sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-28 01:58:17 +03:00
Code

kdc: Correctly return the krbtgt/realm@REALM principal from our KDC

Browse Source 
This needs to vary depending on if the client requested the canonicalize flag

This was found by our new krb5.kdc test

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andrew Bartlett 2015-01-23 16:41:50 +13:00
parent 157539c5ad
commit c1819f5fd1
1 changed files with 31 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
source4/kdc/db-glue.c
View File

@ -639,7 +639,37 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
*/
entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
ret = krb5_copy_principal(context, principal, &entry_ex->entry.principal);
if (ret) {
return ret;
}
/*
* Windows seems to canonicalize the principal
* in a TGS REP even if the client did not specify
* the canonicalize flag.
*/
if (flags & (HDB_F_CANON|HDB_F_FOR_TGS_REQ)) {
/* When requested to do so, ensure that the
* both realm values in the principal are set
* to the upper case, canonical realm */
free(entry_ex->entry.principal->name.name_string.val[1]);
entry_ex->entry.principal->name.name_string.val[1] = strdup(lpcfg_realm(lp_ctx));
if (!entry_ex->entry.principal->name.name_string.val[1]) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
return ret;
}
}
/*
* this has to be with malloc(), and appears to be
* required regardless of the canonicalize flag from
* the client
*/
krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
} else if (flags & HDB_F_CANON) {
krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
@ -1368,30 +1398,6 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
return HDB_ERR_NOENTRY;
}
/*
* Windows seems to canonicalize the principal
* in a TGS REP even if the client did not specify
* the canonicalize flag.
*/
if (flags & (HDB_F_CANON|HDB_F_FOR_TGS_REQ)) {
ret = krb5_copy_principal(context, principal, &alloc_principal);
if (ret) {
return ret;
}
/* When requested to do so, ensure that the
* both realm values in the principal are set
* to the upper case, canonical realm */
free(alloc_principal->name.name_string.val[1]);
alloc_principal->name.name_string.val[1] = strdup(lpcfg_realm(lp_ctx));
if (!alloc_principal->name.name_string.val[1]) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
return ret;
}
principal = alloc_principal;
}
ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
principal, SAMBA_KDC_ENT_TYPE_KRBTGT,
flags, realm_dn, msg, entry_ex);