From 3797e465439ec146cde2b041a553c6dcf1eb9683 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 25 Mar 2011 12:36:14 +0100 Subject: HEIMDAL:kdc: pass the correct principal name for the resulting service ticket Depending on S4U2Proxy the principal name for the resulting ticket is not the principal of the client ticket. metze --- source4/heimdal/kdc/krb5tgs.c | 74 +++++++++++++++++++++---------------------- 1 file changed, 36 insertions(+), 38 deletions(-) (limited to 'source4/heimdal') diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 5cfe7c8791..522eeda71b 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -1465,10 +1465,9 @@ tgs_build_reply(krb5_context context, const struct sockaddr *from_addr) { krb5_error_code ret; - krb5_principal cp = NULL, sp = NULL; - krb5_principal client_principal = NULL; + krb5_principal cp = NULL, sp = NULL, tp = NULL; krb5_principal krbtgt_principal = NULL; - char *spn = NULL, *cpn = NULL; + char *spn = NULL, *cpn = NULL, *tpn = NULL; hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL; HDB *clientdb, *s4u2self_impersonated_clientdb; krb5_realm ref_realm = NULL; @@ -1720,16 +1719,16 @@ server_lookup: krb5_free_principal(context, krbtgt_principal); if (ret) { krb5_error_code ret2; - char *tpn, *tpn2; - ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn); - ret2 = krb5_unparse_name(context, krbtgt->entry.principal, &tpn2); + char *ktpn, *ktpn2; + ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn); + ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2); kdc_log(context, config, 0, "Request with wrong krbtgt: %s, %s not found in our database", - (ret == 0) ? tpn : "", (ret2 == 0) ? tpn2 : ""); + (ret == 0) ? ktpn : "", (ret2 == 0) ? ktpn2 : ""); if(ret == 0) - free(tpn); + free(ktpn); if(ret2 == 0) - free(tpn2); + free(ktpn2); ret = KRB5KRB_AP_ERR_NOT_US; goto out; } @@ -1741,13 +1740,13 @@ server_lookup: * this) before the strcmp() */ if (strcmp(krb5_principal_get_realm(context, server->entry.principal), krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) { - char *tpn; - ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &tpn); + char *ktpn; + ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn); kdc_log(context, config, 0, "Request with wrong krbtgt: %s", - (ret == 0) ? tpn : ""); + (ret == 0) ? ktpn : ""); if(ret == 0) - free(tpn); + free(ktpn); ret = KRB5KRB_AP_ERR_NOT_US; } @@ -1824,7 +1823,9 @@ server_lookup: * Process request */ - client_principal = cp; + /* by default the tgt principal matches the client principal */ + tp = cp; + tpn = cpn; if (client) { const PA_DATA *sdata; @@ -1835,7 +1836,6 @@ server_lookup: krb5_crypto crypto; krb5_data datack; PA_S4U2Self self; - char *selfcpn = NULL; const char *str; ret = decode_PA_S4U2Self(sdata->padata_value.data, @@ -1878,14 +1878,14 @@ server_lookup: } ret = _krb5_principalname2krb5_principal(context, - &client_principal, + &tp, self.name, self.realm); free_PA_S4U2Self(&self); if (ret) goto out; - ret = krb5_unparse_name(context, client_principal, &selfcpn); + ret = krb5_unparse_name(context, tp, &tpn); if (ret) goto out; @@ -1893,7 +1893,7 @@ server_lookup: if(rspac.data) { krb5_pac p = NULL; krb5_data_free(&rspac); - ret = _kdc_db_fetch(context, config, client_principal, HDB_F_GET_CLIENT | HDB_F_CANON, + ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | HDB_F_CANON, NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client); if (ret) { const char *msg; @@ -1907,14 +1907,16 @@ server_lookup: if (ret == HDB_ERR_NOENTRY) ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 1, "S2U4Self principal to impersonate %s not found in database: %s", cpn, msg); + kdc_log(context, config, 1, + "S2U4Self principal to impersonate %s not found in database: %s", + tpn, msg); krb5_free_error_message(context, msg); goto out; } ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p); if (ret) { kdc_log(context, config, 0, "PAC generation failed for -- %s", - selfcpn); + tpn); goto out; } if (p != NULL) { @@ -1925,7 +1927,7 @@ server_lookup: krb5_pac_free(context, p); if (ret) { kdc_log(context, config, 0, "PAC signing failed for -- %s", - selfcpn); + tpn); goto out; } } @@ -1940,8 +1942,7 @@ server_lookup: kdc_log(context, config, 0, "S4U2Self: %s is not allowed " "to impersonate to service " "(tried for user %s to service %s)", - cpn, selfcpn, spn); - free(selfcpn); + cpn, tpn, spn); goto out; } @@ -1957,8 +1958,7 @@ server_lookup: str = ""; } kdc_log(context, config, 0, "s4u2self %s impersonating %s to " - "service %s %s", cpn, selfcpn, spn, str); - free(selfcpn); + "service %s %s", cpn, tpn, spn, str); } } @@ -1974,7 +1974,6 @@ server_lookup: int ad_signedpath = 0; Key *clientkey; Ticket *t; - char *str; /* * Require that the KDC have issued the service's krbtgt (not @@ -2024,19 +2023,18 @@ server_lookup: } ret = _krb5_principalname2krb5_principal(context, - &client_principal, + &tp, adtkt.cname, adtkt.crealm); if (ret) goto out; - ret = krb5_unparse_name(context, client_principal, &str); + ret = krb5_unparse_name(context, tp, &tpn); if (ret) goto out; - ret = verify_flags(context, config, &adtkt, str); + ret = verify_flags(context, config, &adtkt, tpn); if (ret) { - free(str); goto out; } @@ -2046,7 +2044,7 @@ server_lookup: ret = check_KRB5SignedPath(context, config, krbtgt, - cp, + tp, &adtkt, NULL, &ad_signedpath); @@ -2058,15 +2056,13 @@ server_lookup: "KRB5SignedPath check from service %s failed " "for delegation to %s for client %s " "from %s failed with %s", - spn, str, cpn, from, msg); + spn, tpn, cpn, from, msg); krb5_free_error_message(context, msg); - free(str); goto out; } kdc_log(context, config, 0, "constrained delegation for %s " - "from %s to %s", str, cpn, spn); - free(str); + "from %s to %s", tpn, cpn, spn); } /* @@ -2137,7 +2133,7 @@ server_lookup: ret = tgs_make_reply(context, config, b, - client_principal, + tp, tgt, replykey, rk_is_subkey, @@ -2159,6 +2155,8 @@ server_lookup: reply); out: + if (tpn != cpn) + free(tpn); free(spn); free(cpn); @@ -2173,8 +2171,8 @@ out: if(s4u2self_impersonated_client) _kdc_free_ent(context, s4u2self_impersonated_client); - if (client_principal && client_principal != cp) - krb5_free_principal(context, client_principal); + if (tp && tp != cp) + krb5_free_principal(context, tp); if (cp) krb5_free_principal(context, cp); if (sp) -- cgit