Jennifer Sutton
That's probably the case, but I'll need to do some more testing against Windows to check what it does for different etypes.
I just addressed a flaw that I noticed in the `_kdc_pac_update()` API. I had callers pass in `is_trusted` to indicate whether or not the PAC in the TGT was trusted,...
> @josephsutton1 does the plugin need to know the `Ticket` envelope's `sname` as well?

No, I don’t believe so.

> How should we proceed with this and #1083?

[lorikeet-heimdal-202305172147](https://git.samba.org/?p=lorikeet-heimdal.git;a=shortlog;h=refs/heads/lorikeet-heimdal-202305172147) should contain these two plugin changes arranged properly (but there this commit is named “kdc: Check lifetime of correct...
Could it be because `PAC_LOGON_INFO` is missing? Samba at least requires that buffer to be present in the PACs it receives.
> I believe it's secure to return `KRB5_ERR_RESPONSE_TOO_BIG` in the outer error and dispense with FAST in that case, but I'm not sure whether that will interoperate with MIT, Windows,...
> This branch now has conflicts.

Fixed.
Rebased on master.
Now Samba will produce error messages that are a bit more helpful: `Miscellaneous failure (see text): KDC policy rejects request (NT status code 0xc0000413) (host/[email protected])`
Sigh, MSVC appears to violate the C standard by supporting `uint32_t` but not `PRIx32`.