svn commit: samba r19663 - in branches/SAMBA_4_0/source/heimdal/lib/krb5: .

metze at samba.org metze at samba.org
Sat Nov 11 14:00:25 GMT 2006


Author: metze
Date: 2006-11-11 14:00:24 +0000 (Sat, 11 Nov 2006)
New Revision: 19663

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19663

Log:
merge changes from lorikeet heimdal:

support for NetBIOS-domain-based realms

metze
Modified:
   branches/SAMBA_4_0/source/heimdal/lib/krb5/get_in_tkt.c


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/lib/krb5/get_in_tkt.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/krb5/get_in_tkt.c	2006-11-11 12:52:04 UTC (rev 19662)
+++ branches/SAMBA_4_0/source/heimdal/lib/krb5/get_in_tkt.c	2006-11-11 14:00:24 UTC (rev 19663)
@@ -131,12 +131,21 @@
 		     krb5_const_pointer decryptarg)
 {
     krb5_error_code ret;
-    krb5_principal tmp_principal;
+    krb5_principal tmp_principal, srv_principal = NULL;
     int tmp;
     size_t len;
     time_t tmp_time;
     krb5_timestamp sec_now;
 
+/*
+ * HACK:
+ * this is really a ugly hack, to support using the Netbios Domain Name
+ * as realm against windows KDC's, they always return the full realm
+ * based on the DNS Name.
+ */
+allow_server_mismatch = 1;
+ignore_cname = 1;
+
     ret = _krb5_principalname2krb5_principal (context,
 					      &tmp_principal,
 					      rep->kdc_rep.cname,
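Review bot: The two assignments added at the top of the body, `allow_server_mismatch = 1;` and `ignore_cname = 1;`, overwrite the caller's arguments unconditionally, so every caller of this function — not only the NetBIOS-realm case the comment describes — loses the server-principal check against `creds->server` and the cname check. If the workaround is needed, gate it on an explicit configuration setting (for example a libdefaults boolean read with `krb5_config_get_bool`) so the default stays strict, or have only the callers that need it pass those values. The assignments also sit at column 0 while the rest of the body is indented four spaces; `    allow_server_mismatch = 1;` and `    ignore_cname = 1;` would match. The enclosing function begins before this hunk.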
@@ -168,45 +177,64 @@
 	krb5_abortx(context, "internal error in ASN.1 encoder");
     creds->second_ticket.length = 0;
     creds->second_ticket.data   = NULL;
+    
+    /* decrypt */
 
+    if (decrypt_proc == NULL)
+	decrypt_proc = decrypt_tkt;
+    
+    ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
+    if (ret)
+	goto out;
+
+#if 0
+    /* XXX should this decode be here, or in the decrypt_proc? */
+    ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1);
+    if(ret)
+	goto out;
+#endif
+
     /* compare server */
 
     ret = _krb5_principalname2krb5_principal (context,
-					      &tmp_principal,
+					      &srv_principal,
 					      rep->kdc_rep.ticket.sname,
 					      rep->kdc_rep.ticket.realm);
     if (ret)
 	goto out;
+
+    ret = _krb5_principalname2krb5_principal (context,
+					      &tmp_principal,
+					      rep->enc_part.sname,
+					      rep->enc_part.srealm);
+    if (ret)
+	goto out;
+
+    /* 
+     * see if the service principal matches in the ticket
+     * and in the enc_part
+     */
+    tmp = krb5_principal_compare (context, tmp_principal, srv_principal);
+    krb5_free_principal (context, tmp_principal);
+    if (!tmp) {
+	ret = KRB5KRB_AP_ERR_MODIFIED;
+	krb5_clear_error_string (context);
+	goto out;
+    }
+
     if(allow_server_mismatch){
 	krb5_free_principal(context, creds->server);
-	creds->server = tmp_principal;
-	tmp_principal = NULL;
+	creds->server = srv_principal;
+	srv_principal = NULL;
     }else{
-	tmp = krb5_principal_compare (context, tmp_principal, creds->server);
-	krb5_free_principal (context, tmp_principal);
+	tmp = krb5_principal_compare (context, srv_principal, creds->server);
 	if (!tmp) {
 	    ret = KRB5KRB_AP_ERR_MODIFIED;
 	    krb5_clear_error_string (context);
 	    goto out;
 	}
     }
-    
-    /* decrypt */
 
-    if (decrypt_proc == NULL)
-	decrypt_proc = decrypt_tkt;
-    
-    ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
-    if (ret)
-	goto out;
-
-#if 0
-    /* XXX should this decode be here, or in the decrypt_proc? */
-    ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1);
-    if(ret)
-	goto out;
-#endif
-
     /* compare nonces */
 
     if (nonce != rep->enc_part.nonce) {
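Review bot: The new mismatch branch after `krb5_principal_compare (context, tmp_principal, srv_principal)` only clears the error string, so a caller that receives KRB5KRB_AP_ERR_MODIFIED cannot tell a ticket-vs-enc_part sname mismatch from the existing creds->server mismatch a few lines below; `krb5_set_error_string (context, "server principal in ticket and enc_part differ");` in place of the clear would make the failure diagnosable. The relocated decrypt block also carries the `#if 0` krb5_decode_keyblock fragment along with it; dead code should be dropped rather than moved. A one-line comment above the moved decrypt saying that `rep->enc_part` is only readable after `decrypt_proc` runs, which is why it now precedes the server comparison, would explain the reordering — that reason is inferred from the new order, so confirm it. The function continues past this hunk.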
@@ -301,6 +329,8 @@
 out:
     memset (rep->enc_part.key.keyvalue.data, 0,
 	    rep->enc_part.key.keyvalue.length);
+    if (srv_principal)
+        krb5_free_principal (context, srv_principal);
     return ret;
 }
 
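Review bot: The added cleanup line `        krb5_free_principal (context, srv_principal);` is indented with spaces while the neighbouring continuation line uses a tab, so it should be re-indented to match the file. The `if (srv_principal)` guard is harmless; if krb5_free_principal already tolerates a NULL argument in this tree (to be confirmed), the guard can be dropped so the out: label reads the same as the other frees.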