diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-11-15 13:30:03 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-11-15 08:04:04 +0000 |
commit | 63583037842417f117f8f3db8f576e1e83d42522 (patch) | |
tree | b11c7d61703a41246dcaf9edcf7373dc65cc1f95 /source4 | |
parent | 1409c97899406d48f5b763fc88389bab11e379fc (diff) | |
download | samba-63583037842417f117f8f3db8f576e1e83d42522.tar.gz samba-63583037842417f117f8f3db8f576e1e83d42522.tar.bz2 samba-63583037842417f117f8f3db8f576e1e83d42522.zip |
s4-kdc Fix realm handling in our KDC
we should reset the realm part of the principal, but not the lowercase
realm embedded in the 'krbtgt/realm@REALM'.
Andrew Bartlett
Diffstat (limited to 'source4')
-rw-r--r-- | source4/kdc/db-glue.c | 44 |
1 files changed, 6 insertions, 38 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index eaa97e3a1d..1dec6a55c7 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -553,7 +553,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, unsigned int i; krb5_error_code ret = 0; krb5_boolean is_computer = FALSE; - char *realm = strupper_talloc(mem_ctx, lpcfg_realm(lp_ctx)); struct samba_kdc_entry *p; NTTIME acct_expiry; @@ -585,12 +584,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, memset(entry_ex, 0, sizeof(*entry_ex)); - if (!realm) { - ret = ENOMEM; - krb5_set_error_message(context, ret, "talloc_strdup: out of memory"); - goto out; - } - p = talloc(mem_ctx, struct samba_kdc_entry); if (!p) { ret = ENOMEM; @@ -618,7 +611,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal))); if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { - krb5_make_principal(context, &entry_ex->entry.principal, realm, samAccountName, NULL); + krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); } else { ret = copy_Principal(principal, entry_ex->entry.principal); if (ret) { @@ -633,7 +626,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, * we determine from our records */ /* this has to be with malloc() */ - krb5_principal_set_realm(context, entry_ex->entry.principal, realm); + krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx)); } /* First try and figure out the flags based on the userAccountControl */ @@ -662,7 +655,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, /* use 'kadmin' for now (needed by mit_samba) */ krb5_make_principal(context, &entry_ex->entry.created_by.principal, - realm, "kadmin", NULL); + lpcfg_realm(lp_ctx), "kadmin", NULL); entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event)); if (entry_ex->entry.modified_by == NULL) { @@ -676,7 +669,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, /* use 'kadmin' for now (needed by mit_samba) */ krb5_make_principal(context, &entry_ex->entry.modified_by->principal, - realm, "kadmin", NULL); + lpcfg_realm(lp_ctx), "kadmin", NULL); } @@ -826,7 +819,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, { struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx; const char *dnsdomain; - char *realm = strupper_talloc(mem_ctx, lpcfg_realm(lp_ctx)); + const char *realm = lpcfg_realm(lp_ctx); DATA_BLOB password_utf16; struct samr_Password password_hash; const struct ldb_val *password_val; @@ -872,7 +865,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, } else { /* OUTBOUND */ dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL); /* replace realm */ - talloc_free(realm); realm = strupper_talloc(mem_ctx, dnsdomain); password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing"); } @@ -1100,7 +1092,6 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, struct ldb_message *msg = NULL; struct ldb_dn *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb); - krb5_principal alloc_principal = NULL; if (principal->name.name_string.len != 2 || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) { /* Not a krbtgt */ @@ -1117,7 +1108,6 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, * krbtgt */ int lret; - char *realm_fixed; if (krbtgt_number == kdc_db_ctx->my_krbtgt_number) { lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, @@ -1151,28 +1141,6 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, return HDB_ERR_NOENTRY; } - realm_fixed = strupper_talloc(mem_ctx, lpcfg_realm(lp_ctx)); - if (!realm_fixed) { - ret = ENOMEM; - krb5_set_error_message(context, ret, "strupper_talloc: out of memory"); - return ret; - } - - ret = krb5_copy_principal(context, principal, &alloc_principal); - if (ret) { - return ret; - } - - free(alloc_principal->name.name_string.val[1]); - alloc_principal->name.name_string.val[1] = strdup(realm_fixed); - talloc_free(realm_fixed); - if (!alloc_principal->name.name_string.val[1]) { - ret = ENOMEM; - krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!"); - return ret; - } - principal = alloc_principal; - ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx, principal, SAMBA_KDC_ENT_TYPE_KRBTGT, realm_dn, msg, entry_ex); @@ -1235,7 +1203,6 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context, struct ldb_message **msg) { krb5_error_code ret; - const char *realm; if (principal->name.name_string.len >= 2) { /* 'normal server' case */ int ldb_ret; @@ -1274,6 +1241,7 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context, int lret; char *filter = NULL; char *short_princ; + const char *realm; /* server as client principal case, but we must not lookup userPrincipalNames */ *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb); realm = krb5_principal_get_realm(context, principal); |