mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
s4:kdc: fix realm for outgoing trusts in samba_kdc_trust_message2entry()
This is a regression introduced in commit 8dd37327b0.

Now we change 'realm' before calling

  ret = krb5_principal_set_realm(context, entry_ex->entry.principal, realm);

as before commit 8dd37327b0.

Without this we'd set entry_ex->entry.principal to krbtgt/DOMA.EXAMPLE.COM@DOMA.EXAMPLE.COM instead of krbtgt/DOMA.EXAMPLE.COM@DOMB.EXAMPLE.COM, while we use krbtgt/DOMA.EXAMPLE.COM@DOMB.EXAMPLE.COM as salt for the keys.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Mar 18 18:56:51 CET 2015 on sn-devel-104
parent
9d0f7e1766
commit
8421c403e2
@ -965,6 +965,32 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
|
||||
supported_enctypes);
|
||||
}
|
||||
|
||||
trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
|
||||
|
||||
if (direction == INBOUND) {
|
||||
password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
|
||||
|
||||
} else { /* OUTBOUND */
|
||||
dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
|
||||
/* replace realm */
|
||||
realm = strupper_talloc(mem_ctx, dnsdomain);
|
||||
password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
|
||||
}
|
||||
|
||||
if (!password_val || !(trust_direction_flags & direction)) {
|
||||
krb5_clear_error_message(context);
|
||||
ret = HDB_ERR_NOENTRY;
|
||||
goto out;
|
||||
}
|
||||
|
||||
ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, &password_blob,
|
||||
(ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
|
||||
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
||||
krb5_clear_error_message(context);
|
||||
ret = EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
p = talloc(mem_ctx, struct samba_kdc_entry);
|
||||
if (!p) {
|
||||
ret = ENOMEM;
|
||||
@ -1023,33 +1049,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
|
||||
|
||||
entry_ex->entry.valid_start = NULL;
|
||||
|
||||
trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
|
||||
|
||||
if (direction == INBOUND) {
|
||||
password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
|
||||
|
||||
} else { /* OUTBOUND */
|
||||
dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
|
||||
/* replace realm */
|
||||
realm = strupper_talloc(mem_ctx, dnsdomain);
|
||||
password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
|
||||
}
|
||||
|
||||
if (!password_val || !(trust_direction_flags & direction)) {
|
||||
krb5_clear_error_message(context);
|
||||
ret = HDB_ERR_NOENTRY;
|
||||
goto out;
|
||||
}
|
||||
|
||||
ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, &password_blob,
|
||||
(ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
|
||||
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
||||
krb5_clear_error_message(context);
|
||||
ret = EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
||||
/* we need to work out if we are going to use the current or
|
||||
* the previous password hash.
|
||||
* We base this on the kvno the client passes in. If the kvno
|
||||
|
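Review bot: In the OUTBOUND branch of the block this commit moves up, `realm` is overwritten with `strupper_talloc(mem_ctx, dnsdomain)` and neither value is checked: `trustPartner` is read with a NULL default, and the uppercased copy can presumably come back NULL on allocation failure. Per the commit message this `realm` now reaches `krb5_principal_set_realm()` and has to match the key salt, so a trust object without `trustPartner` could pass a NULL realm into the Kerberos library instead of being rejected as a missing entry. I would fail both cases explicitly before reading `trustAuthOutgoing`, as sketched below. The function starts and ends outside the hunk, so it should also be confirmed that the `out:` cleanup is safe this early, before `p` is allocated.

```c
	} else { /* OUTBOUND */
		dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
		if (dnsdomain == NULL) {
			/* no partner name: there is no realm to issue the krbtgt for */
			krb5_clear_error_message(context);
			ret = HDB_ERR_NOENTRY;
			goto out;
		}
		/* replace realm */
		realm = strupper_talloc(mem_ctx, dnsdomain);
		if (realm == NULL) {
			krb5_clear_error_message(context);
			ret = ENOMEM;
			goto out;
		}
		password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
	}
	/* … unchanged: trustDirection check and ndr_pull_struct_blob() … */
```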