summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/krb5
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-09-22 18:39:49 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:19:14 -0500
commit83558e822b9b1ea64ae89b77b2d815d19211d996 (patch)
tree2d627bc8675ab721d55b822bbdd7934ec00f6b5c /source4/heimdal/lib/krb5
parentdaf51dfe26378e80d14c0b608c70a41b7e017e69 (diff)
downloadsamba-83558e822b9b1ea64ae89b77b2d815d19211d996.tar.gz
samba-83558e822b9b1ea64ae89b77b2d815d19211d996.tar.bz2
samba-83558e822b9b1ea64ae89b77b2d815d19211d996.zip
r18826: Allow 'enterprise' principal names to log in.
These principals do not need to be in the same realm as the rest of the ticket, the full principal name is in the first componet of the ASN.1. Samba4's backend will handle getting this to the 'right' place. Andrew Bartlett (This used to be commit 90b01b8af21609e2e5c8b6bd8cab8bd393844acf)
Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r--source4/heimdal/lib/krb5/asn1_glue.c20
-rw-r--r--source4/heimdal/lib/krb5/get_in_tkt.c6
-rw-r--r--source4/heimdal/lib/krb5/krb5-private.h1
-rw-r--r--source4/heimdal/lib/krb5/rd_cred.c5
-rw-r--r--source4/heimdal/lib/krb5/rd_req.c12
5 files changed, 30 insertions, 14 deletions
diff --git a/source4/heimdal/lib/krb5/asn1_glue.c b/source4/heimdal/lib/krb5/asn1_glue.c
index 01b5d3ee44..8f7b886e80 100644
--- a/source4/heimdal/lib/krb5/asn1_glue.c
+++ b/source4/heimdal/lib/krb5/asn1_glue.c
@@ -47,13 +47,23 @@ _krb5_principal2principalname (PrincipalName *p,
}
krb5_error_code KRB5_LIB_FUNCTION
-_krb5_principalname2krb5_principal (krb5_principal *principal,
+_krb5_principalname2krb5_principal (krb5_context context,
+ krb5_principal *principal,
const PrincipalName from,
const Realm realm)
{
- krb5_principal p = malloc(sizeof(*p));
- copy_PrincipalName(&from, &p->name);
- p->realm = strdup(realm);
- *principal = p;
+ if (from.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (from.name_string.len != 1) {
+ return KRB5_PARSE_MALFORMED;
+ }
+ return krb5_parse_name(context,
+ from.name_string.val[0],
+ principal);
+ } else {
+ krb5_principal p = malloc(sizeof(*p));
+ copy_PrincipalName(&from, &p->name);
+ p->realm = strdup(realm);
+ *principal = p;
+ }
return 0;
}
diff --git a/source4/heimdal/lib/krb5/get_in_tkt.c b/source4/heimdal/lib/krb5/get_in_tkt.c
index 24d6c29f52..5c488d1ddc 100644
--- a/source4/heimdal/lib/krb5/get_in_tkt.c
+++ b/source4/heimdal/lib/krb5/get_in_tkt.c
@@ -137,7 +137,8 @@ _krb5_extract_ticket(krb5_context context,
time_t tmp_time;
krb5_timestamp sec_now;
- ret = _krb5_principalname2krb5_principal (&tmp_principal,
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
rep->kdc_rep.cname,
rep->kdc_rep.crealm);
if (ret)
@@ -170,7 +171,8 @@ _krb5_extract_ticket(krb5_context context,
/* compare server */
- ret = _krb5_principalname2krb5_principal (&tmp_principal,
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
rep->kdc_rep.ticket.sname,
rep->kdc_rep.ticket.realm);
if (ret)
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index 17b282f1d8..9ba288e22b 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -372,6 +372,7 @@ _krb5_principal2principalname (
krb5_error_code KRB5_LIB_FUNCTION
_krb5_principalname2krb5_principal (
+ krb5_context /* context */,
krb5_principal */*principal*/,
const PrincipalName /*from*/,
const Realm /*realm*/);
diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c
index 520b3a1418..01b5188bae 100644
--- a/source4/heimdal/lib/krb5/rd_cred.c
+++ b/source4/heimdal/lib/krb5/rd_cred.c
@@ -265,7 +265,7 @@ krb5_rd_cred(krb5_context context,
krb5_abortx(context, "internal error in ASN.1 encoder");
copy_EncryptionKey (&kci->key, &creds->session);
if (kci->prealm && kci->pname)
- _krb5_principalname2krb5_principal (&creds->client,
+ _krb5_principalname2krb5_principal (context, &creds->client,
*kci->pname,
*kci->prealm);
if (kci->flags)
@@ -279,7 +279,8 @@ krb5_rd_cred(krb5_context context,
if (kci->renew_till)
creds->times.renew_till = *kci->renew_till;
if (kci->srealm && kci->sname)
- _krb5_principalname2krb5_principal (&creds->server,
+ _krb5_principalname2krb5_principal (context,
+ &creds->server,
*kci->sname,
*kci->srealm);
if (kci->caddr)
diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c
index 0d4635b964..c0bb710a59 100644
--- a/source4/heimdal/lib/krb5/rd_req.c
+++ b/source4/heimdal/lib/krb5/rd_req.c
@@ -376,10 +376,12 @@ krb5_verify_ap_req2(krb5_context context,
if(ret)
goto out;
- ret = _krb5_principalname2krb5_principal(&t->server, ap_req->ticket.sname,
+ ret = _krb5_principalname2krb5_principal(context,
+ &t->server, ap_req->ticket.sname,
ap_req->ticket.realm);
if (ret) goto out;
- ret = _krb5_principalname2krb5_principal(&t->client, t->ticket.cname,
+ ret = _krb5_principalname2krb5_principal(context,
+ &t->client, t->ticket.cname,
t->ticket.crealm);
if (ret) goto out;
@@ -400,10 +402,10 @@ krb5_verify_ap_req2(krb5_context context,
krb5_principal p1, p2;
krb5_boolean res;
- _krb5_principalname2krb5_principal(&p1,
+ _krb5_principalname2krb5_principal(context, &p1,
ac->authenticator->cname,
ac->authenticator->crealm);
- _krb5_principalname2krb5_principal(&p2,
+ _krb5_principalname2krb5_principal(context, &p2,
t->ticket.cname,
t->ticket.crealm);
res = krb5_principal_compare (context, p1, p2);
@@ -605,7 +607,7 @@ krb5_rd_req_return_keyblock(krb5_context context,
return ret;
if(server == NULL){
- _krb5_principalname2krb5_principal(&service,
+ _krb5_principalname2krb5_principal(context, &service,
ap_req.ticket.sname,
ap_req.ticket.realm);
server = service;