
Re: enc_part2?



On Mon, Dec 10, 2001 at 04:05:05PM +0100, Torbjörn Lindh wrote:
> I am trying to get postgres 7.1.3 to use heimdal rather than vanilla MIT krb5,
> but after fixing a few minor things I have come across a bit of a stumble.
> 
> In a server side file it says:
> 
> -----------------------------
> /*
>  * The "client" structure comes out of the ticket and is therefore
>  * authenticated.  Use it to check the username obtained from the
>  * postmaster startup packet.
>  *
>  * I have no idea why this is considered necessary.
>  */
> 
> static int
> pg_krb5_recvauth(Port *port)
> {
>   krb5_error_code retval;
>   int ret;
>   krb5_auth_context auth_context = NULL;
>   krb5_ticket *ticket;
>   char *kusername;
> 
>   ...
>   retval = krb5_unparse_name(pg_krb5_context, ticket->enc_part2->client,
>                              &kusername);
> -----------------------------
> 
> but krb5.h says:
> 
> typedef struct krb5_ticket {
>   EncTicketPart ticket;
>   krb5_principal client;
>   krb5_principal server;
> } krb5_ticket;
> 
> I don't have any vanilla MIT krb5 so I cannot compare the ticket formats...  
> unparse_name wants a principal, so I have tried giving it both client and
> server, which, not surprisingly, did not work (Unknown error with a tremendous
> error number).
> 
MIT krb5 1.2.2:
typedef struct _krb5_ticket {
    krb5_magic magic;
    /* cleartext portion */
    krb5_principal server;              /* server name/realm */
    krb5_enc_data enc_part;             /* encryption type, kvno, encrypted
                                           encoding */
    krb5_enc_tkt_part FAR *enc_part2;   /* ptr to decrypted version, if
                                           available */
} krb5_ticket;

AFAIK using ticket->client instead of ticket->enc_part2->client should
work with heimdal.

--
Dan
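
The field difference discussed in this thread, as an added example that is not part of the original messages or of PostgreSQL's code; it also covers the case where MIT's enc_part2 is NULL because no decrypted part is available, and the user name check fails closed. Assumptions: the types are reduced stand-ins for the two quoted krb5_ticket layouts, the principal is modelled as an unparsed "user@REALM" string, and principal_t, mit_client, heimdal_client and client_matches are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for krb5_principal (constructed): an unparsed "user@REALM" string. */
typedef const char *principal_t;

/* MIT layout from the reply above, reduced to the fields used here. */
typedef struct { principal_t client; } mit_enc_tkt_part;
typedef struct {
    principal_t server;
    mit_enc_tkt_part *enc_part2;  /* decrypted part; NULL if not available */
} mit_ticket;

/* Heimdal layout from the question above, reduced to the fields used here. */
typedef struct { principal_t client; principal_t server; } heimdal_ticket;

/* Hypothetical accessors: the authenticated client, or NULL if there is none. */
static principal_t mit_client(const mit_ticket *t)
{
    return (t && t->enc_part2) ? t->enc_part2->client : NULL;
}

static principal_t heimdal_client(const heimdal_ticket *t)
{
    return t ? t->client : NULL;
}

/* Hypothetical check: does the local part of the client principal equal the
   user name from the startup packet? Fails closed on missing input. */
static int client_matches(principal_t client, const char *startup_user)
{
    const char *at;
    size_t n;

    if (!client || !startup_user || !*startup_user)
        return 0;
    at = strchr(client, '@');
    n = at ? (size_t)(at - client) : strlen(client);
    return strlen(startup_user) == n && strncmp(client, startup_user, n) == 0;
}

int main(void)
{
    mit_enc_tkt_part part = { "alice@EXAMPLE.ORG" };   /* constructed sample */
    mit_ticket mit = { "postgres/db@EXAMPLE.ORG", &part };
    heimdal_ticket hdl = { "alice@EXAMPLE.ORG", "postgres/db@EXAMPLE.ORG" };

    printf("%d %d\n", client_matches(mit_client(&mit), "alice"),
           client_matches(heimdal_client(&hdl), "alice"));
    return 0;
}
```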