diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2006-12-29 11:01:37 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:30:24 -0500 |
| commit | cb785a891bb4938692b45c78c921f75ed7ddbade (patch) | |
| tree | e1f3961716392cfb5524961e674eec4b59ec30fa | |
| parent | d97302d539e7747da28984880769d6cbf8b7357c (diff) | |
| download | samba-cb785a891bb4938692b45c78c921f75ed7ddbade.tar.gz samba-cb785a891bb4938692b45c78c921f75ed7ddbade.tar.bz2 samba-cb785a891bb4938692b45c78c921f75ed7ddbade.zip | |
r20406: Metze's change in -r 19662 broke Kerberos logins from Win2k3.
The reason is long and complex, but is due to forwardable tickets:
We would extract the forwardable ticket from the GSSAPI payload, and
look for the expiry time of the ticket for krbtgt/REALM@REALM.
However, with -r 19662 the ticket is given to the client as being for
krbtgt/realm@REALM, as it asked for a lower case realm. Heimdal is
case sensitive for realms, and bails out. (It should just not store
the forwarded ticket).
We need to co-ordinate changes in the KDC with relaxation of checks in
Heimdal, and a better kerberos behaviour testsuite.
Andrew Bartlett
(This used to be commit be4c1a36b0e31cbb680d55e8d933818dc3c7435b)
| -rw-r--r-- | source4/kdc/hdb-ldb.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c index f7bbbb9a9b..a05295205b 100644 --- a/source4/kdc/hdb-ldb.c +++ b/source4/kdc/hdb-ldb.c @@ -630,6 +630,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, struct ldb_message **realm_ref_msg = NULL; struct ldb_dn *realm_dn; + krb5_principal alloc_principal = NULL; if (principal->name.name_string.len != 2 || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) { /* Not a krbtgt */ @@ -640,6 +641,30 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) { /* us */ + /* Cludge, cludge cludge. If the realm part of krbtgt/realm, + * is in our db, then direct the caller at our primary + * krgtgt */ + + const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL); + char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain); + if (!realm_fixed) { + krb5_set_error_string(context, "strupper_talloc: out of memory"); + return ENOMEM; + } + + ret = krb5_copy_principal(context, principal, &alloc_principal); + if (ret) { + return ret; + } + + free(alloc_principal->name.name_string.val[1]); + alloc_principal->name.name_string.val[1] = strdup(realm_fixed); + talloc_free(realm_fixed); + if (!alloc_principal->name.name_string.val[1]) { + krb5_set_error_string(context, "LDB_fetch: strdup() failed!"); + return ENOMEM; + } + principal = alloc_principal; realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg[0], "nCName", NULL); } else { /* we should lookup trusted domains */ |