author | Andrew Bartlett <abartlet@samba.org> | 2010-11-16 14:16:31 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-11-16 15:30:13 +1100 |
commit | d76f11a8bd685517b0e5a3be4684bec41af9e822 (patch) | |
tree | 1e102e7e2fc95e663fe13b380bacf62bb5ff3caa | |
parent | 5c72c6b760af479b3e88b10cce713025528496c3 (diff) | |
s4-kdc Fix the realm handling again, this time pay attention to the flags
The KDC sets different flags for the AS-REQ (this is client-dependent)
and the TGS-REQ to determine if the realm should be forced to the
canonical value. If we do this always, or do this never, we get into
trouble, so it's much better to honour the flags we are given.
Andrew Bartlett
-rw-r--r-- | source4/kdc/db-glue.c | 40 |
1 files changed, 20 insertions, 20 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 28837f6df0..b062282c28 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1113,7 +1113,6 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 * krbtgt */
 int lret;
- char *realm_fixed;
 if (krbtgt_number == kdc_db_ctx->my_krbtgt_number) {
 lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
@@ -1147,31 +1146,32 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 return HDB_ERR_NOENTRY;
 }
- realm_fixed = strupper_talloc(mem_ctx, lpcfg_realm(lp_ctx));
- if (!realm_fixed) {
- ret = ENOMEM;
- krb5_set_error_message(context, ret, "strupper_talloc: out of memory");
- return ret;
- }
-
- ret = krb5_copy_principal(context, principal, &alloc_principal);
- if (ret) {
- return ret;
- }
+ if (flags & HDB_F_CANON) {
+ ret = krb5_copy_principal(context, principal, &alloc_principal);
+ if (ret) {
+ return ret;
+ }
- free(alloc_principal->name.name_string.val[1]);
- alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
- talloc_free(realm_fixed);
- if (!alloc_principal->name.name_string.val[1]) {
- ret = ENOMEM;
- krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
- return ret;
+ /* When requested to do so, ensure that the
+ * both realm values in the principal are set
+ * to the upper case, canonical realm */
+ free(alloc_principal->name.name_string.val[1]);
+ alloc_principal->name.name_string.val[1] = strdup(lpcfg_realm(lp_ctx));
+ if (!alloc_principal->name.name_string.val[1]) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
+ return ret;
+ }
+ principal = alloc_principal;
 }
- principal = alloc_principal;
 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx, principal, SAMBA_KDC_ENT_TYPE_KRBTGT, flags, realm_dn, msg, entry_ex);
+ if (flags & HDB_F_CANON) {
+ /* This is again copied in the message2entry call */
+ krb5_free_principal(context, alloc_principal);
+ }
 if (ret != 0) {
 krb5_warnx(context, "samba_kdc_fetch: self krbtgt message2entry failed");
 }
 |
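Review bot: The `strdup()` failure branch inside the new `if (flags & HDB_F_CANON)` block returns ENOMEM without releasing `alloc_principal`, which `krb5_copy_principal()` allocated just above, so the copy leaks on that path; adding `krb5_free_principal(context, alloc_principal);` before that `return ret;` would close it. The new comment still promises an upper-case realm, but with `strupper_talloc()` removed the code copies `lpcfg_realm(lp_ctx)` verbatim, so the case guarantee now rests entirely on that accessor; a comment such as `/* lpcfg_realm() is expected to return the upper-cased realm */` would make the assumption visible to the next reader. The comment also says "both realm values" while only `name_string.val[1]` is rewritten here, so presumably the principal's realm field is handled in `samba_kdc_message2entry()`, which is worth stating. The write to `val[1]` depends on a two-component length check that is not visible in this hunk; `samba_kdc_fetch_krbtgt` starts and ends outside it.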