
r19663: merge changes from lorikeet heimdal:

support for NetBIOS-domain-based realms

metze
This commit is contained in:
Stefan Metzmacher 2006-11-11 14:00:24 +00:00 committed by Gerald (Jerry) Carter
parent cfee02143f
commit dcec6eebf1


@ -131,12 +131,21 @@ _krb5_extract_ticket(krb5_context context,
krb5_const_pointer decryptarg) krb5_const_pointer decryptarg)
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_principal tmp_principal; krb5_principal tmp_principal, srv_principal = NULL;
int tmp; int tmp;
size_t len; size_t len;
time_t tmp_time; time_t tmp_time;
krb5_timestamp sec_now; krb5_timestamp sec_now;
/*
* HACK:
* this is really a ugly hack, to support using the Netbios Domain Name
* as realm against windows KDC's, they always return the full realm
* based on the DNS Name.
*/
allow_server_mismatch = 1;
ignore_cname = 1;
ret = _krb5_principalname2krb5_principal (context, ret = _krb5_principalname2krb5_principal (context,
&tmp_principal, &tmp_principal,
rep->kdc_rep.cname, rep->kdc_rep.cname,
@ -168,28 +177,6 @@ _krb5_extract_ticket(krb5_context context,
krb5_abortx(context, "internal error in ASN.1 encoder"); krb5_abortx(context, "internal error in ASN.1 encoder");
creds->second_ticket.length = 0; creds->second_ticket.length = 0;
creds->second_ticket.data = NULL; creds->second_ticket.data = NULL;
/* compare server */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
rep->kdc_rep.ticket.sname,
rep->kdc_rep.ticket.realm);
if (ret)
goto out;
if(allow_server_mismatch){
krb5_free_principal(context, creds->server);
creds->server = tmp_principal;
tmp_principal = NULL;
}else{
tmp = krb5_principal_compare (context, tmp_principal, creds->server);
krb5_free_principal (context, tmp_principal);
if (!tmp) {
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_clear_error_string (context);
goto out;
}
}
/* decrypt */ /* decrypt */
@ -207,6 +194,47 @@ _krb5_extract_ticket(krb5_context context,
goto out; goto out;
#endif #endif
/* compare server */
ret = _krb5_principalname2krb5_principal (context,
&srv_principal,
rep->kdc_rep.ticket.sname,
rep->kdc_rep.ticket.realm);
if (ret)
goto out;
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
rep->enc_part.sname,
rep->enc_part.srealm);
if (ret)
goto out;
/*
* see if the service principal matches in the ticket
* and in the enc_part
*/
tmp = krb5_principal_compare (context, tmp_principal, srv_principal);
krb5_free_principal (context, tmp_principal);
if (!tmp) {
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_clear_error_string (context);
goto out;
}
if(allow_server_mismatch){
krb5_free_principal(context, creds->server);
creds->server = srv_principal;
srv_principal = NULL;
}else{
tmp = krb5_principal_compare (context, srv_principal, creds->server);
if (!tmp) {
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_clear_error_string (context);
goto out;
}
}
/* compare nonces */ /* compare nonces */
if (nonce != rep->enc_part.nonce) { if (nonce != rep->enc_part.nonce) {
@ -301,6 +329,8 @@ _krb5_extract_ticket(krb5_context context,
out: out:
memset (rep->enc_part.key.keyvalue.data, 0, memset (rep->enc_part.key.keyvalue.data, 0,
rep->enc_part.key.keyvalue.length); rep->enc_part.key.keyvalue.length);
if (srv_principal)
krb5_free_principal (context, srv_principal);
return ret; return ret;
} }
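Review bot: The unconditional `allow_server_mismatch = 1;` and `ignore_cname = 1;` in the first hunk override whatever the caller passed for every KDC reply, not only the Windows NetBIOS-realm case the HACK comment describes, so the client-name check and the requested-server check are skipped for all realms. The new comparison of `rep->kdc_rep.ticket.sname` against `rep->enc_part.sname` in the third hunk still catches a tampered outer sname, but nothing any longer verifies that the service or client named in the reply is the one that was asked for; consider gating the override on the returned realm actually differing from the requested one (e.g. comparing `rep->kdc_rep.ticket.realm` with `krb5_principal_get_realm(context, creds->server)`) and leaving `ignore_cname` under caller control. At minimum the HACK comment should state the consequence, e.g. `/* NOTE: this disables the caller's server/client name checks for every realm, not just NetBIOS ones */`. `_krb5_extract_ticket` starts before the first hunk; only its closing brace is visible here.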