svn commit: lorikeet r312 - in trunk/heimdal: kdc lib/hdb
abartlet at samba.org
Sat May 21 00:28:46 GMT 2005
Author: abartlet
Date: 2005-05-21 00:28:46 +0000 (Sat, 21 May 2005)
New Revision: 312
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=312
Log:
These subtle changes (whose Kerberos correctness I am far from sure of)
allow the KDC to operate with its dual personality of long and short
names, and to have an implicit inter-realm trust between them.
(This allows the krbtgt principal to be treated differently in both
AS_REQ and TGS_REQ packets).
We are now at the stage where we need the PAC.
Andrew Bartlett
Modified:
trunk/heimdal/kdc/kerberos5.c
trunk/heimdal/lib/hdb/hdb-ldb.c
Changeset:
Modified: trunk/heimdal/kdc/kerberos5.c
===================================================================
--- trunk/heimdal/kdc/kerberos5.c 2005-05-20 13:25:50 UTC (rev 311)
+++ trunk/heimdal/kdc/kerberos5.c 2005-05-21 00:28:46 UTC (rev 312)
@@ -718,7 +718,7 @@
goto out;
}
- ret = db_fetch(server_princ, HDB_ENT_TYPE_KRBTGT, &server);
+ ret = db_fetch(server_princ, HDB_ENT_TYPE_SERVER, &server);
if(ret){
kdc_log(0, "UNKNOWN -- %s: %s", server_name,
krb5_get_err_text(context, ret));
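Review bot: Both this fetch of `server_princ` and the second hunk's fetch of `ap_req.ticket.sname` into `krbtgt` now ask the database for HDB_ENT_TYPE_SERVER, so krbtgt-specific handling of that entry happens only if the backend recognises the name on its own, as the LDB backend does elsewhere in this commit; a backend without that heuristic would hand back a plain server entry for the TGS principal. A comment at each call site would keep that dependency visible, e.g. `/* fetched as SERVER: the hdb backend is expected to promote krbtgt/<realm> to KRBTGT type itself */`. The enclosing functions start and end outside both hunks.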
@@ -1788,7 +1788,7 @@
ap_req.ticket.sname,
ap_req.ticket.realm);
- ret = db_fetch(princ, HDB_ENT_TYPE_KRBTGT, &krbtgt);
+ ret = db_fetch(princ, HDB_ENT_TYPE_SERVER, &krbtgt);
if(ret) {
char *p;
Modified: trunk/heimdal/lib/hdb/hdb-ldb.c
===================================================================
--- trunk/heimdal/lib/hdb/hdb-ldb.c 2005-05-20 13:25:50 UTC (rev 311)
+++ trunk/heimdal/lib/hdb/hdb-ldb.c 2005-05-21 00:28:46 UTC (rev 312)
@@ -288,7 +288,6 @@
ent->flags = uf2HDBFlags(context, userAccountControl, ent_type);
if (ent_type == HDB_ENT_TYPE_KRBTGT) {
- ent->flags.initial = 1;
ent->flags.invalid = 0;
ent->flags.server = 1;
}
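Review bot: The KRBTGT branch still forces `ent->flags.invalid = 0` and `ent->flags.server = 1` after uf2HDBFlags has computed the flags from userAccountControl, so whatever that function derived for those two bits (presumably a disabled-account state, but uf2HDBFlags is outside this view) is discarded for krbtgt entries, and with the realm check added later in this file every lookup of a krbtgt/<realm> name now takes this branch. If the override is deliberate, a comment would save the next reader the question, e.g. `/* krbtgt is always a valid service principal; userAccountControl must not disable the TGS */`; otherwise keep the computed `invalid` bit and only set `server`. The enclosing function starts and ends outside the hunk.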
@@ -492,6 +491,7 @@
p[0] = '\0';
}
+
switch (ent_type) {
case HDB_ENT_TYPE_KRBTGT:
filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))",
@@ -587,7 +587,11 @@
count = ldb_search(ldb_ctx, realm_dn, LDB_SCOPE_BASE, "(objectClass=domain)",
realm_attrs, &msg);
- *pmsg = talloc_steal(mem_ctx, msg);
+ if (pmsg) {
+ *pmsg = talloc_steal(mem_ctx, msg);
+ } else {
+ talloc_free(msg);
+ }
if (count < 1) {
krb5_warnx(context, "ldb_search: dn: %s not found: %d", realm_dn, count);
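Review bot: With `pmsg` allowed to be NULL, LDB_lookup_realm doubles as an existence probe (the krbtgt check added later in this file calls it with NULL), yet a miss still reaches the `krb5_warnx` at the end of the hunk, so every probe of an unknown realm name — which in that caller is the second component of the principal in the request — produces a warning line. Consider `if (pmsg) krb5_warnx(context, "ldb_search: dn: %s not found: %d", realm_dn, count);` or a debug-level message for the probe case. Whether `msg` is guaranteed to be NULL or valid when ldb_search fails with a negative count cannot be seen here; the new `talloc_free(msg)` relies on that. The function's body continues outside the hunk.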
@@ -758,6 +762,16 @@
realm_dn = realm_msg[0]->dn;
+ /* Cludge, cludge cludge. If the realm part of krbtgt/realm
+ * is in our db, then direct the caller at our primary
+ * krgtgt */
+ if(principal->name.name_string.len == 2
+ && (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) == 0)
+ && (LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
+ mem_ctx, principal->name.name_string.val[1], NULL) == 0)) {
+ ent_type = HDB_ENT_TYPE_KRBTGT;
+ }
+
ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db,
mem_ctx,
principal, ent_type, realm_dn, &msg);
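Review bot: The new krbtgt check promotes the lookup to HDB_ENT_TYPE_KRBTGT for any incoming `ent_type`, including a client lookup, so a request that names krbtgt/<realm> as its client would also be fetched as the TGS entry and receive the KRBTGT flag overrides applied earlier in this file; narrowing the guard to the case the KDC changes in this commit rely on, `if (ent_type == HDB_ENT_TYPE_SERVER && principal->name.name_string.len == 2`, keeps the cludge to server lookups. `principal->name.name_string.val[1]` is taken from the request and passed straight into LDB_lookup_realm; whether that function escapes the value before building its DN or search filter is not visible here and is worth confirming. The added comment also misspells the principal (`krgtgt`); something like `/* krbtgt/<realm>: if <realm> is one of our realms, look the entry up as our primary krbtgt */` would be clearer. The enclosing function starts and ends outside the hunk.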