s3:libads: Return canonical principal and realm from kerberos_return_pac()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

source3/libads/authdata.c

@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 			     time_t renewable_time,
 			     const char *impersonate_princ_s,
 			     const char *local_service,
+			     char **_canon_principal,
+			     char **_canon_realm,
 			     struct PAC_DATA_CTR **_pac_data_ctr)
 {
 	krb5_error_code ret;
@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 	struct auth4_context *auth_context;
 	struct loadparm_context *lp_ctx;
 	struct PAC_DATA_CTR *pac_data_ctr = NULL;
+	char *canon_principal = NULL;
+	char *canon_realm = NULL;
 
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 		goto out;
 	}
 
+	if (_canon_principal != NULL) {
+		*_canon_principal = NULL;
+	}
+
+	if (_canon_realm != NULL) {
+		*_canon_realm = NULL;
+	}
+
 	if (cache_name) {
 		cc = cache_name;
 	}
@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 					  request_pac,
 					  add_netbios_addr,
 					  renewable_time,
-					  NULL, NULL, NULL,
+					  tmp_ctx,
+					  &canon_principal,
+					  &canon_realm,
 					  &status);
 	if (ret) {
 		DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 	}
 
 	*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
+	if (_canon_principal != NULL) {
+		*_canon_principal = talloc_move(mem_ctx, &canon_principal);
+	}
+	if (_canon_realm != NULL) {
+		*_canon_realm = talloc_move(mem_ctx, &canon_realm);
+	}
 
 out:
 	talloc_free(tmp_ctx);

source3/libads/kerberos_proto.h

@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 			     time_t renewable_time,
 			     const char *impersonate_princ_s,
 			     const char *local_service,
+			     char **_canon_principal,
+			     char **_canon_realm,
 			     struct PAC_DATA_CTR **pac_data_ctr);
 
 /* The following definitions come from libads/krb5_setpw.c  */

source3/utils/net_ads.c

@@ -2976,6 +2976,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
 				     2592000, /* one month */
 				     impersonate_princ_s,
 				     local_service,
+				     NULL,
+				     NULL,
 				     pac_data_ctr);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf(_("failed to query kerberos PAC: %s\n"),

source3/winbindd/winbindd_pam.c

@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 				     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
 				     NULL,
 				     local_service,
+				     NULL,
+				     NULL,
 				     &pac_data_ctr);
 	if (user_ccache_file != NULL) {
 		gain_root_privilege();