From: Andreas Schneider
Date: Wed, 6 Aug 2025 14:33:21 +0000 (+0200)
Subject: auth:creds: Make sure to uppercase the realm of a principal
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5879410caf9303a378f3d90365e60928a735e65a;p=thirdparty%2Fsamba.git
auth:creds: Make sure to uppercase the realm of a principal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893
Signed-off-by: Andreas Schneider
Reviewed-by: Alexander Bokovoy
---
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 777bf53430d..f7b95957124 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -379,9 +379,31 @@ _PUBLIC_ char *cli_credentials_get_principal_and_obtained(struct cli_credentials
 if (cred->principal_obtained == CRED_CALLBACK && !cred->callback_running) {
+ const char *princ = NULL;
+
 cred->callback_running = true;
- cred->principal = cred->principal_cb(cred);
+ princ = cred->principal_cb(cred);
 cred->callback_running = false;
+
+ cred->principal = NULL;
+ if (princ != NULL) {
+ char *p = NULL;
+
+ cred->principal = talloc_strdup(cred, princ);
+ if (cred->principal == NULL) {
+ return NULL;
+ }
+
+ p = strchr(cred->principal, '@');
+ if (p != NULL) {
+ p += 1;
+
+ for (; p[0] != '\0'; p++) {
+ *p = toupper(p[0]);
+ }
+ }
+ }
+
 if (cred->principal_obtained == CRED_CALLBACK) {
 cred->principal_obtained = CRED_CALLBACK_RESULT;
 cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
@@ -459,6 +481,15 @@ _PUBLIC_ bool cli_credentials_set_principal(struct cli_credentials *cred,
 if (cred->principal == NULL) {
 return false;
 }
+
+ p = strchr(cred->principal, '@');
+ if (p != NULL) {
+ p += 1;
+
+ for (; p[0] != '\0'; p++) {
+ *p = toupper(p[0]);
+ }
+ }
 }
 cred->principal_obtained = obtained;
 cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
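Review bot: `*p = toupper(p[0]);` in the cli_credentials_get_principal_and_obtained hunk passes a plain `char` to toupper(), which is undefined for negative values where char is signed, and nothing in this hunk keeps bytes above 0x7f out of the string returned by `principal_cb`. Cast at the call, `*p = toupper((unsigned char)p[0]);`, and make the same change in the identical loop added in the cli_credentials_set_principal hunk. toupper() also follows the process locale, whereas the loop this commit removes from cli_credentials_parse_string used `toupper_m`, so a short comment stating that the realm part is expected to be ASCII would make the intended Kerberos realm form explicit. Both functions start and end outside their hunks.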
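Review bot: `p = strchr(cred->principal, '@');` in the cli_credentials_set_principal hunk treats the first '@' as the realm separator, so if a principal can ever carry an '@' in its name part (an escaped '@', or a UPN-style name followed by a realm; this cannot be determined from the hunk) the loop also rewrites part of the name. If only the realm is meant to change, `p = strrchr(cred->principal, '@');` would limit the rewrite to the last component; otherwise a comment such as `/* everything after the first '@' is treated as the realm */` would record the choice. The callback path in the cli_credentials_get_principal_and_obtained hunk does the same lookup. `p` is declared outside this hunk, so its earlier uses in the function should be checked before changing it.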
@@ -1077,8 +1108,6 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials,
 }
 if ((p = strchr_m(uname,'@'))) {
- char *x = NULL;
-
 /*
 * We also need to set username and domain
 * in order to undo the effect of
@@ -1087,11 +1116,6 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials,
 cli_credentials_set_username(credentials, uname, obtained);
 cli_credentials_set_domain(credentials, "", obtained);
- /* Make sure the realm is uppercase */
- for (x = p + 1; x[0] != '\0'; x++) {
- *x = toupper_m(*x);
- }
-
 cli_credentials_set_principal(credentials, uname, obtained);
 *p = 0;
 cli_credentials_set_realm(credentials, p+1, obtained);
diff --git a/python/samba/tests/credentials.py b/python/samba/tests/credentials.py
index bc132681c48..1835d9b7b59 100644
--- a/python/samba/tests/credentials.py
+++ b/python/samba/tests/credentials.py
@@ -361,7 +361,7 @@ class CredentialsTests(samba.tests.TestCaseInTempDir):
 self.assertEqual(creds.get_username(), "env_user")
 self.assertEqual(creds.get_domain(), lp.get("workgroup").upper())
 self.assertEqual(creds.get_realm(), realm.upper())
- self.assertEqual(creds.get_principal(), "unknown@realm.example.com")
+ self.assertEqual(creds.get_principal(), "unknown@REALM.EXAMPLE.COM")
 creds.parse_string("domain\\user")
 self.assertEqual(creds.get_username(), "user")
 self.assertEqual(creds.get_domain(), "DOMAIN")
@@ -385,7 +385,7 @@ class CredentialsTests(samba.tests.TestCaseInTempDir):
 self.assertEqual(creds.get_username(), "env_user")
 self.assertEqual(creds.get_domain(), lp.get("workgroup").upper())
 self.assertEqual(creds.get_realm(), realm.upper())
- self.assertEqual(creds.get_principal(), "unknown@realm.example.com")
+ self.assertEqual(creds.get_principal(), "unknown@REALM.EXAMPLE.COM")
 creds.parse_string("domain\\user")
 self.assertEqual(creds.get_username(), "user")
 self.assertEqual(creds.get_domain(), "DOMAIN")
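Review bot: The two updated assertions in python/samba/tests/credentials.py only pin the uppercased realm for the principal these tests derive (`unknown@REALM.EXAMPLE.COM`); neither hunk shows a direct test of the two C paths the commit changes, an explicit set_principal call and a principal supplied by a callback. Consider adding next to them a case such as `creds.set_principal("user@realm.example.com")` followed by `self.assertEqual(creds.get_principal(), "user@REALM.EXAMPLE.COM")` (constructed sample values), plus one principal without '@' to confirm it comes back unchanged. Both test methods start and end outside their hunks, so such coverage may already exist elsewhere in the file.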