summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2011-03-25 12:36:14 +0100
committerStefan Metzmacher <metze@samba.org>2011-05-18 07:46:34 +0200
commit3797e465439ec146cde2b041a553c6dcf1eb9683 (patch)
treed382ddba75e3bba947f1301b7c17f1b564fa7c51 /source4
parentcc0ff48f28d13fd155489e08f75e64ff0e11b1de (diff)
downloadsamba-3797e465439ec146cde2b041a553c6dcf1eb9683.tar.gz
samba-3797e465439ec146cde2b041a553c6dcf1eb9683.tar.bz2
samba-3797e465439ec146cde2b041a553c6dcf1eb9683.zip
HEIMDAL:kdc: pass the correct principal name for the resulting service ticket
Depending on S4U2Proxy the principal name for the resulting ticket is not the principal of the client ticket. metze
Diffstat (limited to 'source4')
-rw-r--r--source4/heimdal/kdc/krb5tgs.c74
1 files changed, 36 insertions, 38 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 5cfe7c8791..522eeda71b 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1465,10 +1465,9 @@ tgs_build_reply(krb5_context context,
const struct sockaddr *from_addr)
{
krb5_error_code ret;
- krb5_principal cp = NULL, sp = NULL;
- krb5_principal client_principal = NULL;
+ krb5_principal cp = NULL, sp = NULL, tp = NULL;
krb5_principal krbtgt_principal = NULL;
- char *spn = NULL, *cpn = NULL;
+ char *spn = NULL, *cpn = NULL, *tpn = NULL;
hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
HDB *clientdb, *s4u2self_impersonated_clientdb;
krb5_realm ref_realm = NULL;
@@ -1720,16 +1719,16 @@ server_lookup:
krb5_free_principal(context, krbtgt_principal);
if (ret) {
krb5_error_code ret2;
- char *tpn, *tpn2;
- ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
- ret2 = krb5_unparse_name(context, krbtgt->entry.principal, &tpn2);
+ char *ktpn, *ktpn2;
+ ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
+ ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
kdc_log(context, config, 0,
"Request with wrong krbtgt: %s, %s not found in our database",
- (ret == 0) ? tpn : "<unknown>", (ret2 == 0) ? tpn2 : "<unknown>");
+ (ret == 0) ? ktpn : "<unknown>", (ret2 == 0) ? ktpn2 : "<unknown>");
if(ret == 0)
- free(tpn);
+ free(ktpn);
if(ret2 == 0)
- free(tpn2);
+ free(ktpn2);
ret = KRB5KRB_AP_ERR_NOT_US;
goto out;
}
@@ -1741,13 +1740,13 @@ server_lookup:
* this) before the strcmp() */
if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
- char *tpn;
- ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &tpn);
+ char *ktpn;
+ ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
kdc_log(context, config, 0,
"Request with wrong krbtgt: %s",
- (ret == 0) ? tpn : "<unknown>");
+ (ret == 0) ? ktpn : "<unknown>");
if(ret == 0)
- free(tpn);
+ free(ktpn);
ret = KRB5KRB_AP_ERR_NOT_US;
}
@@ -1824,7 +1823,9 @@ server_lookup:
* Process request
*/
- client_principal = cp;
+ /* by default the tgt principal matches the client principal */
+ tp = cp;
+ tpn = cpn;
if (client) {
const PA_DATA *sdata;
@@ -1835,7 +1836,6 @@ server_lookup:
krb5_crypto crypto;
krb5_data datack;
PA_S4U2Self self;
- char *selfcpn = NULL;
const char *str;
ret = decode_PA_S4U2Self(sdata->padata_value.data,
@@ -1878,14 +1878,14 @@ server_lookup:
}
ret = _krb5_principalname2krb5_principal(context,
- &client_principal,
+ &tp,
self.name,
self.realm);
free_PA_S4U2Self(&self);
if (ret)
goto out;
- ret = krb5_unparse_name(context, client_principal, &selfcpn);
