1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

s4:kdc: fix realm for outgoing trusts in samba_kdc_trust_message2entry()

This is a regression introduced in commit
8dd37327b0.

Now we change 'realm' before calling
ret = krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
as before commit 8dd37327b0.

Without this we'd set entry_ex->entry.principal to
krbtgt/DOMA.EXAMPLE.COM@DOMA.EXAMPLE.COM instead
of krbtgt/DOMA.EXAMPLE.COM@DOMB.EXAMPLE.COM,
while we use krbtgt/DOMA.EXAMPLE.COM@DOMB.EXAMPLE.COM as
salt for the keys.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Mar 18 18:56:51 CET 2015 on sn-devel-104
This commit is contained in:
Stefan Metzmacher 2015-03-15 22:25:49 +01:00
parent 9d0f7e1766
commit 8421c403e2

View File

@ -965,6 +965,32 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
supported_enctypes);
}
trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
if (direction == INBOUND) {
password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
} else { /* OUTBOUND */
dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
/* replace realm */
realm = strupper_talloc(mem_ctx, dnsdomain);
password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
}
if (!password_val || !(trust_direction_flags & direction)) {
krb5_clear_error_message(context);
ret = HDB_ERR_NOENTRY;
goto out;
}
ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, &password_blob,
(ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
krb5_clear_error_message(context);
ret = EINVAL;
goto out;
}
p = talloc(mem_ctx, struct samba_kdc_entry);
if (!p) {
ret = ENOMEM;
@ -1023,33 +1049,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
entry_ex->entry.valid_start = NULL;
trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
if (direction == INBOUND) {
password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
} else { /* OUTBOUND */
dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
/* replace realm */
realm = strupper_talloc(mem_ctx, dnsdomain);
password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
}
if (!password_val || !(trust_direction_flags & direction)) {
krb5_clear_error_message(context);
ret = HDB_ERR_NOENTRY;
goto out;
}
ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, &password_blob,
(ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
krb5_clear_error_message(context);
ret = EINVAL;
goto out;
}
/* we need to work out if we are going to use the current or
* the previous password hash.
* We base this on the kvno the client passes in. If the kvno