]> git.ipfire.org Git - thirdparty/samba.git/commitdiff
Sign and verify PAC with ticket principal instead of canon principal
authorIsaac Boukris <iboukris@gmail.com>
Thu, 16 Jan 2020 21:00:21 +0000 (22:00 +0100)
committerIsaac Boukris <iboukris@sn-devel-184>
Tue, 10 Mar 2020 13:02:27 +0000 (13:02 +0000)
With MIT library 1.18 the KDC no longer set
KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
us to not canonicalize them (like in Windows / Heimdal).

However, it now breaks the PAC signature verification as it was
wrongly done using canonical client rather than ticket client name.

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
source4/kdc/mit-kdb/kdb_samba_policies.c

index 586cf81451dbc4e20b93ed407d7af8962b80f724..2eec496fa92a3c328cfd0facecdc56132d5d588c 100644 (file)
@@ -323,7 +323,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
                                            krb5_authdata ***signed_auth_data)
 {
 #endif
-       krb5_const_principal ks_client_princ;
        krb5_authdata **authdata = NULL;
        krb5_boolean is_as_req;
        krb5_error_code code;
@@ -335,13 +334,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
        krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
 #endif
 
-       /* Prefer canonicalised name from client entry */
-       if (client != NULL) {
-               ks_client_princ = client->princ;
-       } else {
-               ks_client_princ = client_princ;
-       }
-
        is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
 
        if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
@@ -354,7 +346,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
        if (!is_as_req) {
                code = ks_verify_pac(context,
                                     flags,
-                                    ks_client_princ,
+                                    client_princ,
                                     client,
                                     server,
                                     krbtgt,
@@ -381,7 +373,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
                goto done;
        }
 
-       code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
+       code = krb5_pac_sign(context, pac, authtime, client_princ,
                        server_key, krbtgt_key, &pac_data);
        if (code != 0) {
                DBG_ERR("krb5_pac_sign failed: %d\n", code);