From ddef0e5e1f63775cd22ee3b3febc6f765abbebf8 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Thu, 21 Sep 2023 11:14:36 +1200
Subject: [PATCH] =?UTF-8?q?s4:kdc:=20Consider=20a=20single=E2=80=90compone?=
 =?UTF-8?q?nt=20krbtgt=20principal=20to=20be=20the=20TGS?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This matches the behaviour of Windows.

NOTE: This commit finally works again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 lib/krb5_wrap/krb5_samba.c | 7 +++++--
 selftest/knownfail_heimdal_kdc | 11 -----------
 selftest/knownfail_mit_kdc_1_20 | 5 -----
 source4/kdc/db-glue.c | 2 +-
 4 files changed, 6 insertions(+), 19 deletions(-)

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 80c9f747e1d..116f916234d 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -3454,6 +3454,10 @@ int smb_krb5_principal_is_tgs(krb5_context context,
 int eq = 1;
 krb5_error_code ret = 0;

+ if (krb5_princ_size(context, principal) > 2) {
+ return 0;
+ }
+
 ret = smb_krb5_principal_get_comp_string(NULL, context, principal, 0, &p);
 if (ret == ENOENT) {
 return 0;
@@ -3461,8 +3465,7 @@ int smb_krb5_principal_is_tgs(krb5_context context,
 return -1;
 }

- eq = krb5_princ_size(context, principal) == 2 &&
- (strcmp(p, KRB5_TGS_NAME) == 0);
+ eq = strcmp(p, KRB5_TGS_NAME) == 0;

 talloc_free(p);

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 8b0e09fceb5..d59a8cff84d 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
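Review bot: Nothing at the new `krb5_princ_size(context, principal) > 2` guard in lib/krb5_wrap/krb5_samba.c says which name shapes are accepted. Together with the relaxed comparison in the second hunk, the function now answers true for a bare `krbtgt` as well as `krbtgt/<realm>`, and it never inspects the second component. A comment above the guard such as `/* The TGS is "krbtgt" or "krbtgt/<realm>"; a name with more components is never the TGS. */` would make that contract explicit for callers that go on to read component 1. The function also returns -1 on a lookup failure, which is truthy, so a caller that tests the result as a boolean would treat an error as a TGS match; callers are not visible here, so this is worth confirming. The function body starts and ends outside both hunks.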
@@ -135,14 +135,3 @@
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_network_group\(ad_dc\)$
-#
-# Singleā€component krbtgt principal tests
-#
-^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2003dc\)$
-^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2008r2dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_as_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_tgs_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_as_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_tgs_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_service_ticket\(ad_dc\)$
-^samba\.tests\.krb5\.kpasswd_tests\.samba\.tests\.krb5\.kpasswd_tests\.KpasswdTests\.test_kpasswd_tgt_single_component_krbtgt\(ad_dc\)$
diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20
index aaef3a35a9c..a28c3f521f5 100644
--- a/selftest/knownfail_mit_kdc_1_20
+++ b/selftest/knownfail_mit_kdc_1_20
@@ -132,11 +132,6 @@
 #
 # Singleā€component krbtgt principal tests
 #
-^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2003dc\)$
-^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2008r2dc\)$
 ^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_as_req\(ad_dc\)$
 ^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_tgs_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_as_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_tgs_req\(ad_dc\)$
 ^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_service_ticket\(ad_dc\)$
-^samba\.tests\.krb5\.kpasswd_tests\.samba\.tests\.krb5\.kpasswd_tests\.KpasswdTests\.test_kpasswd_tgt_single_component_krbtgt\(ad_dc\)$
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 29b60a663c7..af69ee86aac 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2488,7 +2488,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 }

 if (lpcfg_is_my_domain_or_realm(lp_ctx, realm_from_princ)
- && lpcfg_is_my_domain_or_realm(lp_ctx, realm_princ_comp)) {
+ && (realm_princ_comp == NULL || lpcfg_is_my_domain_or_realm(lp_ctx, realm_princ_comp))) {
 /* us, or someone quite like us */
 /* Kludge, kludge, kludge. If the realm part of krbtgt/realm,
 * is in our db, then direct the caller at our primary
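Review bot: The `realm_princ_comp == NULL` test in source4/kdc/db-glue.c guards only this one condition. When `realm_from_princ` is not our realm, a single-component krbtgt principal still falls through to the code after this `if` with a NULL realm component. That path is outside the hunk and should be confirmed to tolerate NULL before it compares or logs the value. The comment just below still describes only the `krbtgt/realm` form, so I would add `/* A bare "krbtgt" with no realm component is treated as our own krbtgt. */` above the condition. The enclosing function starts and ends outside the hunk.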