summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-11-16 09:29:18 +1100
committerAndrew Bartlett <abartlet@samba.org>2010-11-15 23:17:05 +0000
commit4041640bd6d7f8747c8229b02dbb847056bdaa35 (patch)
tree8774844573f614c55518b1862ed9c4f06ab30ca6
parent2b7730d291c49a427135ddf62c3aa2ff4b7997e7 (diff)
downloadsamba-4041640bd6d7f8747c8229b02dbb847056bdaa35.tar.gz
samba-4041640bd6d7f8747c8229b02dbb847056bdaa35.tar.bz2
samba-4041640bd6d7f8747c8229b02dbb847056bdaa35.zip
heimdal Fetch the client before the PAC check, but after obtaining krbtgt_out
By checking the client principal here, we compare the realm based on the normalised realm, but do so early enough to validate the PAC (and regenerate it if required). Andrew Bartlett
-rw-r--r--source4/heimdal/kdc/krb5tgs.c61
1 files changed, 30 insertions, 31 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 9131e5baf0..26e3936fe7 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1637,37 +1637,6 @@ server_lookup:
goto out;
}
- ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
- NULL, &clientdb, &client);
- if(ret == HDB_ERR_NOT_FOUND_HERE) {
- kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", cp);
- goto out;
- } else if(ret){
- const char *krbtgt_realm, *msg;
-
- /*
- * If the client belongs to the same realm as our krbtgt, it
- * should exist in the local database.
- *
- */
-
- krbtgt_realm =
- krb5_principal_get_comp_string(context,
- krbtgt->entry.principal, 1);
-
- if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
- if (ret == HDB_ERR_NOENTRY)
- ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
- kdc_log(context, config, 1, "Client no longer in database: %s",
- cpn);
- goto out;
- }
-
- msg = krb5_get_error_message(context, ret);
- kdc_log(context, config, 1, "Client not found in database: %s", msg);
- krb5_free_error_message(context, msg);
- }
-
/*
* Select enctype, return key and kvno.
*/
@@ -1788,6 +1757,36 @@ server_lookup:
goto out;
}
+ ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
+ NULL, &clientdb, &client);
+ if(ret == HDB_ERR_NOT_FOUND_HERE) {
+ /* This is OK, we are just trying to find out if they have
+ * been disabled or deleted in the meantime, missing secrets
+ * is OK */
+ } else if(ret){
+ const char *krbtgt_realm, *msg;
+
+ /*
+ * If the client belongs to the same realm as our krbtgt, it
+ * should exist in the local database.
+ *
+ */
+
+ krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
+
+ if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
+ if (ret == HDB_ERR_NOENTRY)
+ ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ kdc_log(context, config, 1, "Client no longer in database: %s",
+ cpn);
+ goto out;
+ }
+
+ msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 1, "Client not found in database: %s", msg);
+ krb5_free_error_message(context, msg);
+ }
+
ret = check_PAC(context, config, cp,
client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key,
tgt, &rspac, &signedpath);