authorAndrew Bartlett <abartlet@samba.org>2010-11-16 14:16:31 +1100
committerAndrew Bartlett <abartlet@samba.org>2010-11-16 15:30:13 +1100
commitd76f11a8bd685517b0e5a3be4684bec41af9e822 (patch)
tree1e102e7e2fc95e663fe13b380bacf62bb5ff3caa
parent5c72c6b760af479b3e88b10cce713025528496c3 (diff)
s4-kdc Fix the realm handling again, this time pay attention to the flags
The KDC sets different flags for the AS-REQ (this is client-dependent) and the TGS-REQ to determine if the realm should be forced to the canonical value. If we do this always, or do this never, we get into trouble, so it's much better to honour the flags we are given. Andrew Bartlett
-rw-r--r--source4/kdc/db-glue.c40
1 files changed, 20 insertions, 20 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 28837f6df0..b062282c28 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1113,7 +1113,6 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
* krbtgt */
int lret;
- char *realm_fixed;
if (krbtgt_number == kdc_db_ctx->my_krbtgt_number) {
lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
@@ -1147,31 +1146,32 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
return HDB_ERR_NOENTRY;
}
- realm_fixed = strupper_talloc(mem_ctx, lpcfg_realm(lp_ctx));
- if (!realm_fixed) {
- ret = ENOMEM;
- krb5_set_error_message(context, ret, "strupper_talloc: out of memory");
- return ret;
- }
-
- ret = krb5_copy_principal(context, principal, &alloc_principal);
- if (ret) {
- return ret;
- }
+ if (flags & HDB_F_CANON) {
+ ret = krb5_copy_principal(context, principal, &alloc_principal);
+ if (ret) {
+ return ret;
+ }
- free(alloc_principal->name.name_string.val[1]);
- alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
- talloc_free(realm_fixed);
- if (!alloc_principal->name.name_string.val[1]) {
- ret = ENOMEM;
- krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
- return ret;
+ /* When requested to do so, ensure that the
+ * both realm values in the principal are set
+ * to the upper case, canonical realm */
+ free(alloc_principal->name.name_string.val[1]);
+ alloc_principal->name.name_string.val[1] = strdup(lpcfg_realm(lp_ctx));
+ if (!alloc_principal->name.name_string.val[1]) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
+ return ret;
+ }
+ principal = alloc_principal;
}
- principal = alloc_principal;
ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
principal, SAMBA_KDC_ENT_TYPE_KRBTGT,
flags, realm_dn, msg, entry_ex);
+ if (flags & HDB_F_CANON) {
+ /* This is again copied in the message2entry call */
+ krb5_free_principal(context, alloc_principal);
+ }
if (ret != 0) {
krb5_warnx(context, "samba_kdc_fetch: self krbtgt message2entry failed");
}
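Review bot: The `strdup()` failure branch inside the new `if (flags & HDB_F_CANON)` block returns with `alloc_principal` still allocated, because the `krb5_free_principal()` this commit adds is only reached after `samba_kdc_message2entry()`; add `krb5_free_principal(context, alloc_principal);` before that `return ret;`. The new comment says "both realm values" are set to the upper-case canonical realm, but the visible lines rewrite only `name.name_string.val[1]`, and with `strupper_talloc()` removed the case now depends entirely on what `lpcfg_realm()` returns. I would reword it to `/* When HDB_F_CANON is set, replace the realm component of the krbtgt name with the configured realm */`, or state where the second value is set if that happens elsewhere. The write to `val[1]` assumes a two-component name, which is presumably checked earlier in `samba_kdc_fetch_krbtgt`, whose body starts and ends outside this hunk.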