From 8329e8d46917d67f0cb51c3a004e323a87fa1499 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 23 Jun 2021 11:35:01 +1200
Subject: [PATCH] s4:kdc: Set entry.flags.force_canonicalize to override the new Heimdal behaviour

This is needed to give hdb_samba4 the full control over the returned principal, rather than the new code in the Heimdal KDC.

Including changes selected from code by Stefan Metzmacher in his Heimdal upgrade branch.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
---
 source4/kdc/db-glue.c    | 7 +++++++
 source4/kdc/sdb.h        | 2 +-
 source4/kdc/sdb_to_hdb.c | 2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 06b8eeec41d..b059d8c7e61 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -966,6 +966,13 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	/* First try and figure out the flags based on the userAccountControl */
 	entry_ex->entry.flags = uf2SDBFlags(context, userAccountControl, ent_type);
 
+	/*
+	 * Take control of the returned principal here, rather than
+	 * allowing the Heimdal code to do it as we have specific
+	 * behaviour around the forced realm to honour
+	 */
+	entry_ex->entry.flags.force_canonicalize = true;
+
 	/* Windows 2008 seems to enforce this (very sensible) rule by
 	 * default - don't allow offline attacks on a user's password
 	 * by asking for a ticket to them as a service (encrypted with
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index 17f06cf81a8..19d9b920278 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -76,7 +76,7 @@ struct SDBFlags {
 	unsigned int _unused27:1;
 	unsigned int _unused28:1;
 	unsigned int _unused29:1;
-	unsigned int _unused30:1;
+	unsigned int force_canonicalize:1;
 	unsigned int do_not_store:1;
 };
 
diff --git a/source4/kdc/sdb_to_hdb.c b/source4/kdc/sdb_to_hdb.c
index 4ae3f26a947..e5cc84a7e63 100644
--- a/source4/kdc/sdb_to_hdb.c
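Review bot: The new `entry_ex->entry.flags.force_canonicalize = true;` is applied unconditionally, right after `uf2SDBFlags()` has computed flags from `userAccountControl` and `ent_type`, so every entry this function builds (whatever `ent_type` it is called with) will carry the flag; if that is the intent for client, server and krbtgt entries alike, the comment should say so explicitly rather than leaving the reader to infer it. The comment also names a "forced realm" behaviour without saying where it is implemented or what the Heimdal KDC would do when the flag is absent, which is the information a maintainer needs when the upstream Heimdal semantics of this bit change. I would extend it along the lines of `/* Set unconditionally, for every ent_type: hdb_samba4 decides the principal name returned to the client, including the forced-realm handling in this function, so the Heimdal KDC's own canonicalisation must not override it. */`. Since the commit message states the tree will not compile with this patch alone, a one-line pointer to the commit that introduces the flag in the Heimdal `HDBFlags` would also help bisecting. samba_kdc_message2entry() starts and ends outside this hunk.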
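Review bot: The `sdb.h` hunk repurposes a previously reserved bit as `force_canonicalize` but `struct SDBFlags` carries no note that its members are meant to mirror Heimdal's `HDBFlags` and are copied by name in `sdb_flags_to_hdb_flags()` (also touched in this patch), so the relationship is only discoverable by reading the other file. A brief comment on the new member, e.g. `unsigned int force_canonicalize:1; /* mirrors HDBFlags.force_canonicalize; copied in sdb_flags_to_hdb_flags() */`, would make clear that adding a flag here requires the matching copy in sdb_to_hdb.c, which is the step most likely to be forgotten next time a reserved bit is claimed. The struct's opening and the remaining members lie outside this hunk.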
+++ b/source4/kdc/sdb_to_hdb.c
@@ -63,7 +63,7 @@ static void sdb_flags_to_hdb_flags(const struct SDBFlags *s,
 	h->_unused27 = s->_unused27;
 	h->_unused28 = s->_unused28;
 	h->_unused29 = s->_unused29;
-	h->_unused30 = s->_unused30;
+	h->force_canonicalize = s->force_canonicalize;
 	h->do_not_store = s->do_not_store;
 }
 
-- 
2.47.3