Allow client canonicalization in non-krbtgt AS-REP 986/head
authorIsaac Boukris <iboukris@gmail.com>
Tue, 15 Oct 2019 17:41:49 +0000 (20:41 +0300)
committerGreg Hudson <ghudson@mit.edu>
Sun, 3 Nov 2019 17:44:00 +0000 (12:44 -0500)
If a caller makes an AS-REQ with the canonicalize flag set (or with an
enterprise client principal or the anonymous flag), always allow the
KDC to change the client principal.  Continue to restrict server name
changes to requests for TGS principals.

Also remove the conditional for setting canon_ok for fully anonymous
requests.  Both kinds of anonymous requests change the client
principal or realm, but neither kind changes the server principal or
realm, so this logic is no longer needed now that canon_ok only
applies to server name changes.

[ghudson@mit.edu: clarified commit message; removed anonymous PKINIT
clause]

ticket: 8843 (new)

src/lib/krb5/krb/get_in_tkt.c
src/tests/t_kdb.py

index dcf6663cfac69372f7dc4d623bc33fc20e744b2d..870df62a1f1fe81d71d83b613b86fab20ec80882 100644 (file)
@@ -230,17 +230,12 @@ verify_as_reply(krb5_context            context,
     if (canon_req) {
         canon_ok = IS_TGS_PRINC(request->server) &&
             IS_TGS_PRINC(as_reply->enc_part2->server);
-        if (!canon_ok && (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS)) {
-            canon_ok = krb5_principal_compare_any_realm(context,
-                                                        as_reply->client,
-                                                        krb5_anonymous_principal());
-        }
     } else
         canon_ok = 0;
 
     if ((!canon_ok &&
-         (!krb5_principal_compare(context, as_reply->client, request->client) ||
-          !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)))
+         !krb5_principal_compare(context, as_reply->enc_part2->server, request->server))
+        || (!canon_req && !krb5_principal_compare(context, as_reply->client, request->client))
         || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server)
         || (request->nonce != as_reply->enc_part2->nonce)
         /* XXX check for extraneous flags */
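Review bot: After this change a request with canon_req set no longer compares as_reply->client with request->client for non-TGS service principals, and as_reply->client comes from the cleartext portion of the KDC-REP rather than from enc_part2. If nothing later in verify_as_reply or in the FAST processing binds the returned client name to the encrypted part, a canonicalized non-krbtgt reply's client name is accepted without any integrity check on this path; that binding (or its absence) is worth confirming and documenting here, since the old code at least rejected a cname that differed from the request. The two policies in the new condition are also easy to misread, so a comment above the `if` such as `/* Under canonicalization the KDC may rename the client; only a TGS request may receive a different server name. */` would help. verify_as_reply begins before the hunk and the condition continues past its last line.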
index 7a082a5b9f0a2da7f2e0b4a52039ff72cfd2f1db..cc5d2fc3c81faae067b2ee7a92ac21001fa7782e 100755 (executable)
@@ -389,6 +389,9 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
 realm.kinit('canon', password('canon'))
 realm.kinit('alias', password('canon'), ['-C'])
 
+# Test client name canonicalization in non-krbtgt AS reply
+realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw'])
+
 mark('LDAP password history')
 
 # Test password history.
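Review bot: The added kinit only asserts that the AS exchange with `-S kadmin/changepw` succeeds; it does not check that the resulting credentials name the canonical client `canon` rather than `alias`, which is the behaviour the commit introduces. A follow-up `realm.klist('canon@' + realm.realm, 'kadmin/changepw@' + realm.realm)` (assuming canon was created in realm.realm — confirm against the principal setup earlier in the file) would pin that the client name was actually canonicalized in the non-krbtgt reply. Without it a regression that silently stops renaming the client would still pass this test.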