diff options
| -rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 20 | ||||
| -rw-r--r-- | source4/kdc/kdc.c | 16 | ||||
| -rw-r--r-- | source4/kdc/pac-glue.c | 21 |
3 files changed, 52 insertions, 5 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 3577a14e5f..ccfa35b638 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -758,11 +758,27 @@ check_addresses(krb5_context context, krb5_error_code ret; krb5_address addr; krb5_boolean result; - + krb5_boolean only_netbios = TRUE; + int i; + if(config->check_ticket_addresses == 0) return TRUE; - if(addresses == NULL) + if(addresses == NULL) + return config->allow_null_ticket_addresses; + + for (i = 0; i < addresses->len; ++i) { + if (addresses->val[i].addr_type != KRB5_ADDRESS_NETBIOS) { + only_netbios = FALSE; + } + } + + /* Windows sends it's netbios name, which I can only assume is + * used for the 'allowed workstations' check. This is painful, but + * we still want to check IP addresses if they happen to be + * present. */ + + if(only_netbios) return config->allow_null_ticket_addresses; ret = krb5_sockaddr2address (context, from, &addr); diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index 4e7865b5f9..f220357708 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -388,6 +388,19 @@ void kpasswdd_tcp_accept(struct stream_connection *conn) kdcconn->kdc = kdc; kdcconn->process = kpasswdd_process; conn->private = kdcconn; + kdcconn->packet = packet_init(kdcconn); + if (kdcconn->packet == NULL) { + stream_terminate_connection(conn, "kdc_tcp_accept: out of memory"); + return; + } + packet_set_private(kdcconn->packet, kdcconn); + packet_set_socket(kdcconn->packet, conn->socket); + packet_set_callback(kdcconn->packet, kdc_tcp_recv); + packet_set_full_request(kdcconn->packet, packet_full_request_u32); + packet_set_error_handler(kdcconn->packet, kdc_tcp_recv_error); + packet_set_event_context(kdcconn->packet, conn->event.ctx); + packet_set_fde(kdcconn->packet, conn->event.fde); + packet_set_serialise(kdcconn->packet); } static const struct stream_server_ops kpasswdd_tcp_stream_ops = { @@ -556,9 +569,6 @@ static void kdc_task_init(struct task_server *task) } krb5_kdc_default_config(kdc->config); - /* NAT and the like make this pointless, and painful */ - kdc->config->check_ticket_addresses = FALSE; - initialize_krb5_error_table(); ret = smb_krb5_init_context(kdc, &kdc->smb_krb5_context); diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 03b53fa3af..bd4d3e6a2f 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -324,6 +324,8 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData TALLOC_CTX *tmp_ctx = talloc_new(entry_ex->private); struct hdb_ldb_private *private = talloc_get_type(entry_ex->private, struct hdb_ldb_private); char *name, *workstation = NULL; + int i; + if (!tmp_ctx) { return ENOMEM; } @@ -331,7 +333,26 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData ret = krb5_unparse_name(context, entry_ex->entry.principal, &name); if (ret != 0) { talloc_free(tmp_ctx); + return ret; } + + for (i=0; i < addresses->len; i++) { + if (addresses->val->addr_type == KRB5_ADDRESS_NETBIOS) { + workstation = talloc_strndup(tmp_ctx, addresses->val->address.data, MIN(addresses->val->address.length, 15)); + if (workstation) { + break; + } + } + } + + /* Strip space padding */ + if (workstation) { + i = MIN(strlen(workstation), 15); + for (; i > 0 && workstation[i - 1] == ' '; i--) { + workstation[i - 1] = '\0'; + } + } + nt_status = authsam_account_ok(tmp_ctx, private->samdb, MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, |