summaryrefslogtreecommitdiff
path: root/source4/heimdal
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-11-15 18:43:51 +1100
committerAndrew Bartlett <abartlet@samba.org>2010-11-15 08:47:44 +0000
commit1e29ee3a70151ca830f5523834d1f669fd8d0a82 (patch)
treeb8072e4e557b6c24fde4012e72381b692826889f /source4/heimdal
parent63583037842417f117f8f3db8f576e1e83d42522 (diff)
downloadsamba-1e29ee3a70151ca830f5523834d1f669fd8d0a82.tar.gz
samba-1e29ee3a70151ca830f5523834d1f669fd8d0a82.tar.bz2
samba-1e29ee3a70151ca830f5523834d1f669fd8d0a82.zip
heimdal Fix handling of backwards cross-realm detection for Samba4
Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the prinicipal components. The easy way to keep this test passing is to consider also what we need to do to get the krbtgt account for the PAC signing - and to use krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use that resutl for realm comparion. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
Diffstat (limited to 'source4/heimdal')
-rw-r--r--source4/heimdal/kdc/krb5tgs.c66
1 files changed, 48 insertions, 18 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 60fb4dc2cd..9131e5baf0 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1465,6 +1465,7 @@ tgs_build_reply(krb5_context context,
krb5_error_code ret;
krb5_principal cp = NULL, sp = NULL;
krb5_principal client_principal = NULL;
+ krb5_principal krbtgt_principal = NULL;
char *spn = NULL, *cpn = NULL;
hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
HDB *clientdb, *s4u2self_impersonated_clientdb;
@@ -1715,21 +1716,6 @@ server_lookup:
* backward.
*/
- if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
- krb5_principal_get_comp_string(context,
- krbtgt->entry.principal,
- 1)) != 0) {
- char *tpn;
- ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
- kdc_log(context, config, 0,
- "Request with wrong krbtgt: %s",
- (ret == 0) ? tpn : "<unknown>");
- if(ret == 0)
- free(tpn);
- ret = KRB5KRB_AP_ERR_NOT_US;
- goto out;
- }
-
/*
* Validate authoriation data
*/
@@ -1742,14 +1728,58 @@ server_lookup:
goto out;
}
- /* Now refetch the krbtgt, but get the current kvno (the sign check may have been on an old kvno) */
- ret = _kdc_db_fetch(context, config, krbtgt->entry.principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
+ /* Now refetch the primary krbtgt, and get the current kvno (the
+ * sign check may have been on an old kvno, and the server may
+ * have been an incoming trust) */
+ ret = krb5_make_principal(context, &krbtgt_principal,
+ krb5_principal_get_comp_string(context,
+ krbtgt->entry.principal,
+ 1),
+ KRB5_TGS_NAME,
+ krb5_principal_get_comp_string(context,
+ krbtgt->entry.principal,
+ 1), NULL);
+ if(ret) {
+ kdc_log(context, config, 0,
+ "Failed to generate krbtgt principal");
+ goto out;
+ }
+
+ ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
+ krb5_free_principal(context, krbtgt_principal);
if (ret) {
+ krb5_error_code ret2;
+ char *tpn, *tpn2;
+ ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
+ ret2 = krb5_unparse_name(context, krbtgt->entry.principal, &tpn2);
kdc_log(context, config, 0,
- "Failed to find krbtgt in DB for krbtgt PAC signature");
+ "Request with wrong krbtgt: %s, %s not found in our database",
+ (ret == 0) ? tpn : "<unknown>", (ret2 == 0) ? tpn2 : "<unknown>");
+ if(ret == 0)
+ free(tpn);
+ if(ret2 == 0)
+ free(tpn2);
+ ret = KRB5KRB_AP_ERR_NOT_US;
goto out;
}
+ /* The first realm is the realm of the service, the second is
+ * krbtgt/<this>/@REALM component of the krbtgt DN the request was
+ * encrypted to. The redirection via the krbtgt_out entry allows
+ * the DB to possibly correct the case of the realm (Samba4 does
+ * this) before the strcmp() */
+ if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
+ krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
+ char *tpn;
+ ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &tpn);
+ kdc_log(context, config, 0,
+ "Request with wrong krbtgt: %s",
+ (ret == 0) ? tpn : "<unknown>");
+ if(ret == 0)
+ free(tpn);
+ ret = KRB5KRB_AP_ERR_NOT_US;
+ }
+
ret = hdb_enctype2key(context, &krbtgt_out->entry,
krbtgt_etype, &tkey_sign);
if(ret) {