git.ipfire.org Git - thirdparty/krb5.git/commit

author	Ben Kaduk <kaduk@mit.edu>
	Thu, 21 Aug 2014 22:56:24 +0000 (18:56 -0400)
committer	Tom Yu <tlyu@mit.edu>
	Fri, 12 Sep 2014 21:27:38 +0000 (17:27 -0400)
commit	8aa1d7c7334f2928d12694c8f72f7b5bb5c8f1c7
tree	8803bbf570724d337749dcbc7eba23801f4d2404	tree \| snapshot
parent	c6775894ad477de0c16564c62a88bd435ed0b77b	commit \| diff

Let libgssapi see TGTs in the MSLSA cache

When the current user is a local administrator of a windows machine
where User Account Control (UAC) is enabled, the Windows LSA will
return a block of zeros as the session key for any TGT entry in the
MSLSA: cache.  The lcc_retrieve() implementation checks for such
"null" session keys and prevents them from escaping to callers (as
attempts to use them would encounger strange errors).  However,
when the TGT is the only entry in the cache, this filtering prevents
scan_ccache() from detecting that the cache contains non-expired
credentials (and that there is a TGT present).

Since scan_ccache() is only looking at metadata in the cache entries,
and does not need to actually use any tickets or session keys, set
the KRB5_TC_NOTICKET flag on the ccache before scanning it.  This
will allow the MSLSA implementation to return a cred for the TGT
entry and cause the GSSAPI credential selection algorithm to function
properly.

(cherry picked from commit 0794746f8d8e6b8ce3748d442d2bc1faecf960ce)

ticket: 8013 (new)
version_fixed: 1.12.3
subject: gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is enabled
status: resolved