From 0794746f8d8e6b8ce3748d442d2bc1faecf960ce Mon Sep 17 00:00:00 2001 From: Ben Kaduk Date: Thu, 21 Aug 2014 18:56:24 -0400 Subject: [PATCH] Let libgssapi see TGTs in the MSLSA cache When the current user is a local administrator of a windows machine where User Account Control (UAC) is enabled, the Windows LSA will return a block of zeros as the session key for any TGT entry in the MSLSA: cache. The lcc_retrieve() implementation checks for such "null" session keys and prevents them from escaping to callers (as attempts to use them would encounger strange errors). However, when the TGT is the only entry in the cache, this filtering prevents scan_ccache() from detecting that the cache contains non-expired credentials (and that there is a TGT present). Since scan_ccache() is only looking at metadata in the cache entries, and does not need to actually use any tickets or session keys, set the KRB5_TC_NOTICKET flag on the ccache before scanning it. This will allow the MSLSA implementation to return a cred for the TGT entry and cause the GSSAPI credential selection algorithm to function properly. ticket: 8000 (new) tags: pullup target_version: 1.12.3 subject: gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is enabled --- src/lib/gssapi/krb5/acquire_cred.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index eec6f2a4b1..8bdf7c4177 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -376,8 +376,9 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred) krb5_timestamp endtime; krb5_boolean is_tgt; - /* Turn off OPENCLOSE mode while extensive frobbing is going on. */ - code = krb5_cc_set_flags(context, ccache, 0); + /* Turn off OPENCLOSE mode while extensive frobbing is going on. + * Turn on NOTICKET, as we don't need session keys here. */ + code = krb5_cc_set_flags(context, ccache, KRB5_TC_NOTICKET); if (code) return code; -- 2.47.3