From: Douglas Bagnall Date: Wed, 26 Nov 2025 20:29:00 +0000 (+1300) Subject: s4:kdc: honour "kdc require canonicalization = yes" X-Git-Tag: tdb-1.4.15~74 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2cfb2041deaccb38d144f59527a11673d7a0fd6d;p=thirdparty%2Fsamba.git s4:kdc: honour "kdc require canonicalization = yes" Signed-off-by: Douglas Bagnall Reviewed-by: Gary Lockyer
---
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 23feecc6dc0..b3cc6899548 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -4429,7 +4429,28 @@ krb5_error_code samba_kdc_fetch(krb5_context context,
 struct sdb_entry *entry)
 {
 krb5_error_code ret = SDB_ERR_NOENTRY;
- TALLOC_CTX *mem_ctx;
+ TALLOC_CTX *mem_ctx = NULL;
+
+ if ((flags & SDB_F_CANON) == 0 &&
+ (flags & SDB_F_FOR_AS_REQ) &&
+ (flags & SDB_F_GET_CLIENT)) {
+ /*
+ * If smb.conf has
+ *
+ * kdc require canonicalization = yes
+ *
+ * we refuse any AS REQ cname look-up if the client
+ * has not set the canonicalize flag.
+ *
+ * This will end up as KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
+ * in the reply.
+ */
+ bool require_canon = lpcfg_kdc_require_canonicalization(
+ kdc_db_ctx->lp_ctx);
+ if (require_canon) {
+ return EINVAL;
+ }
+ }
 
 mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_fetch context");
 if (!mem_ctx) {
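Review bot: The new early-return hands a raw errno out of an SDB fetch callback (`return EINVAL;`) while the surrounding function speaks SDB_* codes — `ret` is initialised to `SDB_ERR_NOENTRY` two lines above the change — so the comment's claim that this "will end up as KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" holds only if the caller maps every non-SDB error to that code. Returning `SDB_ERR_NOENTRY` instead produces the unknown-principal reply by the same path as a genuinely missing entry and does not rely on that mapping, and the comment could then say so directly ("we return SDB_ERR_NOENTRY so the client sees KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"). Because the refusal is indistinguishable from a real lookup miss on the wire, a log line at the rejection naming the smb.conf option and the requested principal (the principal parameter is declared above the hunk) would help an operator tell a non-canonicalizing client from a missing account, e.g. `DBG_NOTICE("refusing AS-REQ cname lookup without canonicalize flag: kdc require canonicalization = yes\n");` before the return. The check correctly precedes the `talloc_named()` call, so nothing is leaked on the refusal path; samba_kdc_fetch itself begins and continues outside this hunk.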