From: kouril
Date: Tue, 10 Feb 2004 13:52:44 +0000 (+0000)
Subject: Don't use the service name when reading the keytab. This should prevent from
X-Git-Tag: v5.0-rc5~21
X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;ds=sidebyside;h=a6e37f5e5d3b7ebb7e547fbcfc5fdf3919f01b27;p=mod_auth_kerb.cvs%2F.git
Don't use the service name when reading the keytab. This should prevent from problems between the MS and MIT krb5 implementation. (this fix works only with 1.3.x).
---
diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index e3f0708..a44b458 100644
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -882,7 +882,15 @@ get_gss_creds(request_rec *r,
 gss_name_t server_name = GSS_C_NO_NAME;
 char buf[1024];
- snprintf(buf, sizeof(buf), "%s/%s", conf->krb_service_name, ap_get_server_name(r));
+#if 0
+ /* Don't specify service name. This makes MIT 1.3 not to use replay caches,
+ * which causes large problems with the Microsoft krb5 implementation. MS
+ * obviously uses a format of the krb5 authenticator that is considered by
+ * the MIT as replay (Two valid MS authenticators may contain the same time
+ * and utime fields and only differ in the sequential numbers).
+ */
+ snprintf(buf, sizeof(buf), "%s/%s", conf->krb_service_name,
+ ap_get_server_name(r));
 input_token.value = buf;
 input_token.length = strlen(buf) + 1;
@@ -896,6 +904,7 @@ get_gss_creds(request_rec *r,
 "gss_import_name() failed"));
 return HTTP_INTERNAL_SERVER_ERROR;
 }
+#endif
 major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT,
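Review bot: With the name import compiled out by `#if 0` (closed by the `#endif` in the second hunk), `server_name` is still `GSS_C_NO_NAME` when it reaches `gss_acquire_cred()`, so the acceptor is no longer tied to `conf->krb_service_name`; as far as I know MIT krb5 will then accept a ticket for any principal whose key is in the keytab. The added comment also says this makes MIT 1.3 skip its replay cache, which is a security trade-off applied to every deployment and not only to those with Microsoft clients. Both consequences are documented only inside the disabled block, so I would put a comment above the `#if 0`, e.g. `/* server_name stays GSS_C_NO_NAME: the configured service name is not enforced and replay caching is bypassed; keep the keytab limited to this service's key. */`, and consider a configuration switch instead of dead code. `buf` and `input_token` appear to be left unused by this change, and `get_gss_creds` begins and ends outside both hunks, so that is inferred from the visible lines only.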