Catching more principals in ads_keytab_verify_ticket()

Doug VanLeuven roamdad at sonic.net
Fri Mar 11 09:44:41 GMT 2005


Doug VanLeuven wrote:

>> Even without the global option, updating the static list to include 
>> cifs/<host>.<realm>@<REALM> might help fix bug 2414.  I've got a 
>> patch for just that part right now.
>
>
> This patch adds these variations to samba managed keytabs:
> <global_myname()>.<REALM>@REALM that Michael Brown noticed
> and
> <global_myname()>.<realm>@REALM that I'm seeing from Enterprise 2003 
> Native mode for out-of-realm dns domains.

Ooops.  Forgot to attach the patch.

Doug

-------------- next part --------------
Index: libads/kerberos_keytab.c
===================================================================
--- libads/kerberos_keytab.c	(revision 5575)
+++ libads/kerberos_keytab.c	(working copy)
@@ -440,10 +440,10 @@
 	krb5_kt_cursor cursor;
 	krb5_keytab_entry kt_entry;
 	krb5_kvno kvno;
-	fstring my_fqdn, my_Fqdn, my_name, my_NAME;
+	fstring my_fqdn, my_Fqdn, my_name, my_NAME, my_host_realm;
 	char *p_fqdn;
 	int i, found = 0;
-	char **oldEntries = NULL, *princ_s[18];;
+	char **oldEntries = NULL, *princ_s[26];;
 
 	ret = ads_keytab_add_entry(ads, "host");
 	if (ret) {
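Review bot: The new length in `char **oldEntries = NULL, *princ_s[26];;` is a magic number that the third hunk repeats in its NULL-fill loop (`for (i=22; i < 26; i++)`), while the existing iteration loop just below that already derives the count with `sizeof(princ_s) / sizeof(princ_s[0])`; the two copies can drift apart the next time a principal is added. Initialising the array at the declaration, `*princ_s[26] = {NULL};`, would give every slot a defined value and let the NULL-fill loop in the third hunk be dropped, or else a named constant (`enum { NUM_PRINCS = 26 };`) should be used in both places. The stray second semicolon on that line is carried over from the old declaration and could be cleaned up while it is being touched. The enclosing function starts before this hunk.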
@@ -471,6 +471,10 @@
 	if (p_fqdn) {
 		fstrcat(my_Fqdn, p_fqdn);
 	}
+	fstrcpy(my_host_realm, my_name);
+	fstrcat(my_host_realm, ".");
+	fstrcat(my_host_realm, lp_realm());
+	strlower_m(my_host_realm);
 
 	asprintf(&princ_s[0], "%s$@%s", my_name, lp_realm());
 	asprintf(&princ_s[1], "%s$@%s", my_NAME, lp_realm());
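Review bot: my_host_realm is assembled unconditionally from my_name, "." and lp_realm(), so if lp_realm() can be empty at this point it becomes `<name>.`, which never matches my_fqdn and makes the later hunk register principals of the form `cifs/<name>.@`; if that case is reachable, guard the construction with `if (*lp_realm())` and leave the new slots NULL otherwise. The purpose of the value is not obvious from the four lines themselves, so a comment on the `fstrcpy` line such as `/* <name>.<realm>, lower-cased: the name a KDC uses for this host when its DNS domain is not the realm */` would help the next reader. The enclosing function starts and ends outside this hunk.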
@@ -490,6 +494,20 @@
 	asprintf(&princ_s[15], "CIFS/%s@%s", my_NAME, lp_realm());
 	asprintf(&princ_s[16], "CIFS/%s@%s", my_fqdn, lp_realm());
 	asprintf(&princ_s[17], "CIFS/%s@%s", my_Fqdn, lp_realm());
+	asprintf(&princ_s[18], "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm());
+	asprintf(&princ_s[19], "CIFS/%s.%s@%s", my_name, lp_realm(), lp_realm());
+	asprintf(&princ_s[20], "host/%s.%s@%s", my_name, lp_realm(), lp_realm());
+	asprintf(&princ_s[21], "HOST/%s.%s@%s", my_name, lp_realm(), lp_realm());
+	for (i=22; i < 26; i++) {
+		princ_s[i] = NULL;
+	}
+		/* when dnsdomain == realm, don't add duplicate principal */
+	if (strcmp(my_host_realm, my_fqdn) != 0) {
+		asprintf(&princ_s[22], "cifs/%s@%s", my_host_realm, lp_realm());
+		asprintf(&princ_s[23], "CIFS/%s@%s", my_host_realm, lp_realm());
+		asprintf(&princ_s[24], "host/%s@%s", my_host_realm, lp_realm());
+		asprintf(&princ_s[25], "HOST/%s@%s", my_host_realm, lp_realm());
+	}
 
 	for (i = 0; i < sizeof(princ_s) / sizeof(princ_s[0]); i++) {
 		if (princ_s[i] != NULL) {
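Review bot: The duplicate test `if (strcmp(my_host_realm, my_fqdn) != 0)` compares case-sensitively, and my_host_realm was just lower-cased, so it only recognises the duplicate when my_fqdn is likewise stored lower-cased where it is built earlier in the function, outside this hunk; if that is not guaranteed, the `<name>.<realm>` principals get added next to the identical my_fqdn ones, and `StrCaseCmp` would be the safer comparison. The comment `/* when dnsdomain == realm, don't add duplicate principal */` is indented one level deeper than the `if` it describes and should be aligned with it. The enclosing function continues past the end of this hunk.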

