r20406: Metze's change in -r 19662 broke Kerberos logins from Win2k3.
The reason is long and complex, but is due to forwardable tickets:
We would extract the forwardable ticket from the GSSAPI payload, and
look for the expiry time of the ticket for krbtgt/REALM@REALM.
However, with -r 19662 the ticket is given to the client as being for
krbtgt/realm@REALM, as it asked for a lower case realm. Heimdal is
case sensitive for realms, and bails out. (It should just not store
the forwarded ticket).
We need to co-ordinate changes in the KDC with relaxation of checks in
Heimdal, and a better kerberos behaviour testsuite.
Andrew Bartlett
(This used to be commit be4c1a36b0
)
This commit is contained in:
parent
d97302d539
commit
cb785a891b
@ -630,6 +630,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
|
||||
struct ldb_message **realm_ref_msg = NULL;
|
||||
struct ldb_dn *realm_dn;
|
||||
|
||||
krb5_principal alloc_principal = NULL;
|
||||
if (principal->name.name_string.len != 2
|
||||
|| (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
|
||||
/* Not a krbtgt */
|
||||
@ -640,6 +641,30 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
|
||||
if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
|
||||
mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) {
|
||||
/* us */
|
||||
/* Cludge, cludge cludge. If the realm part of krbtgt/realm,
|
||||
* is in our db, then direct the caller at our primary
|
||||
* krgtgt */
|
||||
|
||||
const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL);
|
||||
char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
|
||||
if (!realm_fixed) {
|
||||
krb5_set_error_string(context, "strupper_talloc: out of memory");
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
ret = krb5_copy_principal(context, principal, &alloc_principal);
|
||||
if (ret) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
free(alloc_principal->name.name_string.val[1]);
|
||||
alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
|
||||
talloc_free(realm_fixed);
|
||||
if (!alloc_principal->name.name_string.val[1]) {
|
||||
krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
|
||||
return ENOMEM;
|
||||
}
|
||||
principal = alloc_principal;
|
||||
realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg[0], "nCName", NULL);
|
||||
} else {
|
||||
/* we should lookup trusted domains */
|
||||
|
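Review bot: The strdup() failure branch returns ENOMEM while alloc_principal, allocated by the krb5_copy_principal() call a few lines above, is still live, so that early return leaks the copied principal unless a cleanup after the hunk frees it; add `krb5_free_principal(context, alloc_principal);` before that `return ENOMEM;`. Separately, ldb_msg_find_attr_as_string() is called with a NULL default, so a realm entry without a dnsRoot attribute hands a NULL dnsdomain to strupper_talloc(); whether that helper tolerates NULL is not visible here, and if it returns NULL the "out of memory" error string would be misleading, so a guard such as `if (!dnsdomain) { krb5_set_error_string(context, "realm entry has no dnsRoot"); return EINVAL; }` placed before the strupper_talloc() call would make the failure diagnosable. The strdup error string names "LDB_fetch" although this function is LDB_fetch_krbtgt, which will mislead anyone grepping logs. LDB_fetch_krbtgt's body continues outside the hunk on both sides, including whatever frees alloc_principal on the success path.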