From: Tom Yu Date: Tue, 23 Mar 2010 01:58:29 +0000 (+0000) Subject: pull up r23821 from trunk X-Git-Tag: krb5-1.8.1-beta1~5 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=68156d04e3e7fc3080d8aabf366bc52b96852c49;p=krb5.git pull up r23821 from trunk ------------------------------------------------------------------------ r23821 | ghudson | 2010-03-19 20:50:06 -0700 (Fri, 19 Mar 2010) | 17 lines ticket: 6687 subject: Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 target_version: 1.8.1 tags: pullup KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data type, was used to implement PAC-less constrained delegation in krb5 1.8. Unfortunately, it was found that Microsoft was using 142 for other purposes, which could result in a ticket issued by an MIT or Heimdal KDC being rejected by a Windows Server 2008 R2 application server. Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate among a realm's KDCs, it is relatively easy to change the number, so MIT and Heimdal are both migrating to a new number. This change will cause a transitional interoperability issue when a realm mixes MIT krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal 1.3.2) KDCs, but only for constrained delegation evidence tickets. ticket: 6687 version_fixed: 1.8.1 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23828 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 63b69710a..875d14a60 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, #define KRB5_AUTHDATA_SESAME 65 #define KRB5_AUTHDATA_WIN2K_PAC 128 #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ -#define KRB5_AUTHDATA_SIGNTICKET 142 +#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */ #define KRB5_AUTHDATA_FX_ARMOR 71 /* password change constants */
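Review bot: On the changed `#define KRB5_AUTHDATA_SIGNTICKET 512` line, the comment "formerly 142 in krb5 1.8" records the old value but not why it was abandoned. The commit message says Microsoft uses 142 for other purposes, so the comment should say that 142 collides with a Microsoft authorization data type and must not be reassigned, ideally with a pointer to ticket 6687. The hunk also leaves no name for the old value in this header, so nothing visible here lets a 1.8.1 KDC recognize an evidence ticket carrying type 142 issued by a 1.8 KDC in the same realm. If that transitional break for constrained delegation is intended, as the commit message indicates, state it in the header comment or the release notes so operators of mixed-version realms know to upgrade all KDCs together.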