git.ipfire.org Git - thirdparty/samba.git/commitdiff
auth:kerberos: Do not fail if PAC account name doesn’t match ticket principal name
author Jennifer Sutton <jennifersutton@catalyst.net.nz>
Wed, 7 Jan 2026 01:56:33 +0000 (14:56 +1300)
committer Douglas Bagnall <dbagnall@samba.org>
Thu, 15 Jan 2026 01:48:37 +0000 (01:48 +0000)
Andrew Bartlett says:

“These days, we can trust that the PAC has been validated by the library, and I
think also that nobody could have put in a false PAC anyway (the KDC should stop
clients setting pre-auth data of that type), so the validation step that fails
isn't doing as much as it did 20 years ago. So I think we could simply patch
[this] check to accept the canonical name and know that we just are working with
that option [‘krb5 acceptor report canonical client name’] having been set.”

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
auth/kerberos/kerberos_pac.c
selftest/knownfail_heimdal_kdc.d/broken-client-principal [new file with mode: 0644]

index 4c61cfe838ffccb218f4499563c46645ada3ad9a..321c6cafb379f6f9ef81c5000b92abc76c2d940b 100644 (file)
@@ -405,9 +405,6 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                                  "in ticket [%s]\n",
                                  logon_name->account_name,
                                  client_principal_string));
-                       SAFE_FREE(client_principal_string);
-                       status = NT_STATUS_ACCESS_DENIED;
-                       goto out;
                }
                SAFE_FREE(client_principal_string);
 
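Review bot: dropping the `status = NT_STATUS_ACCESS_DENIED; goto out;` path makes every mismatch between the PAC account name and the ticket client principal non-fatal, not only the canonicalisation case the commit message describes ("accept the canonical name"); if the intent is tied to 'krb5 acceptor report canonical client name', consider gating the tolerance on that setting or comparing against the canonical form rather than removing the check outright. The DEBUG message in the context above ("... in ticket [%s]") now describes a tolerated condition rather than a denial, so reword it (and revisit its level) so operators do not read it as an access failure. The single remaining `SAFE_FREE(client_principal_string);` after the block now covers both paths, so no leak is introduced.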
diff --git a/selftest/knownfail_heimdal_kdc.d/broken-client-principal b/selftest/knownfail_heimdal_kdc.d/broken-client-principal
new file mode 100644 (file)
index 0000000..49e6bbb
--- /dev/null
@@ -0,0 +1,2 @@
+# Test for a broken client principal.
+^samba4\.local\.pac\.saved\ check\(none\)$
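Review bot: the comment `# Test for a broken client principal.` does not say why `samba4.local.pac.saved check(none)` is now expected to fail; state that the test asserts the pre-patch ACCESS_DENIED result on a PAC/ticket name mismatch, which this change removes, and consider updating the test's expectation to the new tolerated behaviour instead of adding a knownfail entry, since a knownfail entry would also hide future regressions in this code path.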