diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-11-15 18:43:51 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-11-15 08:47:44 +0000 |
commit | 1e29ee3a70151ca830f5523834d1f669fd8d0a82 (patch) | |
tree | b8072e4e557b6c24fde4012e72381b692826889f | |
parent | 63583037842417f117f8f3db8f576e1e83d42522 (diff) | |
download | samba-1e29ee3a70151ca830f5523834d1f669fd8d0a82.tar.gz samba-1e29ee3a70151ca830f5523834d1f669fd8d0a82.tar.bz2 samba-1e29ee3a70151ca830f5523834d1f669fd8d0a82.zip |
heimdal Fix handling of backwards cross-realm detection for Samba4
Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the prinicipal components.
The easy way to keep this test passing is to consider also what we
need to do to get the krbtgt account for the PAC signing - and to use
krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use
that resutl for realm comparion.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 66 |
1 files changed, 48 insertions, 18 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 60fb4dc2cd..9131e5baf0 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -1465,6 +1465,7 @@ tgs_build_reply(krb5_context context, krb5_error_code ret; krb5_principal cp = NULL, sp = NULL; krb5_principal client_principal = NULL; + krb5_principal krbtgt_principal = NULL; char *spn = NULL, *cpn = NULL; hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL; HDB *clientdb, *s4u2self_impersonated_clientdb; @@ -1715,21 +1716,6 @@ server_lookup: * backward. */ - if (strcmp(krb5_principal_get_realm(context, server->entry.principal), - krb5_principal_get_comp_string(context, - krbtgt->entry.principal, - 1)) != 0) { - char *tpn; - ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn); - kdc_log(context, config, 0, - "Request with wrong krbtgt: %s", - (ret == 0) ? tpn : "<unknown>"); - if(ret == 0) - free(tpn); - ret = KRB5KRB_AP_ERR_NOT_US; - goto out; - } - /* * Validate authoriation data */ @@ -1742,14 +1728,58 @@ server_lookup: goto out; } - /* Now refetch the krbtgt, but get the current kvno (the sign check may have been on an old kvno) */ - ret = _kdc_db_fetch(context, config, krbtgt->entry.principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out); + /* Now refetch the primary krbtgt, and get the current kvno (the + * sign check may have been on an old kvno, and the server may + * have been an incoming trust) */ + ret = krb5_make_principal(context, &krbtgt_principal, + krb5_principal_get_comp_string(context, + krbtgt->entry.principal, + 1), + KRB5_TGS_NAME, + krb5_principal_get_comp_string(context, + krbtgt->entry.principal, + 1), NULL); + if(ret) { + kdc_log(context, config, 0, + "Failed to generate krbtgt principal"); + goto out; + } + + ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out); + krb5_free_principal(context, krbtgt_principal); if (ret) { + krb5_error_code ret2; + char *tpn, *tpn2; + ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn); + ret2 = krb5_unparse_name(context, krbtgt->entry.principal, &tpn2); kdc_log(context, config, 0, - "Failed to find krbtgt in DB for krbtgt PAC signature"); + "Request with wrong krbtgt: %s, %s not found in our database", + (ret == 0) ? tpn : "<unknown>", (ret2 == 0) ? tpn2 : "<unknown>"); + if(ret == 0) + free(tpn); + if(ret2 == 0) + free(tpn2); + ret = KRB5KRB_AP_ERR_NOT_US; goto out; } + /* The first realm is the realm of the service, the second is + * krbtgt/<this>/@REALM component of the krbtgt DN the request was + * encrypted to. The redirection via the krbtgt_out entry allows + * the DB to possibly correct the case of the realm (Samba4 does + * this) before the strcmp() */ + if (strcmp(krb5_principal_get_realm(context, server->entry.principal), + krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) { + char *tpn; + ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &tpn); + kdc_log(context, config, 0, + "Request with wrong krbtgt: %s", + (ret == 0) ? tpn : "<unknown>"); + if(ret == 0) + free(tpn); + ret = KRB5KRB_AP_ERR_NOT_US; + } + ret = hdb_enctype2key(context, &krbtgt_out->entry, krbtgt_etype, &tkey_sign); if(ret) { |