heimdal Fix handling of backwards cross-realm detection for Samba4

Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the prinicipal components. The easy way to keep this test passing is to consider also what we need to do to get the krbtgt account for the PAC signing - and to use krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use that resutl for realm comparion. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
author: Andrew Bartlett <abartlet@samba.org> 2010-11-15 18:43:51 +1100
committer: Andrew Bartlett <abartlet@samba.org> 2010-11-15 08:47:44 +0000
commit: 1e29ee3a70151ca830f5523834d1f669fd8d0a82 (patch)
tree: b8072e4e557b6c24fde4012e72381b692826889f /source4/heimdal
parent: 63583037842417f117f8f3db8f576e1e83d42522 (diff)
download: samba-1e29ee3a70151ca830f5523834d1f669fd8d0a82.tar.gz
samba-1e29ee3a70151ca830f5523834d1f669fd8d0a82.tar.bz2
samba-1e29ee3a70151ca830f5523834d1f669fd8d0a82.zip
1 files changed, 48 insertions, 18 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 60fb4dc2cd..9131e5baf0 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1465,6 +1465,7 @@ tgs_build_reply(krb5_context context,
     krb5_error_code ret;
     krb5_principal cp = NULL, sp = NULL;
     krb5_principal client_principal = NULL;
+    krb5_principal krbtgt_principal = NULL;
     char *spn = NULL, *cpn = NULL;
     hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
     HDB *clientdb, *s4u2self_impersonated_clientdb;
@@ -1715,21 +1716,6 @@ server_lookup:
      * backward.
      */
 
-    if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
-	       krb5_principal_get_comp_string(context,
-					      krbtgt->entry.principal,
-					      1)) != 0) {
-	char *tpn;
-	ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
-	kdc_log(context, config, 0,
-		"Request with wrong krbtgt: %s",
-		(ret == 0) ? tpn : "<unknown>");
-	if(ret == 0)
-	    free(tpn);
-	ret = KRB5KRB_AP_ERR_NOT_US;
-	goto out;
-    }
-
     /*
      * Validate authoriation data
      */
@@ -1742,14 +1728,58 @@ server_lookup:
 	goto out;
     }
 
-    /* Now refetch the krbtgt, but get the current kvno (the sign check may have been on an old kvno) */
-    ret = _kdc_db_fetch(context, config, krbtgt->entry.principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
+    /* Now refetch the primary krbtgt, and get the current kvno (the
+     * sign check may have been on an old kvno, and the server may
+     * have been an incoming trust) */
+    ret = krb5_make_principal(context, &krbtgt_principal, 
+			      krb5_principal_get_comp_string(context,
+							     krbtgt->entry.principal,
+							     1),
+			      KRB5_TGS_NAME, 
+			      krb5_principal_get_comp_string(context,
+							     krbtgt->entry.principal,
+							     1), NULL);
+    if(ret) {
+	kdc_log(context, config, 0,
+		    "Failed to generate krbtgt principal");
+	goto out;
+    }
+
+    ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
+    krb5_free_principal(context, krbtgt_principal);
     if (ret) {
+	krb5_error_code ret2;
+	char *tpn, *tpn2;
+	ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
+	ret2 = krb5_unparse_name(context, krbtgt->entry.principal, &tpn2);
 	kdc_log(context, config, 0,
-		    "Failed to find krbtgt in DB for krbtgt PAC signature");
+		"Request with wrong krbtgt: %s, %s not found in our database",
+		(ret == 0) ? tpn : "<unknown>", (ret2 == 0) ? tpn2 : "<unknown>");
+	if(ret == 0)
+	    free(tpn);
+	if(ret2 == 0)
+	    free(tpn2);
+	ret = KRB5KRB_AP_ERR_NOT_US;
 	goto out;
     }
 
+    /* The first realm is the realm of the service, the second is
+     * krbtgt/<this>/@REALM component of the krbtgt DN the request was
+     * encrypted to.  The redirection via the krbtgt_out entry allows
+     * the DB to possibly correct the case of the realm (Samba4 does
+     * this) before the strcmp() */
+    if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
+	       krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
+	char *tpn;
+	ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &tpn);
+	kdc_log(context, config, 0,
+		"Request with wrong krbtgt: %s",
+		(ret == 0) ? tpn : "<unknown>");
+	if(ret == 0)
+	    free(tpn);
+	ret = KRB5KRB_AP_ERR_NOT_US;
+    }
+
     ret = hdb_enctype2key(context, &krbtgt_out->entry,
 			  krbtgt_etype, &tkey_sign);
     if(ret) {
author	Andrew Bartlett <abartlet@samba.org>	2010-11-15 18:43:51 +1100
committer	Andrew Bartlett <abartlet@samba.org>	2010-11-15 08:47:44 +0000
commit	1e29ee3a70151ca830f5523834d1f669fd8d0a82 (patch)
tree	b8072e4e557b6c24fde4012e72381b692826889f /source4/heimdal
parent	63583037842417f117f8f3db8f576e1e83d42522 (diff)
download	samba-1e29ee3a70151ca830f5523834d1f669fd8d0a82.tar.gz samba-1e29ee3a70151ca830f5523834d1f669fd8d0a82.tar.bz2 samba-1e29ee3a70151ca830f5523834d1f669fd8d0a82.zip