1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

r19662: windows 2003 kdc's only rewrite the realm to the full form,

when the client is using the netbios domain name as realm.

we should match this and not rewrite the principal.

This matches what windows give:

metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator@SERNOXDOM4
administrator@SERNOXDOM4's Password:

metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist
Credentials cache: FILE:/tmp/krb5cc_10000
Principal: administrator@SERNOXDOM4.MX.BASE

Issued           Expires          Principal
Nov 11 13:37:52  Nov 11 23:37:52  krbtgt/SERNOXDOM4@SERNOXDOM4.MX.BASE

Note:
I need to disable the principal checks in heimdal's
_krb5_extract_ticket() for the kinit to work.

Any ideas how to change heimdal to support this.

For the service principal we should use
the realm and principal in req->kdc_rep.enc_part
instead of the unencrypted req->kdc.ticket.sname
and req->kdc.ticket.realm to have a trusted value.

I'm not sure what we can do with the client realm...

metze
(This used to be commit cfee02143f)
This commit is contained in:
Stefan Metzmacher 2006-11-11 12:52:04 +00:00 committed by Gerald (Jerry) Carter
parent 71846e31fd
commit 3ba2a9dfcf

View File

@ -632,7 +632,6 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
struct ldb_message **realm_ref_msg = NULL;
const struct ldb_dn *realm_dn;
krb5_principal alloc_principal = NULL;
if (principal->name.name_string.len != 2
|| (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
/* Not a krbtgt */
@ -642,33 +641,8 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
/* krbtgt case. Either us or a trusted realm */
if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) {
/* us */
/* Cludge, cludge cludge. If the realm part of krbtgt/realm,
* is in our db, then direct the caller at our primary
* krgtgt */
const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL);
char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
if (!realm_fixed) {
krb5_set_error_string(context, "strupper_talloc: out of memory");
return ENOMEM;
}
ret = krb5_copy_principal(context, principal, &alloc_principal);
if (ret) {
return ret;
}
free(alloc_principal->name.name_string.val[1]);
alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
talloc_free(realm_fixed);
if (!alloc_principal->name.name_string.val[1]) {
krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
return ENOMEM;
}
principal = alloc_principal;
/* us */
realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
} else {
/* we should lookup trusted domains */
return HDB_ERR_NOENTRY;