diff options
author | Andrew Bartlett <abartlet@samba.org> | 2006-09-22 18:39:49 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:19:14 -0500 |
commit | 83558e822b9b1ea64ae89b77b2d815d19211d996 (patch) | |
tree | 2d627bc8675ab721d55b822bbdd7934ec00f6b5c /source4/heimdal/lib/krb5 | |
parent | daf51dfe26378e80d14c0b608c70a41b7e017e69 (diff) | |
download | samba-83558e822b9b1ea64ae89b77b2d815d19211d996.tar.gz samba-83558e822b9b1ea64ae89b77b2d815d19211d996.tar.bz2 samba-83558e822b9b1ea64ae89b77b2d815d19211d996.zip |
r18826: Allow 'enterprise' principal names to log in.
These principals do not need to be in the same realm as the rest of
the ticket, the full principal name is in the first componet of the
ASN.1.
Samba4's backend will handle getting this to the 'right' place.
Andrew Bartlett
(This used to be commit 90b01b8af21609e2e5c8b6bd8cab8bd393844acf)
Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r-- | source4/heimdal/lib/krb5/asn1_glue.c | 20 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/get_in_tkt.c | 6 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5-private.h | 1 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/rd_cred.c | 5 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/rd_req.c | 12 |
5 files changed, 30 insertions, 14 deletions
diff --git a/source4/heimdal/lib/krb5/asn1_glue.c b/source4/heimdal/lib/krb5/asn1_glue.c index 01b5d3ee44..8f7b886e80 100644 --- a/source4/heimdal/lib/krb5/asn1_glue.c +++ b/source4/heimdal/lib/krb5/asn1_glue.c @@ -47,13 +47,23 @@ _krb5_principal2principalname (PrincipalName *p, } krb5_error_code KRB5_LIB_FUNCTION -_krb5_principalname2krb5_principal (krb5_principal *principal, +_krb5_principalname2krb5_principal (krb5_context context, + krb5_principal *principal, const PrincipalName from, const Realm realm) { - krb5_principal p = malloc(sizeof(*p)); - copy_PrincipalName(&from, &p->name); - p->realm = strdup(realm); - *principal = p; + if (from.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) { + if (from.name_string.len != 1) { + return KRB5_PARSE_MALFORMED; + } + return krb5_parse_name(context, + from.name_string.val[0], + principal); + } else { + krb5_principal p = malloc(sizeof(*p)); + copy_PrincipalName(&from, &p->name); + p->realm = strdup(realm); + *principal = p; + } return 0; } diff --git a/source4/heimdal/lib/krb5/get_in_tkt.c b/source4/heimdal/lib/krb5/get_in_tkt.c index 24d6c29f52..5c488d1ddc 100644 --- a/source4/heimdal/lib/krb5/get_in_tkt.c +++ b/source4/heimdal/lib/krb5/get_in_tkt.c @@ -137,7 +137,8 @@ _krb5_extract_ticket(krb5_context context, time_t tmp_time; krb5_timestamp sec_now; - ret = _krb5_principalname2krb5_principal (&tmp_principal, + ret = _krb5_principalname2krb5_principal (context, + &tmp_principal, rep->kdc_rep.cname, rep->kdc_rep.crealm); if (ret) @@ -170,7 +171,8 @@ _krb5_extract_ticket(krb5_context context, /* compare server */ - ret = _krb5_principalname2krb5_principal (&tmp_principal, + ret = _krb5_principalname2krb5_principal (context, + &tmp_principal, rep->kdc_rep.ticket.sname, rep->kdc_rep.ticket.realm); if (ret) diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h index 17b282f1d8..9ba288e22b 100644 --- a/source4/heimdal/lib/krb5/krb5-private.h +++ b/source4/heimdal/lib/krb5/krb5-private.h @@ -372,6 +372,7 @@ _krb5_principal2principalname ( krb5_error_code KRB5_LIB_FUNCTION _krb5_principalname2krb5_principal ( + krb5_context /* context */, krb5_principal */*principal*/, const PrincipalName /*from*/, const Realm /*realm*/); diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c index 520b3a1418..01b5188bae 100644 --- a/source4/heimdal/lib/krb5/rd_cred.c +++ b/source4/heimdal/lib/krb5/rd_cred.c @@ -265,7 +265,7 @@ krb5_rd_cred(krb5_context context, krb5_abortx(context, "internal error in ASN.1 encoder"); copy_EncryptionKey (&kci->key, &creds->session); if (kci->prealm && kci->pname) - _krb5_principalname2krb5_principal (&creds->client, + _krb5_principalname2krb5_principal (context, &creds->client, *kci->pname, *kci->prealm); if (kci->flags) @@ -279,7 +279,8 @@ krb5_rd_cred(krb5_context context, if (kci->renew_till) creds->times.renew_till = *kci->renew_till; if (kci->srealm && kci->sname) - _krb5_principalname2krb5_principal (&creds->server, + _krb5_principalname2krb5_principal (context, + &creds->server, *kci->sname, *kci->srealm); if (kci->caddr) diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c index 0d4635b964..c0bb710a59 100644 --- a/source4/heimdal/lib/krb5/rd_req.c +++ b/source4/heimdal/lib/krb5/rd_req.c @@ -376,10 +376,12 @@ krb5_verify_ap_req2(krb5_context context, if(ret) goto out; - ret = _krb5_principalname2krb5_principal(&t->server, ap_req->ticket.sname, + ret = _krb5_principalname2krb5_principal(context, + &t->server, ap_req->ticket.sname, ap_req->ticket.realm); if (ret) goto out; - ret = _krb5_principalname2krb5_principal(&t->client, t->ticket.cname, + ret = _krb5_principalname2krb5_principal(context, + &t->client, t->ticket.cname, t->ticket.crealm); if (ret) goto out; @@ -400,10 +402,10 @@ krb5_verify_ap_req2(krb5_context context, krb5_principal p1, p2; krb5_boolean res; - _krb5_principalname2krb5_principal(&p1, + _krb5_principalname2krb5_principal(context, &p1, ac->authenticator->cname, ac->authenticator->crealm); - _krb5_principalname2krb5_principal(&p2, + _krb5_principalname2krb5_principal(context, &p2, t->ticket.cname, t->ticket.crealm); res = krb5_principal_compare (context, p1, p2); @@ -605,7 +607,7 @@ krb5_rd_req_return_keyblock(krb5_context context, return ret; if(server == NULL){ - _krb5_principalname2krb5_principal(&service, + _krb5_principalname2krb5_principal(context, &service, ap_req.ticket.sname, ap_req.ticket.realm); server = service; |