
s4:auth: use the correct client realm in gensec_gssapi_update_internal()

The function gensec_gssapi_client_creds() may call kinit and get
a TGT for the user. The principal provided by the user may not
be canonicalized: the user may use 'given.last@example.com',
but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.

It means we should use client_realm = AD.EXAMPLE.PRIVATE
instead of client_realm = EXAMPLE.COM

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
This commit is contained in:
Stefan Metzmacher 2019-09-17 08:05:09 +02:00 committed by Günther Deschner
parent acbf922fc2
commit db8fd3d6a3


@ -437,8 +437,6 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
const char *target_principal = gensec_get_target_principal(gensec_security); const char *target_principal = gensec_get_target_principal(gensec_security);
const char *hostname = gensec_get_target_hostname(gensec_security); const char *hostname = gensec_get_target_hostname(gensec_security);
const char *service = gensec_get_target_service(gensec_security); const char *service = gensec_get_target_service(gensec_security);
const char *client_realm = cli_credentials_get_realm(cli_creds);
const char *server_realm = NULL;
gss_OID gss_oid_p = NULL; gss_OID gss_oid_p = NULL;
OM_uint32 time_req = 0; OM_uint32 time_req = 0;
OM_uint32 time_rec = 0; OM_uint32 time_rec = 0;
@ -457,6 +455,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
switch (gensec_security->gensec_role) { switch (gensec_security->gensec_role) {
case GENSEC_CLIENT: case GENSEC_CLIENT:
{ {
const char *client_realm = NULL;
#ifdef SAMBA4_USES_HEIMDAL #ifdef SAMBA4_USES_HEIMDAL
struct gsskrb5_send_to_kdc send_to_kdc; struct gsskrb5_send_to_kdc send_to_kdc;
krb5_error_code ret; krb5_error_code ret;
@ -532,6 +531,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
* transitive forest trusts, would have to do the * transitive forest trusts, would have to do the
* fallback ourself. * fallback ourself.
*/ */
client_realm = cli_credentials_get_realm(cli_creds);
#ifndef SAMBA4_USES_HEIMDAL #ifndef SAMBA4_USES_HEIMDAL
if (gensec_gssapi_state->server_name == NULL) { if (gensec_gssapi_state->server_name == NULL) {
nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
@ -575,6 +575,8 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
} }
#endif /* !SAMBA4_USES_HEIMDAL */ #endif /* !SAMBA4_USES_HEIMDAL */
if (gensec_gssapi_state->server_name == NULL) { if (gensec_gssapi_state->server_name == NULL) {
const char *server_realm = NULL;
server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state, server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
hostname, hostname,
client_realm); client_realm);