svn commit: samba r19663 - in
branches/SAMBA_4_0/source/heimdal/lib/krb5: .
metze at samba.org
metze at samba.org
Sat Nov 11 14:00:25 GMT 2006
Author: metze
Date: 2006-11-11 14:00:24 +0000 (Sat, 11 Nov 2006)
New Revision: 19663
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19663
Log:
merge changes from lorikeet heimdal:
support for netbios domain based realms
metze
Modified:
branches/SAMBA_4_0/source/heimdal/lib/krb5/get_in_tkt.c
Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/lib/krb5/get_in_tkt.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/krb5/get_in_tkt.c 2006-11-11 12:52:04 UTC (rev 19662)
+++ branches/SAMBA_4_0/source/heimdal/lib/krb5/get_in_tkt.c 2006-11-11 14:00:24 UTC (rev 19663)
@@ -131,12 +131,21 @@
krb5_const_pointer decryptarg)
{
krb5_error_code ret;
- krb5_principal tmp_principal;
+ krb5_principal tmp_principal, srv_principal = NULL;
int tmp;
size_t len;
time_t tmp_time;
krb5_timestamp sec_now;
+/*
+ * HACK:
+ * this is really a ugly hack, to support using the Netbios Domain Name
+ * as realm against windows KDC's, they always return the full realm
+ * based on the DNS Name.
+ */
+allow_server_mismatch = 1;
+ignore_cname = 1;
+
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
rep->kdc_rep.cname,
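Review bot: `allow_server_mismatch = 1;` and `ignore_cname = 1;` unconditionally overwrite the values the caller passed in, so for every caller of this function the client-name check and the check of the ticket's server principal against the requested creds->server are now disabled, not only in the NetBIOS-domain-realm case the HACK comment describes. Either narrow the override to that case (only when the realm the KDC returned differs from the realm that was requested) or state in the comment that the two parameters are ignored from here on, e.g. `/* NOTE: overrides the caller's ignore_cname/allow_server_mismatch for every caller */`, so a reader of the prototype is not misled. The inserted comment block and assignments also sit at column 0 while the surrounding body is indented, though that may be an artifact of the archive rendering. The function's signature begins before this hunk.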
@@ -168,45 +177,64 @@
krb5_abortx(context, "internal error in ASN.1 encoder");
creds->second_ticket.length = 0;
creds->second_ticket.data = NULL;
+
+ /* decrypt */
+ if (decrypt_proc == NULL)
+ decrypt_proc = decrypt_tkt;
+
+ ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
+ if (ret)
+ goto out;
+
+#if 0
+ /* XXX should this decode be here, or in the decrypt_proc? */
+ ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1);
+ if(ret)
+ goto out;
+#endif
+
/* compare server */
ret = _krb5_principalname2krb5_principal (context,
- &tmp_principal,
+ &srv_principal,
rep->kdc_rep.ticket.sname,
rep->kdc_rep.ticket.realm);
if (ret)
goto out;
+
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
+ rep->enc_part.sname,
+ rep->enc_part.srealm);
+ if (ret)
+ goto out;
+
+ /*
+ * see if the service principal matches in the ticket
+ * and in the enc_part
+ */
+ tmp = krb5_principal_compare (context, tmp_principal, srv_principal);
+ krb5_free_principal (context, tmp_principal);
+ if (!tmp) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ krb5_clear_error_string (context);
+ goto out;
+ }
+
if(allow_server_mismatch){
krb5_free_principal(context, creds->server);
- creds->server = tmp_principal;
- tmp_principal = NULL;
+ creds->server = srv_principal;
+ srv_principal = NULL;
}else{
- tmp = krb5_principal_compare (context, tmp_principal, creds->server);
- krb5_free_principal (context, tmp_principal);
+ tmp = krb5_principal_compare (context, srv_principal, creds->server);
if (!tmp) {
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_clear_error_string (context);
goto out;
}
}
-
- /* decrypt */
- if (decrypt_proc == NULL)
- decrypt_proc = decrypt_tkt;
-
- ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
- if (ret)
- goto out;
-
-#if 0
- /* XXX should this decode be here, or in the decrypt_proc? */
- ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1);
- if(ret)
- goto out;
-#endif
-
/* compare nonces */
if (nonce != rep->enc_part.nonce) {
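Review bot: After the new sname comparison, `krb5_free_principal (context, tmp_principal);` leaves `tmp_principal` dangling for the remainder of the function, whereas the removed code reset it (`tmp_principal = NULL;`) whenever it gave up ownership; if any later path, including the `out:` label outside this hunk, reads or frees it, that is a use-after-free or double free. Add `tmp_principal = NULL;` directly after that free. The added check of rep->enc_part.sname against rep->kdc_rep.ticket.sname runs on the decrypted part and is not affected by `allow_server_mismatch`, which is worth a one-line comment since the mismatch branch below now replaces creds->server without any comparison. The function continues on both sides of this hunk.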
@@ -301,6 +329,8 @@
out:
memset (rep->enc_part.key.keyvalue.data, 0,
rep->enc_part.key.keyvalue.length);
+ if (srv_principal)
+ krb5_free_principal (context, srv_principal);
return ret;
}