s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

source3/libads/authdata.c

@@ -170,6 +170,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 					  request_pac,
 					  add_netbios_addr,
 					  renewable_time,
+					  NULL, NULL, NULL,
 					  &status);
 	if (ret) {
 		DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",

source3/libads/kerberos.c

@@ -106,7 +106,7 @@ kerb_prompter(krb5_context ctx, void *data,
   place in default cache location.
   remus@snapserver.com
 */
-int kerberos_kinit_password_ext(const char *principal,
+int kerberos_kinit_password_ext(const char *given_principal,
 				const char *password,
 				int time_offset,
 				time_t *expire_time,
@@ -115,8 +115,12 @@ int kerberos_kinit_password_ext(const char *principal,
 				bool request_pac,
 				bool add_netbios_addr,
 				time_t renewable_time,
+				TALLOC_CTX *mem_ctx,
+				char **_canon_principal,
+				char **_canon_realm,
 				NTSTATUS *ntstatus)
 {
+	TALLOC_CTX *frame = talloc_stackframe();
 	krb5_context ctx = NULL;
 	krb5_error_code code = 0;
 	krb5_ccache cc = NULL;
@@ -125,6 +129,8 @@ int kerberos_kinit_password_ext(const char *principal,
 	krb5_creds my_creds;
 	krb5_get_init_creds_opt *opt = NULL;
 	smb_krb5_addresses *addr = NULL;
+	char *canon_principal = NULL;
+	char *canon_realm = NULL;
 
 	ZERO_STRUCT(my_creds);
 
@@ -132,6 +138,7 @@ int kerberos_kinit_password_ext(const char *principal,
 	if (code != 0) {
 		DBG_ERR("kerberos init context failed (%s)\n",
 			error_message(code));
+		TALLOC_FREE(frame);
 		return code;
 	}
 
@@ -139,16 +146,16 @@ int kerberos_kinit_password_ext(const char *principal,
 		krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
 	}
 
-	DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n",
-			principal,
-			cache_name ? cache_name: krb5_cc_default_name(ctx),
-			getenv("KRB5_CONFIG")));
+	DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n",
+		  given_principal,
+		  cache_name ? cache_name: krb5_cc_default_name(ctx),
+		  getenv("KRB5_CONFIG"));
 
 	if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
 		goto out;
 	}
 
-	if ((code = smb_krb5_parse_name(ctx, principal, &me))) {
+	if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) {
 		goto out;
 	}
 
@@ -195,6 +202,22 @@ int kerberos_kinit_password_ext(const char *principal,
 	canon_princ = me;
 #endif /* MIT */
 
+	code = smb_krb5_unparse_name(frame,
+				     ctx,
+				     canon_princ,
+				     &canon_principal);
+	if (code != 0) {
+		goto out;
+	}
+
+	DBG_DEBUG("%s mapped to %s\n", given_principal, canon_principal);
+
+	canon_realm = smb_krb5_principal_get_realm(frame, ctx, canon_princ);
+	if (canon_realm == NULL) {
+		code = ENOMEM;
+		goto out;
+	}
+
 	if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) {
 		goto out;
 	}
@@ -210,6 +233,13 @@ int kerberos_kinit_password_ext(const char *principal,
 	if (renew_till_time) {
 		*renew_till_time = (time_t) my_creds.times.renew_till;
 	}
+
+	if (_canon_principal != NULL) {
+		*_canon_principal = talloc_move(mem_ctx, &canon_principal);
+	}
+	if (_canon_realm != NULL) {
+		*_canon_realm = talloc_move(mem_ctx, &canon_realm);
+	}
  out:
 	if (ntstatus) {
 		/* fast path */
@@ -239,6 +269,7 @@ int kerberos_kinit_password_ext(const char *principal,
 	if (ctx) {
 		krb5_free_context(ctx);
 	}
+	TALLOC_FREE(frame);
 	return code;
 }
 
@@ -328,6 +359,9 @@ int kerberos_kinit_password(const char *principal,
 					   False,
 					   False,
 					   0,
+					   NULL,
+					   NULL,
+					   NULL,
 					   NULL);
 }
 

source3/libads/kerberos_proto.h

@@ -45,7 +45,7 @@ struct PAC_DATA_CTR {
 
 /* The following definitions come from libads/kerberos.c  */
 
-int kerberos_kinit_password_ext(const char *principal,
+int kerberos_kinit_password_ext(const char *given_principal,
 				const char *password,
 				int time_offset,
 				time_t *expire_time,
@@ -54,6 +54,9 @@ int kerberos_kinit_password_ext(const char *principal,
 				bool request_pac,
 				bool add_netbios_addr,
 				time_t renewable_time,
+				TALLOC_CTX *mem_ctx,
+				char **_canon_principal,
+				char **_canon_realm,
 				NTSTATUS *ntstatus);
 int ads_kdestroy(const char *cc_name);
 

source3/libads/kerberos_util.c

@@ -66,7 +66,8 @@ int ads_kinit_password(ADS_STRUCT *ads)
 					  ads->auth.time_offset,
 					  &ads->auth.tgt_expire, NULL,
 					  ads->auth.ccache_name, false, false,
-					  ads->auth.renewable, NULL);
+					  ads->auth.renewable,
+					  NULL, NULL, NULL, NULL);
 
 	if (ret) {
 		DEBUG(0,("kerberos_kinit_password %s failed: %s\n",

source3/utils/net_ads.c

@@ -3353,6 +3353,9 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **
 					  true,
 					  true,
 					  2592000, /* one month */
+					  NULL,
+					  NULL,
+					  NULL,
 					  &status);
 	if (ret) {
 		d_printf(_("failed to kinit password: %s\n"),

source3/winbindd/winbindd_cred_cache.c

@@ -146,6 +146,9 @@ rekinit:
 							  False, /* no PAC required anymore */
 							  True,
 							  WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+							  NULL,
+							  NULL,
+							  NULL,
 							  NULL);
 			gain_root_privilege();
 
@@ -343,6 +346,9 @@ static void krb5_ticket_gain_handler(struct tevent_context *event_ctx,
 					  False, /* no PAC required anymore */
 					  True,
 					  WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+					  NULL,
+					  NULL,
+					  NULL,
 					  NULL);
 	gain_root_privilege();