svn commit: samba r19662 - in branches/SAMBA_4_0/source/kdc: .

metze at samba.org metze at samba.org
Sat Nov 11 12:52:04 GMT 2006


Author: metze
Date: 2006-11-11 12:52:04 +0000 (Sat, 11 Nov 2006)
New Revision: 19662

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19662

Log:
Windows 2003 KDCs only rewrite the realm to the full form
when the client is using the NetBIOS domain name as realm.

We should match this and not rewrite the principal.

This matches what Windows gives:

metze at SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator at SERNOXDOM4
administrator at SERNOXDOM4's Password:

metze at SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist
Credentials cache: FILE:/tmp/krb5cc_10000
Principal: administrator at SERNOXDOM4.MX.BASE
	
Issued           Expires          Principal
Nov 11 13:37:52  Nov 11 23:37:52  krbtgt/SERNOXDOM4 at SERNOXDOM4.MX.BASE

Note:
I need to disable the principal checks in Heimdal's
_krb5_extract_ticket() for the kinit to work.

Any ideas how to change Heimdal to support this?

For the service principal we should use
the realm and principal in req->kdc_rep.enc_part
instead of the unencrypted req->kdc.ticket.sname
and req->kdc.ticket.realm to have a trusted value.

I'm not sure what we can do with the client realm...

metze
Modified:
   branches/SAMBA_4_0/source/kdc/hdb-ldb.c


Changeset:
Modified: branches/SAMBA_4_0/source/kdc/hdb-ldb.c
===================================================================
--- branches/SAMBA_4_0/source/kdc/hdb-ldb.c	2006-11-11 11:00:19 UTC (rev 19661)
+++ branches/SAMBA_4_0/source/kdc/hdb-ldb.c	2006-11-11 12:52:04 UTC (rev 19662)
@@ -632,7 +632,6 @@
 	struct ldb_message **realm_ref_msg = NULL;
 	const struct ldb_dn *realm_dn;
 
-	krb5_principal alloc_principal = NULL;
 	if (principal->name.name_string.len != 2
 	    || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
 		/* Not a krbtgt */
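Review bot: with `krb5_principal alloc_principal = NULL;` gone, confirm that no later reference to `alloc_principal` survives in the function (a `krb5_free_principal()` after the lookup, for instance), since only this declaration and the assignments in the following hunk are visible here and any remaining use will not compile. In the visible lines the copy made by `krb5_copy_principal()` was never released, so dropping it also closes that leak.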
@@ -642,33 +641,8 @@
 	/* krbtgt case.  Either us or a trusted realm */
 	if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
 			      mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) {
-		/* us */
-		/* Cludge, cludge cludge.  If the realm part of krbtgt/realm,
-		 * is in our db, then direct the caller at our primary
-		 * krgtgt */
-		
-		const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL);
-		char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
-		if (!realm_fixed) {
-			krb5_set_error_string(context, "strupper_talloc: out of memory");
-			return ENOMEM;
-		}
-		
-		ret = krb5_copy_principal(context, principal, &alloc_principal);
-		if (ret) {
-			return ret;
-		}
-
-		free(alloc_principal->name.name_string.val[1]);
-		alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
-		talloc_free(realm_fixed);
-		if (!alloc_principal->name.name_string.val[1]) {
-			krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
-			return ENOMEM;
-		}
-		principal = alloc_principal;
+		/* us */		
 		realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
-		
 	} else {
 		/* we should lookup trusted domains */
 		return HDB_ERR_NOENTRY;
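Review bot: now that `principal->name.name_string.val[1]` is passed through exactly as the client sent it, the `/* us */` branch should carry a comment stating the Windows 2003 behaviour from the log message (realm rewritten only in the client principal, krbtgt component left alone), and any later lookup or comparison that assumed an upper-cased dnsRoot value in that component must now accept the NetBIOS form as well; the old block guaranteed a canonical realm there and this one does not. Two smaller points: `/* us */` now ends in trailing tabs, and `ret` may become an unused variable if `krb5_copy_principal()` was its only assignment in this function.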

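The behaviour the commit message describes, as an added worked example that is not Samba or Heimdal code: a realm table standing in for the directory's dnsRoot lookup, the NetBIOS-to-DNS realm canonicalisation that the removed strupper_talloc() block performed, and the rule the patch adopts, keeping the krbtgt second component as the client sent it. The realm table, function names and buffer sizes are constructed assumptions; only the principal names come from the klist output above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* A realm known to this KDC: the flat (NetBIOS) domain name a client may send
 * as its realm, and the dnsRoot value holding the full Kerberos realm.
 * Constructed sample data; hdb-ldb.c reads this via LDB_lookup_realm(). */
struct realm_entry {
    const char *netbios;
    const char *dns_root;
};

static const struct realm_entry realm_table[] = {
    { "SERNOXDOM4", "sernoxdom4.mx.base" },
};

/* Case-insensitive equality; realm names are matched without regard to case. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Resolve the realm the client named (NetBIOS or DNS form) to the canonical
 * upper-case DNS realm, the normalisation strupper_talloc() did in the removed
 * code. Returns 1 and fills out on success, 0 if the realm is not ours. */
int canonical_realm(const char *client_realm, char *out, size_t outlen)
{
    size_t i, j;
    for (i = 0; i < sizeof(realm_table) / sizeof(realm_table[0]); i++) {
        const struct realm_entry *e = &realm_table[i];
        if (!name_eq(client_realm, e->netbios) && !name_eq(client_realm, e->dns_root))
            continue;
        if (strlen(e->dns_root) + 1 > outlen)
            return 0;
        for (j = 0; e->dns_root[j]; j++)
            out[j] = (char)toupper((unsigned char)e->dns_root[j]);
        out[j] = '\0';
        return 1;
    }
    return 0;
}

/* Build the AS-REP principals for "user@REALM" as the commit message says a
 * Windows 2003 KDC does: the client principal gets the full realm, while the
 * krbtgt service principal keeps the client's spelling of the realm as its
 * second component; only the realm part after '@' is canonical.
 * Returns 0 on success, -1 for an unparsable name or a realm that is not ours. */
int as_rep_principals(const char *client_name,
                      char *cname, size_t cname_len,
                      char *sname, size_t sname_len)
{
    const char *at = strchr(client_name, '@');
    char realm[256];
    int n;

    if (at == NULL || at == client_name || at[1] == '\0')
        return -1;
    if (!canonical_realm(at + 1, realm, sizeof(realm)))
        return -1;
    n = snprintf(cname, cname_len, "%.*s@%s", (int)(at - client_name), client_name, realm);
    if (n < 0 || (size_t)n >= cname_len)
        return -1;
    n = snprintf(sname, sname_len, "krbtgt/%s@%s", at + 1, realm);
    if (n < 0 || (size_t)n >= sname_len)
        return -1;
    return 0;
}

/* 1 if client_name yields exactly the expected client/service principal pair. */
int as_rep_matches(const char *client_name, const char *want_cname, const char *want_sname)
{
    char cname[512], sname[512];
    if (as_rep_principals(client_name, cname, sizeof(cname), sname, sizeof(sname)) != 0)
        return 0;
    return strcmp(cname, want_cname) == 0 && strcmp(sname, want_sname) == 0;
}

int main(void)
{
    char cname[512], sname[512];
    /* Reproduces the klist output quoted in the commit message. */
    if (as_rep_principals("administrator@SERNOXDOM4", cname, sizeof(cname),
                          sname, sizeof(sname)) == 0) {
        printf("Principal: %s\n", cname);
        printf("Service:   %s\n", sname);
    }
    return 0;
}
```

Modelling the pre-patch code would add one more step: rewriting the krbtgt second component to the canonical realm as well, which is exactly what the deleted block did and what the klist output shows Windows not doing. The example only works on parsed strings; as the commit message points out, a client must take the service principal from the encrypted part of the KDC reply rather than from the unencrypted ticket fields to have a trusted value.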

