authorAndrew Bartlett <abartlet@samba.org>2006-09-22 18:39:49 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:19:14 -0500
commit83558e822b9b1ea64ae89b77b2d815d19211d996 (patch)
tree2d627bc8675ab721d55b822bbdd7934ec00f6b5c
parentdaf51dfe26378e80d14c0b608c70a41b7e017e69 (diff)
r18826: Allow 'enterprise' principal names to log in.
These principals do not need to be in the same realm as the rest of the ticket; the full principal name is in the first component of the ASN.1. Samba4's backend will handle getting this to the 'right' place. Andrew Bartlett (This used to be commit 90b01b8af21609e2e5c8b6bd8cab8bd393844acf)
-rw-r--r--source4/heimdal/kdc/524.c4
-rw-r--r--source4/heimdal/kdc/kerberos4.c6
-rw-r--r--source4/heimdal/kdc/kerberos5.c14
-rw-r--r--source4/heimdal/lib/krb5/asn1_glue.c20
-rw-r--r--source4/heimdal/lib/krb5/get_in_tkt.c6
-rw-r--r--source4/heimdal/lib/krb5/krb5-private.h1
-rw-r--r--source4/heimdal/lib/krb5/rd_cred.c5
-rw-r--r--source4/heimdal/lib/krb5/rd_req.c12
8 files changed, 43 insertions, 25 deletions
diff --git a/source4/heimdal/kdc/524.c b/source4/heimdal/kdc/524.c
index 14969aaa52..d61b78d9b6 100644
--- a/source4/heimdal/kdc/524.c
+++ b/source4/heimdal/kdc/524.c
@@ -53,7 +53,7 @@ fetch_server (krb5_context context,
krb5_error_code ret;
krb5_principal sprinc;
- ret = _krb5_principalname2krb5_principal(&sprinc, t->sname, t->realm);
+ ret = _krb5_principalname2krb5_principal(context, &sprinc, t->sname, t->realm);
if (ret) {
kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
krb5_get_err_text(context, ret));
@@ -90,7 +90,7 @@ log_524 (krb5_context context,
char *cpn;
krb5_error_code ret;
- ret = _krb5_principalname2krb5_principal(&client, et->cname, et->crealm);
+ ret = _krb5_principalname2krb5_principal(context, &client, et->cname, et->crealm);
if (ret) {
kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
krb5_get_err_text (context, ret));
diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c
index 4ece1a47d6..d7a3a9cb69 100644
--- a/source4/heimdal/kdc/kerberos4.c
+++ b/source4/heimdal/kdc/kerberos4.c
@@ -655,7 +655,8 @@ _kdc_encode_v4_ticket(krb5_context context,
{
krb5_principal princ;
- _krb5_principalname2krb5_principal(&princ,
+ _krb5_principalname2krb5_principal(context,
+ &princ,
*service,
et->crealm);
ret = krb5_524_conv_principal(context,
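Review bot: The call on the `+` lines discards the return value, yet after this commit `_krb5_principalname2krb5_principal` can fail (`KRB5_PARSE_MALFORMED` when an enterprise name does not have exactly one component, or whatever `krb5_parse_name` returns), leaving `princ` uninitialized when `krb5_524_conv_principal` reads it. The same unchecked pattern is on the new side of the second kerberos4.c hunk, every `_kdc_as_rep` and `tgs_rep2` hunk in kerberos5.c, both rd_cred.c hunks and the last two rd_req.c hunks; in the KDC hunks the `PrincipalName` comes straight from the request, so a failure there should be reported as a malformed request instead of continuing with an unset principal. The change here is two lines: `ret = _krb5_principalname2krb5_principal(context, &princ, *service, et->crealm);` followed by `if (ret) return ret;` — a `ret` variable appears to exist in this function, judging by the `if(ret) return ret;` visible in the next hunk. `_kdc_encode_v4_ticket` begins and ends outside the hunk.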
@@ -667,7 +668,8 @@ _kdc_encode_v4_ticket(krb5_context context,
if(ret)
return ret;
- _krb5_principalname2krb5_principal(&princ,
+ _krb5_principalname2krb5_principal(context,
+ &princ,
et->cname,
et->crealm);
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 877b88c155..a73c2c10b3 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -869,7 +869,7 @@ _kdc_as_rep(krb5_context context,
ret = KRB5KRB_ERR_GENERIC;
e_text = "No server in request";
} else{
- _krb5_principalname2krb5_principal (&server_princ,
+ _krb5_principalname2krb5_principal (context, &server_princ,
*(b->sname), b->realm);
ret = krb5_unparse_name(context, server_princ, &server_name);
}
@@ -882,7 +882,7 @@ _kdc_as_rep(krb5_context context,
ret = KRB5KRB_ERR_GENERIC;
e_text = "No client in request";
} else {
- _krb5_principalname2krb5_principal (&client_princ,
+ _krb5_principalname2krb5_principal (context, &client_princ,
*(b->cname), b->realm);
ret = krb5_unparse_name(context, client_princ, &client_name);
}
@@ -1270,7 +1270,7 @@ _kdc_as_rep(krb5_context context,
if (f.request_anonymous)
make_anonymous_principalname (&rep.cname);
else
- _krb5_principal2principalname(&rep.cname,
+ _krb5_principal2principalname(&rep.cname,
client->entry.principal);
rep.ticket.tkt_vno = 5;
copy_Realm(&server->entry.principal->realm, &rep.ticket.realm);
@@ -2137,7 +2137,7 @@ tgs_rep2(krb5_context context,
goto out2;
}
- _krb5_principalname2krb5_principal(&princ,
+ _krb5_principalname2krb5_principal(context, &princ,
ap_req.ticket.sname,
ap_req.ticket.realm);
@@ -2340,7 +2340,7 @@ tgs_rep2(krb5_context context,
ret = KRB5KDC_ERR_POLICY;
goto out2;
}
- _krb5_principalname2krb5_principal(&p, t->sname, t->realm);
+ _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
ret = _kdc_db_fetch(context, config, p,
HDB_F_GET_CLIENT|HDB_F_GET_SERVER, &uu);
krb5_free_principal(context, p);
@@ -2364,11 +2364,11 @@ tgs_rep2(krb5_context context,
r = adtkt.crealm;
}
- _krb5_principalname2krb5_principal(&sp, *s, r);
+ _krb5_principalname2krb5_principal(context, &sp, *s, r);
ret = krb5_unparse_name(context, sp, &spn);
if (ret)
goto out;
- _krb5_principalname2krb5_principal(&cp, tgt->cname, tgt->crealm);
+ _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
ret = krb5_unparse_name(context, cp, &cpn);
if (ret)
goto out;
diff --git a/source4/heimdal/lib/krb5/asn1_glue.c b/source4/heimdal/lib/krb5/asn1_glue.c
index 01b5d3ee44..8f7b886e80 100644
--- a/source4/heimdal/lib/krb5/asn1_glue.c
+++ b/source4/heimdal/lib/krb5/asn1_glue.c
@@ -47,13 +47,23 @@ _krb5_principal2principalname (PrincipalName *p,
}
krb5_error_code KRB5_LIB_FUNCTION
-_krb5_principalname2krb5_principal (krb5_principal *principal,
+_krb5_principalname2krb5_principal (krb5_context context,
+ krb5_principal *principal,
const PrincipalName from,
const Realm realm)
{
- krb5_principal p = malloc(sizeof(*p));
- copy_PrincipalName(&from, &p->name);
- p->realm = strdup(realm);
- *principal = p;
+ if (from.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (from.name_string.len != 1) {
+ return KRB5_PARSE_MALFORMED;
+ }
+ return krb5_parse_name(context,
+ from.name_string.val[0],
+ principal);
+ } else {
+ krb5_principal p = malloc(sizeof(*p));
+ copy_PrincipalName(&from, &p->name);
+ p->realm = strdup(realm);
+ *principal = p;
+ }
return 0;
}
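Review bot: The non-enterprise branch on the new side still ignores the result of `malloc`, the return value of `copy_PrincipalName` and the result of `strdup`, so an allocation failure either dereferences NULL or hands the caller a principal with a NULL realm while the function reports 0. The enterprise branch never uses `realm`: the returned principal's realm is whatever `krb5_parse_name` derives from `name_string.val[0]` (or the library's default when the string carries no realm), and its name type is presumably no longer `KRB5_NT_ENTERPRISE_PRINCIPAL` unless `krb5_parse_name` preserves it — both are worth a comment on the function, e.g. `/* For enterprise names the realm argument is ignored; the realm comes from the name string itself. */`. The rewritten else branch below checks each allocation and unwinds on failure; `free_PrincipalName` is the generated ASN.1 destructor that pairs with `copy_PrincipalName`.
```c
    /* … unchanged: enterprise-name branch … */
    } else {
        krb5_principal p = malloc(sizeof(*p));
        if (p == NULL)
            return ENOMEM;
        krb5_error_code ret = copy_PrincipalName(&from, &p->name);
        if (ret) {
            free(p);
            return ret;
        }
        p->realm = strdup(realm);
        if (p->realm == NULL) {
            free_PrincipalName(&p->name);
            free(p);
            return ENOMEM;
        }
        *principal = p;
    }
    return 0;
```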
diff --git a/source4/heimdal/lib/krb5/get_in_tkt.c b/source4/heimdal/lib/krb5/get_in_tkt.c
index 24d6c29f52..5c488d1ddc 100644
--- a/source4/heimdal/lib/krb5/get_in_tkt.c
+++ b/source4/heimdal/lib/krb5/get_in_tkt.c
@@ -137,7 +137,8 @@ _krb5_extract_ticket(krb5_context context,
time_t tmp_time;
krb5_timestamp sec_now;
- ret = _krb5_principalname2krb5_principal (&tmp_principal,
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
rep->kdc_rep.cname,
rep->kdc_rep.crealm);
if (ret)
@@ -170,7 +171,8 @@ _krb5_extract_ticket(krb5_context context,
/* compare server */
- ret = _krb5_principalname2krb5_principal (&tmp_principal,
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
rep->kdc_rep.ticket.sname,
rep->kdc_rep.ticket.realm);
if (ret)
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index 17b282f1d8..9ba288e22b 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -372,6 +372,7 @@ _krb5_principal2principalname (
krb5_error_code KRB5_LIB_FUNCTION
_krb5_principalname2krb5_principal (
+ krb5_context /* context */,
krb5_principal */*principal*/,
const PrincipalName /*from*/,
const Realm /*realm*/);
diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c
index 520b3a1418..01b5188bae 100644
--- a/source4/heimdal/lib/krb5/rd_cred.c
+++ b/source4/heimdal/lib/krb5/rd_cred.c
@@ -265,7 +265,7 @@ krb5_rd_cred(krb5_context context,
krb5_abortx(context, "internal error in ASN.1 encoder");
copy_EncryptionKey (&kci->key, &creds->session);
if (kci->prealm && kci->pname)
- _krb5_principalname2krb5_principal (&creds->client,
+ _krb5_principalname2krb5_principal (context, &creds->client,
*kci->pname,
*kci->prealm);
if (kci->flags)
@@ -279,7 +279,8 @@ krb5_rd_cred(krb5_context context,
if (kci->renew_till)
creds->times.renew_till = *kci->renew_till;
if (kci->srealm && kci->sname)
- _krb5_principalname2krb5_principal (&creds->server,
+ _krb5_principalname2krb5_principal (context,
+ &creds->server,
*kci->sname,
*kci->srealm);
if (kci->caddr)
diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c
index 0d4635b964..c0bb710a59 100644
--- a/source4/heimdal/lib/krb5/rd_req.c
+++ b/source4/heimdal/lib/krb5/rd_req.c
@@ -376,10 +376,12 @@ krb5_verify_ap_req2(krb5_context context,
if(ret)
goto out;
- ret = _krb5_principalname2krb5_principal(&t->server, ap_req->ticket.sname,
+ ret = _krb5_principalname2krb5_principal(context,
+ &t->server, ap_req->ticket.sname,
ap_req->ticket.realm);
if (ret) goto out;
- ret = _krb5_principalname2krb5_principal(&t->client, t->ticket.cname,
+ ret = _krb5_principalname2krb5_principal(context,
+ &t->client, t->ticket.cname,
t->ticket.crealm);
if (ret) goto out;
@@ -400,10 +402,10 @@ krb5_verify_ap_req2(krb5_context context,
krb5_principal p1, p2;
krb5_boolean res;
- _krb5_principalname2krb5_principal(&p1,
+ _krb5_principalname2krb5_principal(context, &p1,
ac->authenticator->cname,
ac->authenticator->crealm);
- _krb5_principalname2krb5_principal(&p2,
+ _krb5_principalname2krb5_principal(context, &p2,
t->ticket.cname,
t->ticket.crealm);
res = krb5_principal_compare (context, p1, p2);
@@ -605,7 +607,7 @@ krb5_rd_req_return_keyblock(krb5_context context,
return ret;
if(server == NULL){
- _krb5_principalname2krb5_principal(&service,
+ _krb5_principalname2krb5_principal(context, &service,
ap_req.ticket.sname,
ap_req.ticket.realm);
server = service;