1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:kdc: Set entry.flags.force_canonicalize to override the new Heimdal behaviour

This is needed to give hdb_samba4 the full control over the returned
principal, rather than the new code in the Heimdal KDC.

Including changes selected from code by Stefan Metzmacher <metze@samba.org>
in his Heimdal upgrade branch.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andrew Bartlett 2021-06-23 11:35:01 +12:00 committed by Joseph Sutton
parent eb5c3bb951
commit 8329e8d469
3 changed files with 9 additions and 2 deletions

View File

@ -966,6 +966,13 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
/* First try and figure out the flags based on the userAccountControl */
entry_ex->entry.flags = uf2SDBFlags(context, userAccountControl, ent_type);
/*
* Take control of the returned principal here, rather than
* allowing the Heimdal code to do it as we have specific
* behaviour around the forced realm to honour
*/
entry_ex->entry.flags.force_canonicalize = true;
/* Windows 2008 seems to enforce this (very sensible) rule by
* default - don't allow offline attacks on a user's password
* by asking for a ticket to them as a service (encrypted with

View File

@ -76,7 +76,7 @@ struct SDBFlags {
unsigned int _unused27:1;
unsigned int _unused28:1;
unsigned int _unused29:1;
unsigned int _unused30:1;
unsigned int force_canonicalize:1;
unsigned int do_not_store:1;
};

View File

@ -63,7 +63,7 @@ static void sdb_flags_to_hdb_flags(const struct SDBFlags *s,
h->_unused27 = s->_unused27;
h->_unused28 = s->_unused28;
h->_unused29 = s->_unused29;
h->_unused30 = s->_unused30;
h->force_canonicalize = s->force_canonicalize;
h->do_not_store = s->do_not_store;
}