mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s4:kdc: Set entry.flags.force_canonicalize to override the new Heimdal behaviour
This is needed to give hdb_samba4 the full control over the returned principal, rather than the new code in the Heimdal KDC.

Including changes selected from code by Stefan Metzmacher <metze@samba.org> in his Heimdal upgrade branch.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
parent
eb5c3bb951
commit
8329e8d469
@ -966,6 +966,13 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
|
||||
/* First try and figure out the flags based on the userAccountControl */
|
||||
entry_ex->entry.flags = uf2SDBFlags(context, userAccountControl, ent_type);
|
||||
|
||||
/*
|
||||
* Take control of the returned principal here, rather than
|
||||
* allowing the Heimdal code to do it as we have specific
|
||||
* behaviour around the forced realm to honour
|
||||
*/
|
||||
entry_ex->entry.flags.force_canonicalize = true;
|
||||
|
||||
/* Windows 2008 seems to enforce this (very sensible) rule by
|
||||
* default - don't allow offline attacks on a user's password
|
||||
* by asking for a ticket to them as a service (encrypted with
|
||||
|
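Review bot: The comment added above `entry_ex->entry.flags.force_canonicalize = true;` says why hdb_samba4 wants control, but not what the flag now obliges this function to do, and the assignment is unconditional for every `ent_type`. Going by the commit description, once the flag is set the KDC returns the principal held in the entry instead of applying its own canonicalization logic, so whatever name and realm samba_kdc_message2entry stores further down is what ends up in the reply. I would extend the comment with a line such as `* From here on the principal we store in this entry is returned verbatim, so every ent_type path below must set the exact name and realm we intend to issue.` The function starts and ends outside this hunk, so those paths are not visible here and are worth checking for each entry type.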
@ -76,7 +76,7 @@ struct SDBFlags {
|
||||
unsigned int _unused27:1;
|
||||
unsigned int _unused28:1;
|
||||
unsigned int _unused29:1;
|
||||
unsigned int _unused30:1;
|
||||
unsigned int force_canonicalize:1;
|
||||
unsigned int do_not_store:1;
|
||||
};
|
||||
|
||||
|
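Review bot: `force_canonicalize` is declared in struct SDBFlags without a comment, although unlike the `_unusedNN` placeholders around it, it changes how the KDC names the principal in replies. A one-line comment at the declaration would help, for example `/* return the entry's principal even if the client did not request canonicalization */`. The struct begins outside the hunk, so whether the other flags carry comments cannot be seen from here.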
@ -63,7 +63,7 @@ static void sdb_flags_to_hdb_flags(const struct SDBFlags *s,
|
||||
h->_unused27 = s->_unused27;
|
||||
h->_unused28 = s->_unused28;
|
||||
h->_unused29 = s->_unused29;
|
||||
h->_unused30 = s->_unused30;
|
||||
h->force_canonicalize = s->force_canonicalize;
|
||||
h->do_not_store = s->do_not_store;
|
||||
}
|
||||
|
||||
|