+ ret = krb5_unparse_name(context, tp, &tpn);
if (ret)
goto out;
@@ -1893,7 +1893,7 @@ server_lookup:
if(rspac.data) {
krb5_pac p = NULL;
krb5_data_free(&rspac);
- ret = _kdc_db_fetch(context, config, client_principal, HDB_F_GET_CLIENT | HDB_F_CANON,
+ ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | HDB_F_CANON,
NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
if (ret) {
const char *msg;
@@ -1907,14 +1907,16 @@ server_lookup:
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
msg = krb5_get_error_message(context, ret);
- kdc_log(context, config, 1, "S2U4Self principal to impersonate %s not found in database: %s", cpn, msg);
+ kdc_log(context, config, 1,
+ "S2U4Self principal to impersonate %s not found in database: %s",
+ tpn, msg);
krb5_free_error_message(context, msg);
goto out;
}
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
if (ret) {
kdc_log(context, config, 0, "PAC generation failed for -- %s",
- selfcpn);
+ tpn);
goto out;
}
if (p != NULL) {
@@ -1925,7 +1927,7 @@ server_lookup:
krb5_pac_free(context, p);
if (ret) {
kdc_log(context, config, 0, "PAC signing failed for -- %s",
- selfcpn);
+ tpn);
goto out;
}
}
@@ -1940,8 +1942,7 @@ server_lookup:
kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
"to impersonate to service "
"(tried for user %s to service %s)",
- cpn, selfcpn, spn);
- free(selfcpn);
+ cpn, tpn, spn);
goto out;
}
@@ -1957,8 +1958,7 @@ server_lookup:
str = "";
}
kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
- "service %s %s", cpn, selfcpn, spn, str);
- free(selfcpn);
+ "service %s %s", cpn, tpn, spn, str);
}
}
@@ -1974,7 +1974,6 @@ server_lookup:
int ad_signedpath = 0;
Key *clientkey;
Ticket *t;
- char *str;
/*
* Require that the KDC have issued the service's krbtgt (not
@@ -2024,19 +2023,18 @@ server_lookup:
}
ret = _krb5_principalname2krb5_principal(context,
- &client_principal,
+ &tp,
adtkt.cname,
adtkt.crealm);
if (ret)
goto out;
- ret = krb5_unparse_name(context, client_principal, &str);
+ ret = krb5_unparse_name(context, tp, &tpn);
if (ret)
goto out;
- ret = verify_flags(context, config, &adtkt, str);
+ ret = verify_flags(context, config, &adtkt, tpn);
if (ret) {
- free(str);
goto out;
}
@@ -2046,7 +2044,7 @@ server_lookup:
ret = check_KRB5SignedPath(context,
config,
krbtgt,
- cp,
+ tp,
&adtkt,
NULL,
&ad_signedpath);
@@ -2058,15 +2056,13 @@ server_lookup:
"KRB5SignedPath check from service %s failed "
"for delegation to %s for client %s "
"from %s failed with %s",
- spn, str, cpn, from, msg);
+ spn, tpn, cpn, from, msg);
krb5_free_error_message(context, msg);
- free(str);
goto out;
}
kdc_log(context, config, 0, "constrained delegation for %s "
- "from %s to %s", str, cpn, spn);
- free(str);
+ "from %s to %s", tpn, cpn, spn);
}
/*
@@ -2137,7 +2133,7 @@ server_lookup:
ret = tgs_make_reply(context,
config,
b,
- client_principal,
+ tp,
tgt,
replykey,
rk_is_subkey,
@@ -2159,6 +2155,8 @@ server_lookup:
reply);
out:
+ if (tpn != cpn)
+ free(tpn);
free(spn);
free(cpn);
@@ -2173,8 +2171,8 @@ out:
if(s4u2self_impersonated_client)
_kdc_free_ent(context, s4u2self_impersonated_client);
- if (client_principal && client_principal != cp)
- krb5_free_principal(context, client_principal);
+ if (tp && tp != cp)
+ krb5_free_principal(context, tp);
if (cp)
krb5_free_principal(context, cp);
if (sp)