The ticket returned by kdc_request_get_ticket() is the main TGT
presented in a TGS-REQ. If we’re verifying a FAST armor ticket or a
user-to-user ticket, make sure we check the lifetime of that ticket
instead. To do this we need to pass the appropriate ticket into the
plugin function.
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 05:49:31 UTC 2023 on atb-devel-224
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_rodc_issued
#
-# KDC TGS tests
-#
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_kpasswd.ad_dc
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_kpasswd.ad_dc
-#
# https://bugzilla.samba.org/show_bug.cgi?id=14886: Tests for accounts not revealed to the RODC
#
# The KDC should not accept tickets from an RODC for accounts not in the msDS-RevealedUsers list.
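Review bot: the two knownfail entries dropped here (test_fast_kpasswd and test_user2user_kpasswd) are the only evidence on this page of which tests the code change fixes, and the commit message does not mention them; add a sentence to the message naming these kpasswd tests as now passing, so the knownfail removal and the lifetime-check change can be tied together by a reader of the log. Also check that removing the `-#` separator on both sides of the block leaves the surrounding `#` comment headers in the knownfail file still reading sensibly.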
hdb_entry *client,
hdb_entry *server,
hdb_entry *krbtgt,
+ EncTicketPart *ticket,
krb5_pac pac,
krb5_boolean *is_trusted)
{
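Review bot: the new `EncTicketPart *ticket` parameter has no comment stating which ticket the caller is expected to pass (the TGT, the FAST armor ticket, or the user-to-user ticket, as the commit message describes), and nothing in the signature says whether it may be NULL; since the body goes on to dereference it unconditionally, document the contract on the parameter (for example, `EncTicketPart *ticket, /* the ticket whose lifetime is checked; must not be NULL */`) and make sure every call site of this plugin function is updated in the same change, as the callers are not visible in this hunk.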
* check for an incoming trust, as they use a different secret
* and can't be confused with a normal TGT.
*/
- krb5_ticket *tgt = kdc_request_get_ticket(r);
struct timeval now = krb5_kdc_get_time();
* Check if the ticket is in the last two minutes of its
* life.
*/
- KerberosTime lifetime = rk_time_sub(tgt->ticket.endtime, now.tv_sec);
+ KerberosTime lifetime = rk_time_sub(ticket->endtime, now.tv_sec);
if (lifetime <= CHANGEPW_LIFETIME) {
/*
* This ticket has at most two minutes left to live. It
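Review bot: `ticket->endtime` is dereferenced with no NULL check, while the removed `kdc_request_get_ticket(r)` path at least implied the request always carried a ticket; either assert or check `ticket != NULL` before computing `lifetime`, or state in the parameter documentation that callers guarantee it. The surrounding comments still speak only of a "normal TGT" ("can't be confused with a normal TGT", "This ticket has at most two minutes left to live"), but after this change the ticket may be a FAST armor ticket or a user-to-user ticket; update the comment above `struct timeval now` to say which tickets can reach this check. With the local `tgt` gone, also confirm that `r` is still used elsewhere in the function so no unused-parameter warning is introduced.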