Hi Sam,
I've attempted to backport the patch for the 1.8/1.9 branch to Squeeze's
1.8.3+dfsg-4 release of libkrb53.
In my limited testing, this works flawlessly in my environment; however, I
imagine further testing may be required.
Patch below:
---------------
--- get_in_tkt.c.orig 2011-03-07 10:01:18.000000000 +1100
+++ get_in_tkt.c 2011-03-07 09:58:53.000000000 +1100
@@ -1023,8 +1023,21 @@ build_in_tkt_name(krb5_context context,
client->realm.length,
client->realm.data,
0);
- }
- return ret;
+ if (ret)
+ return ret;
+ }
+
+ /* Windows Server 2008 R2 RODC insists on TGS principal names having the
+ * right name type.
+ */
+
+ if (krb5_princ_size(context, *server) == 2 &&
+ data_eq_string(*krb5_princ_component(context, *server, 0),
+ KRB5_TGS_NAME)) {
+
+ krb5_princ_type(context, *server) = KRB5_NT_SRV_INST;
+ }
+ return 0;
}
void KRB5_CALLCONV
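Review bot: The final `return 0;` at the end of the hunk replaces `return ret;`, which is only equivalent if no path can reach this point with a non-zero `ret` other than the one now caught by the added `if (ret) return ret;` inside the block. The visible lines cover that one call only, so check the rest of build_in_tkt_name in the 1.8.3 tree, or keep `return ret;` at the end. It is also worth confirming that `data_eq_string` is available in 1.8.3, since the new condition calls it, and the blank lines after the comment and after the opening brace of the new `if` could be dropped.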
---------------
Kind Regards,
Jonathan
-----Original Message-----
From: Sam Hartman [mailto:[email protected]]
Sent: Saturday, 5 March 2011 1:51 AM
To: Jonathan Thorpe
Cc: [email protected]; Debian Bug Tracking System
Subject: Re: Bug#616429: libkrb53: Unable to authenticate with Win2K8R2 RODC -
TGS principle name incorrect
severity 616429 serious
thanks
I'll definitely apply this to stable.
I do not plan to update oldstable for this, although I would not object if someone
wanted to do the work to make that possible.
(I suspect there's not actually a process for doing so though)