armor_pac);
+
#endif /* HEIMDAL_KDC_KDC_ACCESSORS_H */
diff --git a/third_party/heimdal/kdc/kdc-plugin.c
b/third_party/heimdal/kdc/kdc-plugin.c
index 8759893a956..925c250597a 100644
--- a/third_party/heimdal/kdc/kdc-plugin.c
+++ b/third_party/heimdal/kdc/kdc-plugin.c
@@ -72,7 +72,7 @@ krb5_kdc_plugin_init(krb5_context context)
}
struct generate_uc {
- krb5_kdc_configuration *config;
+ astgs_request_t r;
hdb_entry *client;
hdb_entry *server;
const krb5_keyblock *reply_key;
@@ -90,8 +90,7 @@ generate(krb5_context context, const void *plug, void
*plugctx, void *userctx)
return KRB5_PLUGIN_NO_HANDLE;
return ft->pac_generate((void *)plug,
- context,
- uc->config,
+ uc->r,
uc->client,
uc->server,
uc->reply_key,
@@ -101,8 +100,7 @@ generate(krb5_context context, const void *plug, void
*plugctx, void *userctx)
krb5_error_code
-_kdc_pac_generate(krb5_context context,
- krb5_kdc_configuration *config,
+_kdc_pac_generate(astgs_request_t r,
hdb_entry *client,
hdb_entry *server,
const krb5_keyblock *reply_key,
@@ -114,20 +112,20 @@ _kdc_pac_generate(krb5_context context,
*pac = NULL;
- if (krb5_config_get_bool_default(context, NULL, FALSE, "realms",
+ if (krb5_config_get_bool_default(r->context, NULL, FALSE, "realms",
client->principal->realm,
"disable_pac", NULL))
return 0;
if (have_plugin) {
- uc.config = config;
+ uc.r = r;
uc.client = client;
uc.server = server;
uc.reply_key = reply_key;
uc.pac = pac;
uc.pac_attributes = pac_attributes;
- ret = _krb5_plugin_run_f(context, &kdc_plugin_data,
+ ret = _krb5_plugin_run_f(r->context, &kdc_plugin_data,
0, &uc, generate);
if (ret != KRB5_PLUGIN_NO_HANDLE)
return ret;
@@ -135,13 +133,13 @@ _kdc_pac_generate(krb5_context context,
}
if (*pac == NULL)
- ret = krb5_pac_init(context, pac);
+ ret = krb5_pac_init(r->context, pac);
return ret;
}
struct verify_uc {
- krb5_kdc_configuration *config;
+ astgs_request_t r;
krb5_principal client_principal;
krb5_principal delegated_proxy_principal;
hdb_entry *client;
@@ -161,8 +159,7 @@ verify(krb5_context context, const void *plug, void
*plugctx, void *userctx)
return KRB5_PLUGIN_NO_HANDLE;
ret = ft->pac_verify((void *)plug,
- context,
- uc->config,
+ uc->r,
uc->client_principal,
uc->delegated_proxy_principal,
uc->client, uc->server, uc->krbtgt, uc->pac);
@@ -170,8 +167,7 @@ verify(krb5_context context, const void *plug, void
*plugctx, void *userctx)
}
krb5_error_code
-_kdc_pac_verify(krb5_context context,
- krb5_kdc_configuration *config,
+_kdc_pac_verify(astgs_request_t r,
const krb5_principal client_principal,
const krb5_principal delegated_proxy_principal,
hdb_entry *client,
@@ -184,7 +180,7 @@ _kdc_pac_verify(krb5_context context,
if (!have_plugin)
return KRB5_PLUGIN_NO_HANDLE;
- uc.config = config;
+ uc.r = r;
uc.client_principal = client_principal;
uc.delegated_proxy_principal = delegated_proxy_principal;
uc.client = client;
@@ -192,7 +188,7 @@ _kdc_pac_verify(krb5_context context,
uc.krbtgt = krbtgt;
uc.pac = pac;
- return _krb5_plugin_run_f(context, &kdc_plugin_data,
+ return _krb5_plugin_run_f(r->context, &kdc_plugin_data,
0, &uc, verify);
}
diff --git a/third_party/heimdal/kdc/kdc-plugin.h
b/third_party/heimdal/kdc/kdc-plugin.h
index efe8dd6abe0..9fc5946df17 100644
--- a/third_party/heimdal/kdc/kdc-plugin.h
+++ b/third_party/heimdal/kdc/kdc-plugin.h
@@ -48,8 +48,7 @@
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *,
- krb5_context, /* context */
- krb5_kdc_configuration *, /*
configuration */
+ astgs_request_t,
hdb_entry *, /* client */
hdb_entry *, /* server */
const krb5_keyblock *, /*
pk_replykey */
@@ -64,8 +63,7 @@ typedef krb5_error_code
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *,
- krb5_context, /* context */
- krb5_kdc_configuration *, /*
configuration */
+ astgs_request_t,
const krb5_principal, /* new ticket
client */
const krb5_principal, /* delegation
proxy */
hdb_entry *,/* client */
diff --git a/third_party/heimdal/kdc/kdc_locl.h
b/third_party/heimdal/kdc/kdc_locl.h
index 8418a91a0a4..767d04f5c8c 100644
--- a/third_party/heimdal/kdc/kdc_locl.h
+++ b/third_party/heimdal/kdc/kdc_locl.h
@@ -167,6 +167,7 @@ struct astgs_request_desc {
/* only valid for tgs-req */
unsigned int rk_is_subkey : 1;
unsigned int fast_asserted : 1;
+ unsigned int explicit_armor_present : 1;
krb5_crypto armor_crypto;
hdb_entry *armor_server;
@@ -174,6 +175,10 @@ struct astgs_request_desc {
krb5_ticket *armor_ticket;
Key *armor_key;
+ hdb_entry *explicit_armor_client;
+ HDB *explicit_armor_clientdb;
+ krb5_pac explicit_armor_pac;
+
KDCFastState fast;
};
diff --git a/third_party/heimdal/kdc/kerberos5.c
b/third_party/heimdal/kdc/kerberos5.c
index b30d321f6f1..e95bdad0a64 100644
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
@@ -280,6 +280,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
* enctype in its KDC-REQ-BODY's etype list, which is what
* `etypes' is here.
*/
+ enctype = p[i];
ret = 0;
break;
}
@@ -295,6 +296,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
*/
--
Samba Shared Repository
