auth:creds: Make sure to uppercase the realm of a principal
authorAndreas Schneider <asn@samba.org>
Wed, 6 Aug 2025 14:33:21 +0000 (16:33 +0200)
committerJule Anger <janger@samba.org>
Thu, 28 Aug 2025 09:38:21 +0000 (09:38 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 5879410caf9303a378f3d90365e60928a735e65a)

auth/credentials/credentials.c
python/samba/tests/credentials.py

index 777bf53430ddb42e90a93a5d58eb5e79bbe80399..f7b95957124cc46fbb35f7de229f174c3964873b 100644 (file)
@@ -379,9 +379,31 @@ _PUBLIC_ char *cli_credentials_get_principal_and_obtained(struct cli_credentials
 
        if (cred->principal_obtained == CRED_CALLBACK &&
            !cred->callback_running) {
+               const char *princ = NULL;
+
                cred->callback_running = true;
-               cred->principal = cred->principal_cb(cred);
+               princ = cred->principal_cb(cred);
                cred->callback_running = false;
+
+               cred->principal = NULL;
+               if (princ != NULL) {
+                       char *p = NULL;
+
+                       cred->principal = talloc_strdup(cred, princ);
+                       if (cred->principal == NULL) {
+                               return NULL;
+                       }
+
+                       p = strchr(cred->principal, '@');
+                       if (p != NULL) {
+                               p += 1;
+
+                               for (; p[0] != '\0'; p++) {
+                                       *p = toupper(p[0]);
+                               }
+                       }
+               }
+
                if (cred->principal_obtained == CRED_CALLBACK) {
                        cred->principal_obtained = CRED_CALLBACK_RESULT;
                        cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
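Review bot: `toupper(p[0])` in the new loop receives a plain `char`, which is undefined behaviour for bytes above 0x7F on platforms where `char` is signed; the call should at least be `*p = toupper((unsigned char)p[0]);`. It is also byte-wise and locale-dependent, whereas the loop this commit removes from cli_credentials_parse_string used `toupper_m`, so a realm containing non-ASCII characters may now be normalised differently than before. The identical loop is added again in the cli_credentials_set_principal hunk; a small static helper shared by both call sites would keep the two in step. The enclosing function starts and ends outside this hunk.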
@@ -459,6 +481,15 @@ _PUBLIC_ bool cli_credentials_set_principal(struct cli_credentials *cred,
                        if (cred->principal == NULL) {
                                return false;
                        }
+
+                       p = strchr(cred->principal, '@');
+                       if (p != NULL) {
+                               p += 1;
+
+                               for (; p[0] != '\0'; p++) {
+                                       *p = toupper(p[0]);
+                               }
+                       }
                }
                cred->principal_obtained = obtained;
                cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
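Review bot: `strchr(cred->principal, '@')` selects the first `@`, so a principal string carrying more than one `@` would have everything after the first one uppercased, including part of the client name rather than only the realm. If enterprise-style names or names with an escaped `@` can reach this setter, `p = strrchr(cred->principal, '@');` would confine the change to the realm. The same applies to the callback path in cli_credentials_get_principal_and_obtained. `p` is declared outside this hunk and the function body continues beyond it.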
@@ -1077,8 +1108,6 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials,
        }
 
        if ((p = strchr_m(uname,'@'))) {
-               char *x = NULL;
-
                /*
                 * We also need to set username and domain
                 * in order to undo the effect of
@@ -1087,11 +1116,6 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials,
                cli_credentials_set_username(credentials, uname, obtained);
                cli_credentials_set_domain(credentials, "", obtained);
 
-               /* Make sure the realm is uppercase */
-               for (x = p + 1; x[0] != '\0'; x++) {
-                       *x = toupper_m(*x);
-               }
-
                cli_credentials_set_principal(credentials, uname, obtained);
                *p = 0;
                cli_credentials_set_realm(credentials, p+1, obtained);
index bc132681c488fda82e95219db36f3851317fe369..1835d9b7b594fa395d75f9a38804ce5538fc45a1 100644 (file)
@@ -361,7 +361,7 @@ class CredentialsTests(samba.tests.TestCaseInTempDir):
         self.assertEqual(creds.get_username(), "env_user")
         self.assertEqual(creds.get_domain(), lp.get("workgroup").upper())
         self.assertEqual(creds.get_realm(), realm.upper())
-        self.assertEqual(creds.get_principal(), "unknown@realm.example.com")
+        self.assertEqual(creds.get_principal(), "unknown@REALM.EXAMPLE.COM")
         creds.parse_string("domain\\user")
         self.assertEqual(creds.get_username(), "user")
         self.assertEqual(creds.get_domain(), "DOMAIN")
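Review bot: The only changes in this test file are the expected strings in two existing assertions (here and in the following hunk), so the uppercasing added to cli_credentials_set_principal and to the principal callback path has no direct test. A case that calls `creds.set_principal("user@realm.example.com")` (constructed value) and asserts `creds.get_principal()` returns `"user@REALM.EXAMPLE.COM"` would pin the setter, and it would confirm that the user part is left untouched. The test method these assertions belong to starts outside the hunk.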
@@ -385,7 +385,7 @@ class CredentialsTests(samba.tests.TestCaseInTempDir):
         self.assertEqual(creds.get_username(), "env_user")
         self.assertEqual(creds.get_domain(), lp.get("workgroup").upper())
         self.assertEqual(creds.get_realm(), realm.upper())
-        self.assertEqual(creds.get_principal(), "unknown@realm.example.com")
+        self.assertEqual(creds.get_principal(), "unknown@REALM.EXAMPLE.COM")
         creds.parse_string("domain\\user")
         self.assertEqual(creds.get_username(), "user")
         self.assertEqual(creds.get_domain(), "DOMAIN")