s4:mit-kdb: Force canonicalization for looking up principals

author Isaac Boukris <iboukris@gmail.com>

Sat, 19 Sep 2020 12:16:20 +0000 (14:16 +0200)

committer Jule Anger <janger@samba.org>

Sun, 24 Jul 2022 09:42:01 +0000 (11:42 +0200)
author Isaac Boukris <iboukris@gmail.com>
Sat, 19 Sep 2020 12:16:20 +0000 (14:16 +0200)
committer Jule Anger <janger@samba.org>
Sun, 24 Jul 2022 09:42:01 +0000 (11:42 +0200)
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h

index 5ef9d9565f3fe8fe33c9c4c3b0c38b209db23608..dafaffc6c2dc30def2d09a5cdcc99242af2574a3 100644 (file)
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
  #define HDB_F_ALL_KVNOS                2048    /* we want all the keys, live or not */
  #define HDB_F_FOR_AS_REQ       4096    /* fetch is for a AS REQ */
  #define HDB_F_FOR_TGS_REQ      8192    /* fetch is for a TGS REQ */
+#define HDB_F_FORCE_CANON      16384   /* force canonicalition */
  
  /* hdb_capability_flags */
  #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c

index 3a7e2176653082f0057237f2eed9edad8983b0ba..ac47fe783739def2ea5a51e3d1660b4b01c19589 100644 (file)
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -957,11 +957,16 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
                         krb5_clear_error_message(context);
                         goto out;
                 }
-       } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
+       } else if ((flags & SDB_F_FORCE_CANON) ||
+                  ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) {
                 /*
                  * SDB_F_CANON maps from the canonicalize flag in the
                  * packet, and has a different meaning between AS-REQ
                  * and TGS-REQ.  We only change the principal in the AS-REQ case
+                *
+                * The SDB_F_FORCE_CANON if for new MIT KDC code that wants
+                * the canonical name in all lookups, and takes care to
+                * canonicalize only when appropriate.
                  */
                 ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
                 if (ret) {
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c

index e015c5a52dbe97efc7593ac5b941ea93bfa0e1be..c2a604045d99124ea11d7e691935540f11dd46b3 100644 (file)
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -195,6 +195,14 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
                 return ENOMEM;
         }
  
+#if KRB5_KDB_API_VERSION >= 10
+       /*
+        * The MIT KDC code that wants the canonical name in all lookups, and
+        * takes care to canonicalize only when appropriate.
+        */
+       sflags |= SDB_F_FORCE_CANON;
+#endif
+
         if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
                 sflags |= SDB_F_CANON;
         }
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h

index c929acccce6a25a92283e310a42a248c04262d01..a9115ec23d74456faa139555937627f9f6eef0ef 100644 (file)
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
  #define SDB_F_KVNO_SPECIFIED   128     /* we want a particular KVNO */
  #define SDB_F_FOR_AS_REQ       4096    /* fetch is for a AS REQ */
  #define SDB_F_FOR_TGS_REQ      8192    /* fetch is for a TGS REQ */
+#define SDB_F_FORCE_CANON      16384   /* force canonicalition */
  
  void sdb_free_entry(struct sdb_entry_ex *e);
  void free_sdb_entry(struct sdb_entry *s);
author	Isaac Boukris <iboukris@gmail.com>
	Sat, 19 Sep 2020 12:16:20 +0000 (14:16 +0200)
committer	Jule Anger <janger@samba.org>
	Sun, 24 Jul 2022 09:42:01 +0000 (11:42 +0200)
source4/heimdal/lib/hdb/hdb.h		patch \| blob \| blame \| history
source4/kdc/db-glue.c		patch \| blob \| blame \| history
source4/kdc/mit_samba.c		patch \| blob \| blame \| history
source4/kdc/sdb.h		patch \| blob \| blame \| history