
auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison

This ensures that if an enterprise principal is used, we do the
comparison properly

This matters because the enterprise case, which can be triggered with MIT
kinit -E, does not use canonicalization, so the enterprise name (with
the @ in it) ends up in the PAC logon name.

Otherwise, we get errors like:
 Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andrew Bartlett 2015-03-11 15:57:06 +13:00 committed by Günther Deschner
parent 89099611fd
commit e48d136e3a


@ -106,7 +106,6 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
DATA_BLOB modified_pac_blob;
NTTIME tgs_authtime_nttime;
krb5_principal client_principal_pac = NULL;
int i;
struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
@ -357,28 +356,30 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
}
if (client_principal) {
ret = smb_krb5_parse_name_norealm(context,
logon_name->account_name,
&client_principal_pac);
char *client_principal_string;
ret = krb5_unparse_name_flags(context, client_principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM|KRB5_PRINCIPAL_UNPARSE_DISPLAY,
&client_principal_string);
if (ret) {
DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n",
DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n",
logon_name->account_name, error_message(ret)));
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_PARAMETER;
}
bool_ret = smb_krb5_principal_compare_any_realm(context,
client_principal,
client_principal_pac);
krb5_free_principal(context, client_principal_pac);
bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0;
if (!bool_ret) {
DEBUG(2, ("Name in PAC [%s] does not match principal name "
"in ticket\n", logon_name->account_name));
"in ticket [%s]\n",
logon_name->account_name,
client_principal_string));
SAFE_FREE(client_principal_string);
talloc_free(tmp_ctx);
return NT_STATUS_ACCESS_DENIED;
}
SAFE_FREE(client_principal_string);
}
DEBUG(3,("Found account name from PAC: %s [%s]\n",