#define KRB5_KDB_FLAG_USER_TO_USER 0x00000800
/* Cross-realm */
#define KRB5_KDB_FLAG_CROSS_REALM 0x00001000
-/* Allow in-realm aliases */
-#define KRB5_KDB_FLAG_ALIAS_OK 0x00002000
/* Issuing referral */
#define KRB5_KDB_FLAG_ISSUING_REFERRAL 0x00004000
* part of the realm being served, and a referral or alternate TGT will
* be issued instead.
*
- * KRB5_KDB_FLAG_ALIAS_OK: Set by the KDC for server principal lookups and
- * for AS request client principal lookups with canonicalization
- * requested; also set by the admin interface. Determines whether the
- * module should return in-realm aliases.
- *
- * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set,
- * or if search_for->type is KRB5_NT_ENTERPRISE_PRINCIPAL. To return an
- * in-realm alias, fill in a different value for entries->princ than the
- * one requested.
+ * A module may return an in-realm alias by setting (*entry)->princ to the
+ * canonical name. The KDC will decide based on the request whether to use
+ * the requested name or the canonical name in the issued ticket.
*
* A module can return a referral to another realm if
* KRB5_KDB_FLAG_CANONICALIZE is set, or if
* of cross realm TGS entries.
*/
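Review bot: The new paragraph no longer says whether the flags argument affects alias resolution, and the remaining text above still ties referrals to KRB5_KDB_FLAG_CANONICALIZE, so a reader cannot tell that in-realm aliases are now returned regardless of flags — which is what the callers in this commit that switch to passing 0 (the kadm5 lookup and the rename checks) rely on. I would extend the added paragraph with `* Modules should return in-realm aliases regardless of the flags argument;` `* callers that pass 0 still receive the entry for an alias.` The enclosing comment block starts before this hunk.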
setflag(state->c_flags, KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY);
- /* Enterprise principals are implicitly alias-ok. */
- if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE) ||
- state->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
- setflag(state->c_flags, KRB5_KDB_FLAG_ALIAS_OK);
- }
+
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
au_state->stage = SRVC_PRINC;
s_flags = 0;
- setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
/* XXX make sure server here has the proper realm...taken from AP_REQ
header? */
- setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
krb5_principal_compare(context, princ, client))
return TRUE;
- if (krb5_db_get_principal(context, princ, KRB5_KDB_FLAG_ALIAS_OK, &ent))
+ if (krb5_db_get_principal(context, princ, 0, &ent))
return FALSE;
match = krb5_principal_compare(context, ent->princ, client);
krb5_db_free_principal(context, ent);
match_enctype = 0;
}
- retval = kdc_get_server_key(kdc_context, apreq->ticket,
- KRB5_KDB_FLAG_ALIAS_OK, match_enctype, server,
- NULL, NULL);
+ retval = kdc_get_server_key(kdc_context, apreq->ticket, 0, match_enctype,
+ server, NULL, NULL);
if (retval)
return retval;
*kdb_ptr = NULL;
- ret = krb5_db_get_principal(handle->context, principal,
- KRB5_KDB_FLAG_ALIAS_OK, &kdb);
+ ret = krb5_db_get_principal(handle->context, principal, 0, &kdb);
if (ret == KRB5_KDB_NOENTRY)
return(KADM5_UNK_PRINC);
if (ret)
logging(kcontext))
return KRB5_PLUGIN_OP_NOTSUPP;
- status = krb5_db_get_principal(kcontext, target, KRB5_KDB_FLAG_ALIAS_OK,
- &entry);
+ status = krb5_db_get_principal(kcontext, target, 0, &entry);
if (status == 0) {
krb5_db_free_principal(kcontext, entry);
return KRB5_KDB_INUSE;
if (source == NULL || target == NULL)
return EINVAL;
- ret = krb5_db_get_principal(kcontext, source, KRB5_KDB_FLAG_ALIAS_OK,
- &kdb);
+ ret = krb5_db_get_principal(kcontext, source, 0, &kdb);
if (ret)
goto cleanup;
if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
if (values[0] && strcmp(values[0], user) != 0) {
/* We matched an alias, not the canonical name. */
- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
- st = krb5_ldap_parse_principal_name(values[0], &cname);
- if (st != 0)
- goto cleanup;
- st = krb5_parse_name(context, cname, &cprinc);
- if (st != 0)
- goto cleanup;
- } else /* No canonicalization, so don't return aliases. */
- found = FALSE;
+ st = krb5_ldap_parse_principal_name(values[0], &cname);
+ if (st != 0)
+ goto cleanup;
+ st = krb5_parse_name(context, cname, &cprinc);
+ if (st != 0)
+ goto cleanup;
}
ldap_value_free(values);
if (!found)
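Review bot: The two `goto cleanup` paths added here leave `values` from ldap_get_values() unreleased, since the `ldap_value_free(values)` call is reached only on the success path; unless the cleanup label (outside this hunk) frees it, a malformed krbcanonicalname value leaks the value array on every lookup that hits it. The removed branch had the same shape, but the parsing now runs on every alias hit instead of only when the caller set KRB5_KDB_FLAG_ALIAS_OK, so the path is taken more often. I would release before jumping on both checks, `if (st != 0) { ldap_value_free(values); goto cleanup; }`, or move the release above the parsing. The enclosing loop and function start before this hunk.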
&search_name));
canon = get_string(h, "alias", search_name, NULL);
if (canon != NULL) {
- if (!(flags & KRB5_KDB_FLAG_ALIAS_OK) &&
- search_for->type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
- ret = KRB5_KDB_NOENTRY;
- goto cleanup;
- }
check(krb5_parse_name(context, canon, &princ));
if (!krb5_realm_compare(context, search_for, princ)) {
- if (flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) {
+ /* Out of realm */
+ if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) &&
+ ((flags & KRB5_KDB_FLAG_CANONICALIZE) ||
+ search_for->type == KRB5_NT_ENTERPRISE_PRINCIPAL)) {
/* Return a client referral by creating an entry with only the
* principal set. */
*entry = ealloc(sizeof(**entry));
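Review bot: The `/* Out of realm */` comment does not explain the new compound condition, which now makes the module itself decide when an out-of-realm alias becomes a client referral; the reader has to reconstruct that a referral is produced only when the KDC asked for client referrals and the client allowed canonicalization through the option or an enterprise name. I would replace it with `/* Out-of-realm alias: hand back a client referral only when the KDC asked for referrals and the client permitted canonicalization (KRB5_KDB_FLAG_CANONICALIZE or an enterprise name). */`. What the lookup returns when the condition is false lies outside this hunk and is worth stating in the same comment. The enclosing function starts before this hunk.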
&princ_name));
canon = get_string(h, "alias", princ_name, NULL);
krb5_free_unparsed_name(context, princ_name);
- if (canon != NULL &&
- ((flags & KRB5_KDB_FLAG_ALIAS_OK) ||
- princ->type == KRB5_NT_ENTERPRISE_PRINCIPAL)) {
+ if (canon != NULL) {
check(krb5_parse_name(context, canon, &canon_princ));
match = krb5_principal_compare(context, canon_princ, (*entry)->princ);
krb5_free_principal(context, canon_princ);
# Test client principal aliases, with and without preauth.
realm.kinit('canon', password('canon'))
-realm.kinit('alias', password('canon'), expected_code=1,
- expected_msg='not found in Kerberos database')
+realm.kinit('alias', password('canon'))
+realm.run([kvno, 'alias'])
+realm.klist('alias@KRBTEST.COM', 'alias@KRBTEST.COM')
realm.kinit('alias', password('canon'), ['-C'])
realm.run([kvno, 'alias'])
realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
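Review bot: The new assertions pin the contract that a kinit for an alias without -C now succeeds and keeps the alias as the ticket's client name, while the -C case below canonicalizes to canon@KRBTEST.COM, but nothing says so; a one-line comment would make the intent clear and stop a future reader from "fixing" the first klist to expect canon. I would add `# Without -C the client name stays the requested alias; with -C it is canonicalized.` above the new kinit line. The section comment mentions preauth, but the visible lines exercise only one setting; if the preauth variant does not follow outside this hunk it should be added.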