s4:mit-kdb: Force canonicalization for looking up principals
authorIsaac Boukris <iboukris@gmail.com>
Sat, 19 Sep 2020 12:16:20 +0000 (14:16 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Mon, 29 Nov 2021 09:32:25 +0000 (09:32 +0000)
See also
https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184

selftest/knownfail_mit_kdc
source4/heimdal/lib/hdb/hdb.h
source4/kdc/db-glue.c
source4/kdc/mit_samba.c
source4/kdc/sdb.h

index cc7b501c6bf789939c4d76ceed176d3a9563e74d..c046a46a4f3d41a81f6d29037d0131e6f19907f5 100644 (file)
@@ -379,8 +379,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_allowed_denied
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_denied
@@ -408,8 +406,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_sname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_other_sname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_req
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_allowed_denied
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_denied
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_no_krbtgt_link
@@ -422,10 +418,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_cname_host
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_correct_cname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_correct_realm
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_other_cname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_wrong_realm
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_srealm
@@ -471,12 +463,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_none
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_true
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_pac_request_false
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_pac_request_none
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_pac_request_true
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_false
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_none
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_true
 #
 # PAC requester SID tests
 #
index 5ef9d9565f3fe8fe33c9c4c3b0c38b209db23608..dafaffc6c2dc30def2d09a5cdcc99242af2574a3 100644 (file)
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_ALL_KVNOS                2048    /* we want all the keys, live or not */
 #define HDB_F_FOR_AS_REQ       4096    /* fetch is for a AS REQ */
 #define HDB_F_FOR_TGS_REQ      8192    /* fetch is for a TGS REQ */
+#define HDB_F_FORCE_CANON      16384   /* force canonicalition */
 
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
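Review bot: The comment on the new HDB_F_FORCE_CANON line misspells the term ("canonicalition"); the same typo is repeated on the SDB_F_FORCE_CANON line in the sdb.h hunk below. Suggested wording for both: `#define HDB_F_FORCE_CANON      16384   /* force canonicalization */`. Since this header lives in a vendored copy of Heimdal, it is worth confirming that 16384 is not already assigned to another HDB_F_ flag upstream, otherwise a future resync would silently alias two flags.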
index 274a1f26459ba44ddb5b30e47f58a552c4d1315d..bfde2baf0b59a277b6bb7ba00c3ef1ae955ecdd2 100644 (file)
@@ -922,11 +922,16 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
                        krb5_clear_error_message(context);
                        goto out;
                }
-       } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
+       } else if ((flags & SDB_F_FORCE_CANON) ||
+                  ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) {
                /*
                 * SDB_F_CANON maps from the canonicalize flag in the
                 * packet, and has a different meaning between AS-REQ
                 * and TGS-REQ.  We only change the principal in the AS-REQ case
+                *
+                * The SDB_F_FORCE_CANON if for new MIT KDC code that wants
+                * the canonical name in all lookups, and takes care to
+                * canonicalize only when appropriate.
                 */
                ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
                if (ret) {
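Review bot: The new condition makes SDB_F_FORCE_CANON bypass the SDB_F_FOR_AS_REQ gate, so the decision not to rewrite the principal on a TGS-REQ without the canonicalize flag now rests entirely with the caller; the added comment should state that contract explicitly rather than only describe the MIT use, and it also has a typo ("if for"). Suggested replacement for the three added comment lines: `* SDB_F_FORCE_CANON is for new MIT KDC code that wants the canonical name in all lookups; callers setting it take responsibility for only using the canonical principal where the request allows it.` samba_kdc_message2entry starts and ends outside this hunk, so the remaining consumers of entry_ex->entry.principal are not visible here.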
index 4239332f0d9b507941aeea27b2102d30feb3b835..53c137de2fde23e303bdcba8b0c889571e32ba6e 100644 (file)
@@ -221,6 +221,14 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
                return ENOMEM;
        }
 
+#if KRB5_KDB_API_VERSION >= 10
+       /*
+        * The MIT KDC code that wants the canonical name in all lookups, and
+        * takes care to canonicalize only when appropriate.
+        */
+       sflags |= SDB_F_FORCE_CANON;
+#endif
+
        if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
                sflags |= SDB_F_CANON;
        }
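Review bot: The comment above the new `sflags |= SDB_F_FORCE_CANON;` is a sentence fragment and does not explain why the flag is tied to KRB5_KDB_API_VERSION >= 10, which is the information a reader of the `#if` actually needs. Suggested wording: `/* KDB API >= 10 expects the canonical name from every lookup and decides itself when to canonicalize; older APIs keep the previous SDB_F_CANON-only behaviour. */`. It is also worth a sentence in the commit message or comment that the flag is set regardless of kflags, i.e. independently of KRB5_KDB_FLAG_CANONICALIZE, since that is the behavioural change. mit_samba_get_principal starts and ends outside this hunk.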
index c929acccce6a25a92283e310a42a248c04262d01..a9115ec23d74456faa139555937627f9f6eef0ef 100644 (file)
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
 #define SDB_F_KVNO_SPECIFIED   128     /* we want a particular KVNO */
 #define SDB_F_FOR_AS_REQ       4096    /* fetch is for a AS REQ */
 #define SDB_F_FOR_TGS_REQ      8192    /* fetch is for a TGS REQ */
+#define SDB_F_FORCE_CANON      16384   /* force canonicalition */
 
 void sdb_free_entry(struct sdb_entry_ex *e);
 void free_sdb_entry(struct sdb_entry *s);