From a6e37f5e5d3b7ebb7e547fbcfc5fdf3919f01b27 Mon Sep 17 00:00:00 2001
From: kouril
Date: Tue, 10 Feb 2004 13:52:44 +0000
Subject: [PATCH] Don't use the service name when reading the keytab. This should prevent from problems between the MS and MIT krb5 implementation. (this fix works only with 1.3.x).

---
 src/mod_auth_kerb.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index e3f0708..a44b458 100644
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -882,7 +882,15 @@ get_gss_creds(request_rec *r,
 gss_name_t server_name = GSS_C_NO_NAME;
 char buf[1024];
- snprintf(buf, sizeof(buf), "%s/%s", conf->krb_service_name, ap_get_server_name(r));
+#if 0
+ /* Don't specify service name. This makes MIT 1.3 not to use replay caches,
+ * which causes large problems with the Microsoft krb5 implementation. MS
+ * obviously uses a format of the krb5 authenticator that is considered by
+ * the MIT as replay (Two valid MS authenticators may contain the same time
+ * and utime fields and only differ in the sequential numbers).
+ */
+ snprintf(buf, sizeof(buf), "%s/%s", conf->krb_service_name,
+ ap_get_server_name(r));
 input_token.value = buf;
 input_token.length = strlen(buf) + 1;
@@ -896,6 +904,7 @@ get_gss_creds(request_rec *r,
 "gss_import_name() failed"));
 return HTTP_INTERNAL_SERVER_ERROR;
 }
+#endif
 major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
 GSS_C_NO_OID_SET, GSS_C_ACCEPT,
-- 
2.1.4
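Review bot: Wrapping the `gss_import_name()` path in `#if 0` leaves `server_name` as `GSS_C_NO_NAME` when it reaches `gss_acquire_cred()`, which under GSS-API semantics means the acceptor credential is bound to no particular principal and (presumably, with MIT's keytab-backed acceptor) any principal present in the keytab will be accepted; the configured `conf->krb_service_name` is now silently ignored, so a keytab shared with other services lets a ticket for one of those principals authenticate to this vhost. The new comment also states the intent plainly: the change is made so that MIT 1.3 does not use its replay cache, i.e. AP-REQ replay detection is deliberately switched off for every client, not just Microsoft ones, and nothing in the hunk warns the operator of either effect. At minimum the comment should say so explicitly, e.g. `/* SECURITY: server_name stays GSS_C_NO_NAME, so any keytab principal is accepted and the MIT replay cache is bypassed; KrbServiceName has no effect here. */`, and the behaviour would be better gated on a runtime configuration option than on `#if 0`, which also leaves `buf` unused and dead code in the tree. `get_gss_creds()` begins before the first hunk and continues past the second.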