From: Jeffrey Altman Date: Tue, 6 Apr 2004 17:36:44 +0000 (+0000) Subject: * cc_mslsa.c: X-Git-Tag: krb5-1.4-beta1~499 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=0f70ce0814ae83623a1188210fa36071d4ddec79;p=krb5.git * cc_mslsa.c: In at least one case on Win2003 it appears that it is possible for the logon session to be authenticated via NTLM and yet for there to be Kerberos credentials obtained by the LSA on behalf of the logged in user. Therefore, we are removing the test for IsKerberosLogon() within krb5_lcc_resolve() which was meant to avoid the need to perform GetMSTGT() when there was no possibility of credentials being found. ticket: new tags: pullup target_version: next git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16235 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog index 61e7a665c..ad73c2a54 100644 --- a/src/lib/krb5/ccache/ChangeLog +++ b/src/lib/krb5/ccache/ChangeLog @@ -1,3 +1,14 @@ +2004-04-06 Jeffrey Altman + + * cc_mslsa.c: + In at least one case on Win2003 it appears that it is possible + for the logon session to be authenticated via NTLM and yet for + there to be Kerberos credentials obtained by the LSA on behalf + of the logged in user. Therefore, we are removing the test + for IsKerberosLogon() within krb5_lcc_resolve() + which was meant to avoid the need to perform GetMSTGT() when + there was no possibility of credentials being found. + 2004-03-31 Jeffrey Altman * cc_mslsa.c: Add IsWindows2000() function and use it to return diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c index 0caf65a28..9d0675359 100644 --- a/src/lib/krb5/ccache/cc_mslsa.c +++ b/src/lib/krb5/ccache/cc_mslsa.c @@ -1126,8 +1126,17 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) if (!IsWindows2000()) return KRB5_FCC_NOFILE; +#ifdef COMMENT + /* In at least one case on Win2003 it appears that it is possible + * for the logon session to be authenticated via NTLM and yet for + * there to be Kerberos credentials obtained by the LSA on behalf + * of the logged in user. Therefore, we are removing this test + * which was meant to avoid the need to perform GetMSTGT() when + * there was no possibility of credentials being found. + */ if (!IsKerberosLogon()) return KRB5_FCC_NOFILE; +#endif if(!PackageConnectLookup(&LogonHandle, &PackageId)) return KRB5_FCC_NOFILE;