diff options
| author | Stefan Metzmacher <metze@samba.org> | 2006-11-11 12:52:04 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:25:26 -0500 |
| commit | 3ba2a9dfcf71b55e8bfe481395015ad666b4e12c (patch) | |
| tree | 1933800144b82ac8124b4d2124d8e486abe90474 /source4 | |
| parent | 71846e31fde5618d9ece84c471ffb499dae43cfe (diff) | |
| download | samba-3ba2a9dfcf71b55e8bfe481395015ad666b4e12c.tar.gz samba-3ba2a9dfcf71b55e8bfe481395015ad666b4e12c.tar.bz2 samba-3ba2a9dfcf71b55e8bfe481395015ad666b4e12c.zip | |
r19662: windows 2003 kdc's only rewrite the realm to the full form,
when the client is using the netbios domain name as realm.
we should match this and not rewrite the principal.
This matches what windows give:
metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator@SERNOXDOM4
administrator@SERNOXDOM4's Password:
metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist
Credentials cache: FILE:/tmp/krb5cc_10000
Principal: administrator@SERNOXDOM4.MX.BASE
Issued Expires Principal
Nov 11 13:37:52 Nov 11 23:37:52 krbtgt/SERNOXDOM4@SERNOXDOM4.MX.BASE
Note:
I need to disable the principal checks in heimdal's
_krb5_extract_ticket() for the kinit to work.
Any ideas how to change heimdal to support this.
For the service principal we should use
the realm and principal in req->kdc_rep.enc_part
instead of the unencrypted req->kdc.ticket.sname
and req->kdc.ticket.realm to have a trusted value.
I'm not sure what we can do with the client realm...
metze
(This used to be commit cfee02143f06ed6ff5832e95fa69634f5dd883da)
Diffstat (limited to 'source4')
| -rw-r--r-- | source4/kdc/hdb-ldb.c | 28 |
1 files changed, 1 insertions, 27 deletions
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c index 8fd69aecb1..00c89f9c0a 100644 --- a/source4/kdc/hdb-ldb.c +++ b/source4/kdc/hdb-ldb.c @@ -632,7 +632,6 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, struct ldb_message **realm_ref_msg = NULL; const struct ldb_dn *realm_dn; - krb5_principal alloc_principal = NULL; if (principal->name.name_string.len != 2 || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) { /* Not a krbtgt */ @@ -642,33 +641,8 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, /* krbtgt case. Either us or a trusted realm */ if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) { - /* us */ - /* Cludge, cludge cludge. If the realm part of krbtgt/realm, - * is in our db, then direct the caller at our primary - * krgtgt */ - - const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL); - char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain); - if (!realm_fixed) { - krb5_set_error_string(context, "strupper_talloc: out of memory"); - return ENOMEM; - } - - ret = krb5_copy_principal(context, principal, &alloc_principal); - if (ret) { - return ret; - } - - free(alloc_principal->name.name_string.val[1]); - alloc_principal->name.name_string.val[1] = strdup(realm_fixed); - talloc_free(realm_fixed); - if (!alloc_principal->name.name_string.val[1]) { - krb5_set_error_string(context, "LDB_fetch: strdup() failed!"); - return ENOMEM; - } - principal = alloc_principal; + /* us */ realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL); - } else { /* we should lookup trusted domains */ return HDB_ERR_NOENTRY; |