
third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))

This allows HDB backends to do special handling for
User2User TGS-REQs. The main reason is to let
the HDB_F_GET_SERVER lookup succeed even for
non-computer accounts. In Samba these are typically
not returned in HDB_F_GET_SERVER in order to avoid
generating tickets with the user password.

But for User2User the account password is not used,
so it is safe to return the server entry.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org Adapted to be an import from lorikeet-heimdal as requested]
This commit is contained in:
Stefan Metzmacher 2023-10-16 12:33:15 +13:00
parent c99fe118fd
commit cbb8145d0c
2 changed files with 7 additions and 1 deletions


@ -1375,6 +1375,7 @@ tgs_build_reply(astgs_request_t priv,
Key *tkey_sign;
int flags = HDB_F_FOR_TGS_REQ;
int server_flags;
int result;
@ -1396,6 +1397,10 @@ tgs_build_reply(astgs_request_t priv,
if (b->kdc_options.canonicalize)
flags |= HDB_F_CANON;
server_flags = HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags;
if (b->kdc_options.enc_tkt_in_skey)
server_flags |= HDB_F_USER2USER_PRINCIPAL;
if (s == NULL) {
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
_kdc_set_const_e_text(priv, "No server in request");
@ -1433,7 +1438,7 @@ server_lookup:
_kdc_free_ent(context, serverdb, priv->server);
priv->server = NULL;
ret = _kdc_db_fetch(context, config, priv->server_princ,
HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags,
server_flags,
NULL, &serverdb, &priv->server);
priv->serverdb = serverdb;
if (ret == HDB_ERR_NOT_FOUND_HERE) {
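Review bot: `server_flags` is computed once at `server_flags = HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags;` but consumed at the `_kdc_db_fetch` call under the `server_lookup:` label, whose name suggests it is a goto target; the old code OR-ed `flags` in at call time, so if anything between the assignment and the label (outside this hunk) updates `flags`, the fetch now runs with a stale value — worth confirming, or moving the two new lines next to the fetch. Separately, `HDB_F_USER2USER_PRINCIPAL` is derived purely from the client-supplied `enc_tkt_in_skey` option, so a backend that relaxes its HDB_F_GET_SERVER filtering on this flag is trusting the KDC never to use the returned entry's long-term keys for that request. A comment at the `server_flags |= HDB_F_USER2USER_PRINCIPAL;` line stating that invariant, e.g. `/* user2user: the ticket is sealed with the additional ticket's session key, never the server's long-term key, so the HDB may return entries it would otherwise hide from GET_SERVER lookups */`, would make the contract explicit at the point where it is relied upon. tgs_build_reply starts and ends outside these hunks.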


@ -78,6 +78,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
#define HDB_F_SYNTHETIC_OK 0x10000 /* synthetic principal for PKINIT or GSS preauth OK */
#define HDB_F_GET_FAST_COOKIE 0x20000 /* fetch the FX-COOKIE key (not a normal principal) */
#define HDB_F_ARMOR_PRINCIPAL 0x40000 /* fetch is for the client of an armor ticket */
#define HDB_F_USER2USER_PRINCIPAL 0x80000 /* fetch is for the server of a user2user tgs-req */
/* hdb_capability_flags */
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
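Review bot: The comment on the new `HDB_F_USER2USER_PRINCIPAL` line says what the fetch is for but not what a backend is permitted to do differently, which per the commit message is the whole purpose of the flag; suggest `/* fetch is for the server of a user2user tgs-req; set together with HDB_F_GET_SERVER, and a backend may return entries it would otherwise withhold from GET_SERVER because the entry's long-term keys are not used for the ticket */`. If it holds that the flag is never set without HDB_F_GET_SERVER, saying so here spares backends from having to handle that combination.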