svn commit: samba r20406 - in branches/SAMBA_4_0/source/kdc: .

abartlet at samba.org
Fri Dec 29 11:01:38 GMT 2006


Author: abartlet
Date: 2006-12-29 11:01:37 +0000 (Fri, 29 Dec 2006)
New Revision: 20406

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20406

Log:
Metze's change in -r 19662 broke Kerberos logins from Win2k3.

The reason is long and complex, but is due to forwardable tickets:

We would extract the forwardable ticket from the GSSAPI payload, and
look for the expiry time of the ticket for krbtgt/REALM at REALM.

However, with -r 19662 the ticket is given to the client as being for
krbtgt/realm at REALM, as it asked for a lower case realm.  Heimdal is
case sensitive for realms, and bails out.  (It should just not store
the forwarded ticket).

We need to co-ordinate changes in the KDC with relaxation of checks in
Heimdal, and a better Kerberos behaviour testsuite.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/kdc/hdb-ldb.c


Changeset:
Modified: branches/SAMBA_4_0/source/kdc/hdb-ldb.c
===================================================================
--- branches/SAMBA_4_0/source/kdc/hdb-ldb.c	2006-12-29 10:35:44 UTC (rev 20405)
+++ branches/SAMBA_4_0/source/kdc/hdb-ldb.c	2006-12-29 11:01:37 UTC (rev 20406)
@@ -630,6 +630,7 @@
 	struct ldb_message **realm_ref_msg = NULL;
 	struct ldb_dn *realm_dn;
 
+	krb5_principal alloc_principal = NULL;
 	if (principal->name.name_string.len != 2
 	    || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
 		/* Not a krbtgt */
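Review bot: the new `krb5_principal alloc_principal = NULL;` declaration is placed after the blank line that separates the declarations from the first `if` statement; move it up next to `struct ldb_dn *realm_dn;` so the declaration block stays together and the blank line keeps marking where code begins. Since this handle will hold a copy made with `krb5_copy_principal()`, every exit path of the function after that copy needs a matching `krb5_free_principal(context, alloc_principal)`, and having the variable declared at the top with the other locals makes that cleanup easier to audit.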
@@ -640,6 +641,30 @@
 	if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
 			      mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) {
 		/* us */		
+ 		/* Cludge, cludge cludge.  If the realm part of krbtgt/realm,
+ 		 * is in our db, then direct the caller at our primary
+ 		 * krgtgt */
+ 		
+ 		const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL);
+ 		char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
+ 		if (!realm_fixed) {
+ 			krb5_set_error_string(context, "strupper_talloc: out of memory");
+ 			return ENOMEM;
+ 		}
+ 		
+ 		ret = krb5_copy_principal(context, principal, &alloc_principal);
+ 		if (ret) {
+ 			return ret;
+ 		}
+ 
+ 		free(alloc_principal->name.name_string.val[1]);
+		alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
+ 		talloc_free(realm_fixed);
+ 		if (!alloc_principal->name.name_string.val[1]) {
+ 			krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
+ 			return ENOMEM;
+ 		}
+ 		principal = alloc_principal;
 		realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg[0], "nCName", NULL);
 	} else {
 		/* we should lookup trusted domains */
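Review bot: the principal copied into `alloc_principal` is never released: the `return ENOMEM;` after the failed `strdup()` leaks it, and once `principal = alloc_principal;` has replaced the parameter nothing in this hunk frees it, so each krbtgt lookup for a local realm loses one principal; add `krb5_free_principal(context, alloc_principal);` on the `strdup()` failure path and before the function's later returns. `dnsdomain` is also passed to `strupper_talloc()` without a NULL check, so a realm entry with no `dnsRoot` attribute would be reported as "strupper_talloc: out of memory"; an explicit `if (!dnsdomain)` check with its own error message would be clearer. The `free()`/`strdup()` on `name_string.val[1]` reach into Heimdal's principal representation and assume its components are malloc-allocated, which deserves a line in the comment. Minor style points: "Cludge" should be "Kludge" and "krgtgt" should be "krbtgt" in the new comment, the whitespace-only added lines should be empty, and the added lines are indented with a space before the tab while the `strdup` line uses a plain tab.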


