s4:kdc: Set entry.flags.force_canonicalize to override the new Heimdal behaviour

This is needed to give hdb_samba4 the full control over the returned
principal, rather than the new code in the Heimdal KDC.

Including changes selected from code by Stefan Metzmacher <metze@samba.org>
in his Heimdal upgrade branch.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

source4/kdc/db-glue.c

@@ -966,6 +966,13 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	/* First try and figure out the flags based on the userAccountControl */
 	entry_ex->entry.flags = uf2SDBFlags(context, userAccountControl, ent_type);
 
+	/*
+	 * Take control of the returned principal here, rather than
+	 * allowing the Heimdal code to do it as we have specific
+	 * behaviour around the forced realm to honour
+	 */
+	entry_ex->entry.flags.force_canonicalize = true;
+
 	/* Windows 2008 seems to enforce this (very sensible) rule by
 	 * default - don't allow offline attacks on a user's password
 	 * by asking for a ticket to them as a service (encrypted with

source4/kdc/sdb.h

@@ -76,7 +76,7 @@ struct SDBFlags {
 	unsigned int _unused27:1;
 	unsigned int _unused28:1;
 	unsigned int _unused29:1;
-	unsigned int _unused30:1;
+	unsigned int force_canonicalize:1;
 	unsigned int do_not_store:1;
 };
 

source4/kdc/sdb_to_hdb.c

@@ -63,7 +63,7 @@ static void sdb_flags_to_hdb_flags(const struct SDBFlags *s,
 	h->_unused27 = s->_unused27;
 	h->_unused28 = s->_unused28;
 	h->_unused29 = s->_unused29;
-	h->_unused30 = s->_unused30;
+	h->force_canonicalize = s->force_canonicalize;
 	h->do_not_store = s->do_not_store;
 }