* in-realm alias, fill in a different value for entries->princ than the
* one requested.
*
- * A module can return out-of-realm referrals if KRB5_KDB_FLAG_CANONICALIZE
- * is set. For AS request clients (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is
- * also set), the module should do so by simply filling in an out-of-realm
- * name in entries->princ and setting all other fields to NULL. Otherwise,
- * the module should return the entry for the cross-realm TGS of the
- * referred-to realm. For TGS referals, the module can also include
- * tl-data of type KRB5_TL_SERVER_REFERRAL containing ASN.1-encoded Windows
- * referral data as documented in draft-ietf-krb-wg-kerberos-referrals-11
- * appendix A; this will be returned to the client as encrypted padata.
+ * A module can return a referral to another realm if
+ * KRB5_KDB_FLAG_CANONICALIZE is set, or if
+ * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is set and search_for->type is
+ * KRB5_NT_ENTERPRISE_PRINCIPAL. If KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is
+ * set, the module should return a referral by simply filling in an
+ * out-of-realm name in (*entry)->princ and setting all other fields to
+ * NULL. Otherwise, the module should return the entry for the cross-realm
+ * TGS of the referred-to realm. For TGS referals, the module can also
+ * include tl-data of type KRB5_TL_SERVER_REFERRAL containing ASN.1-encoded
+ * Windows referral data as documented in
+ * draft-ietf-krb-wg-kerberos-referrals-11 appendix A; this will be
+ * returned to the client as encrypted padata.
*/
krb5_error_code (*get_principal)(krb5_context kcontext,
krb5_const_principal search_for,
* of cross realm TGS entries.
*/
setflag(state->c_flags, KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY);
- /*
- * Note that according to the referrals draft we should
- * always canonicalize enterprise principal names.
- */
+ /* Enterprise principals are implicitly alias-ok. */
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE) ||
state->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
- setflag(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE);
setflag(state->c_flags, KRB5_KDB_FLAG_ALIAS_OK);
}
+ if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
+ setflag(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ }
if (include_pac_p(kdc_context, state->request)) {
setflag(state->c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
}
'changetype: modify\n'
'add: krbPrincipalName\n'
'krbPrincipalName: alias@KRBTEST.COM\n'
+ 'krbPrincipalName: ent@abc@KRBTEST.COM\n'
'-\n'
'add: krbCanonicalName\n'
'krbCanonicalName: canon@KRBTEST.COM\n')
realm.run([kadminl, 'getprinc', 'alias'],
expected_msg='Principal: canon@KRBTEST.COM\n')
+realm.run([kadminl, 'getprinc', 'ent\@abc'],
+ expected_msg='Principal: canon@KRBTEST.COM\n')
realm.run([kadminl, 'getprinc', 'canon'],
expected_msg='Principal: canon@KRBTEST.COM\n')
realm.run([kvno, 'alias', 'canon'])
realm.kinit('canon', password('canon'))
realm.kinit('alias', password('canon'), ['-C'])
+# Test enterprise alias with and without canonicalization.
+realm.kinit('ent@abc', password('canon'), ['-E', '-C'])
+realm.run([kvno, 'alias'])
+realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
+
+realm.kinit('ent@abc', password('canon'), ['-E'])
+realm.run([kvno, 'alias'])
+realm.klist('ent\@abc@KRBTEST.COM', 'alias@KRBTEST.COM')
+
# Test client name canonicalization in non-krbtgt AS reply
realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw'])
projects / thirdparty / krb5.git / commitdiff
