diff options
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 28 | ||||
-rw-r--r-- | source4/heimdal/kdc/misc.c | 22 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb.h | 6 | ||||
-rw-r--r-- | source4/kdc/hdb-samba4.c | 1 | ||||
-rwxr-xr-x | testprogs/blackbox/test_kinit.sh | 2 |
5 files changed, 35 insertions, 24 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index ac495b1ac7..e364dcc1d1 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -925,28 +925,12 @@ _kdc_as_rep(krb5_context context, ret = KRB5KRB_ERR_GENERIC; e_text = "No client in request"; } else { - - if (b->cname->name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) { - if (b->cname->name_string.len != 1) { - kdc_log(context, config, 0, - "AS-REQ malformed canon request from %s, " - "enterprise name with %d name components", - from, b->cname->name_string.len); - ret = KRB5_PARSE_MALFORMED; - goto out; - } - ret = krb5_parse_name(context, b->cname->name_string.val[0], - &client_princ); - if (ret) - goto out; - } else { - ret = _krb5_principalname2krb5_principal (context, - &client_princ, - *(b->cname), - b->realm); - if (ret) - goto out; - } + ret = _krb5_principalname2krb5_principal (context, + &client_princ, + *(b->cname), + b->realm); + if (ret) + goto out; ret = krb5_unparse_name(context, client_princ, &client_name); } diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c index 8a53fc8827..247cb575de 100644 --- a/source4/heimdal/kdc/misc.c +++ b/source4/heimdal/kdc/misc.c @@ -56,17 +56,39 @@ _kdc_db_fetch(krb5_context context, } for(i = 0; i < config->num_db; i++) { + krb5_principal enterprise_principal = NULL; + if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL) + && principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) { + if (principal->name.name_string.len != 1) { + ret = KRB5_PARSE_MALFORMED; + krb5_set_error_message(context, ret, + "malformed request: " + "enterprise name with %d name components", + principal->name.name_string.len); + return ret; + } + ret = krb5_parse_name(context, principal->name.name_string.val[0], + &enterprise_principal); + if (ret) + return ret; + + principal = enterprise_principal; + } + ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0); if (ret) { kdc_log(context, config, 0, "Failed to open database: %s", krb5_get_err_text(context, ret)); continue; } + ret = config->db[i]->hdb_fetch(context, config->db[i], principal, flags | HDB_F_DECRYPT, ent); + krb5_free_principal(context, enterprise_principal); + config->db[i]->hdb_close(context, config->db[i]); if(ret == 0) { if (db) diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h index ce219153b3..a5e6514e6c 100644 --- a/source4/heimdal/lib/hdb/hdb.h +++ b/source4/heimdal/lib/hdb/hdb.h @@ -54,6 +54,8 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; #define HDB_F_GET_ANY 28 /* fetch any of client,server,krbtgt */ #define HDB_F_CANON 32 /* want canonicalition */ +#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 + /* key usage for master key */ #define HDB_KU_MKEY 0x484442 @@ -80,7 +82,7 @@ typedef struct HDB{ int hdb_master_key_set; hdb_master_key hdb_master_key; int hdb_openp; - + int hdb_capability_flags; /** * Open (or create) the a Kerberos database. * @@ -184,7 +186,7 @@ typedef struct HDB{ krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*); }HDB; -#define HDB_INTERFACE_VERSION 4 +#define HDB_INTERFACE_VERSION 5 struct hdb_so_method { int version; diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 367eee5f14..7d731ab13d 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -1425,6 +1425,7 @@ NTSTATUS kdc_hdb_samba4_create(TALLOC_CTX *mem_ctx, (*db)->hdb_master_key_set = 0; (*db)->hdb_db = NULL; + (*db)->hdb_capability_flags = 0; nt_status = auth_system_session_info(*db, lp_ctx, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh index 840002f51e..2349afae7e 100755 --- a/testprogs/blackbox/test_kinit.sh +++ b/testprogs/blackbox/test_kinit.sh @@ -51,6 +51,8 @@ export KRB5CCNAME echo $PASSWORD > ./tmppassfile #testit "kinit with keytab" $samba4kinit --keytab=$PREFIX/dc/private/secrets.keytab $SERVER\$@$REALM || failed=`expr $failed + 1` testit "kinit with password" $samba4kinit --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1` +testit "kinit with password (enterprise style)" $samba4kinit --enterprise --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1` +testit "kinit with password (windows style)" $samba4kinit --windows --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1` testit "kinit with pkinit" $samba4kinit --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincert.pem,$PREFIX/dc/private/tls/adminkey.pem $USERNAME@$REALM || failed=`expr $failed + 1` testit "kinit renew ticket" $samba4kinit --request-pac -R |