From: Douglas Bagnall Date: Wed, 12 Nov 2025 03:22:05 +0000 (+1300) Subject: s4:kdc: do not match principal + '$' if smb.conf says not to X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b9e22e696861100fe154394a006c9eba6bf397d;p=thirdparty%2Fsamba.git s4:kdc: do not match principal + '$' if smb.conf says not to With this patch we honour kdc name match implicit dollar without canonicalization = no Signed-off-by: Douglas Bagnall Reviewed-by: Jennifer Sutton
---
diff --git a/selftest/knownfail.d/krb5-no-dollar b/selftest/knownfail.d/krb5-no-dollar
index eec4a2816ac..4c417779a69 100644
--- a/selftest/knownfail.d/krb5-no-dollar
+++ b/selftest/knownfail.d/krb5-no-dollar
@@ -1,14 +1,4 @@
-^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.normal\(ad_dc_ntvfs:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.normal\(ad_dc_ntvfs:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.normal\(ad_dc_ntvfs:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.normal\(ad_dc_ntvfs:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.s4u2self\(ad_dc_ntvfs:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.s4u2self\(ad_dc_ntvfs:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.s4u2self\(ad_dc_ntvfs:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.s4u2self\(ad_dc_ntvfs:local\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_enterprise_principal_step_5\(ad_dc_ntvfs\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_nt_principal_step_2\(ad_dc_ntvfs\)
-^samba\.tests\.krb5\.alias_tests\.samba\.tests\.krb5\.alias_tests\.AliasTests\.test_create_alias_delete\(ad_dc_ntvfs\)
-^samba\.tests\.krb5\.alias_tests\.samba\.tests\.krb5\.alias_tests\.AliasTests\.test_create_alias_rename\(ad_dc_ntvfs\)
-^samba\.tests\.krb5\.alias_tests\.samba\.tests\.krb5\.alias_tests\.AliasTests\.test_dc_alias_delete\(ad_dc_ntvfs\)
-^samba\.tests\.krb5\.alias_tests\.samba\.tests\.krb5\.alias_tests\.AliasTests\.test_dc_alias_rename\(ad_dc_ntvfs\)
+^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.canon\.enterprise\.lc\-user\.no\-win2k\.removedollar\.s4u2self\.canon\.enterprise\.lc\-user\.no\-win2k\.removedollar\.s4u2self\(ad_dc_ntvfs:local\)
+^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.canon\.enterprise\.uc\-user\.no\-win2k\.removedollar\.s4u2self\.canon\.enterprise\.uc\-user\.no\-win2k\.removedollar\.s4u2self\(ad_dc_ntvfs:local\)
+^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.canon\.enterprise\.lc\-user\.win2k\.removedollar\.s4u2self\.canon\.enterprise\.lc\-user\.win2k\.removedollar\.s4u2self\(ad_dc_ntvfs:local\)
+^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.canon\.enterprise\.uc\-user\.win2k\.removedollar\.s4u2self\.canon\.enterprise\.uc\-user\.win2k\.removedollar\.s4u2self\(ad_dc_ntvfs:local\)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 136f080350d..c8436d94acb 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
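Review bot: The four added entries mark the canon.enterprise…removedollar.s4u2self variants of "kdc with machine account no dollar extension" as newly expected failures, and neither this file nor the commit message says why those cases regress while the no-canon variants now pass. Presumably the new early return in samba_kdc_lookup_client changes which enterprise S4U2Self lookups still reach the '$' fallback, but that is inferred from the names, not visible here. A one-line explanation next to the entries (if the knownfail format allows a comment) or in the description, along the lines of "enterprise S4U2Self with canonicalization still takes the implicit-'$' path; tracked separately", would save the next reader a bisect.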
@@ -3386,7 +3386,8 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context,
 const char **attrs,
 const uint32_t dsdb_flags,
 struct ldb_dn **realm_dn,
- struct ldb_message **msg)
+ struct ldb_message **msg,
+ unsigned sdb_flags)
 {
 NTSTATUS nt_status;
 char *principal_string = NULL;
@@ -3450,6 +3451,52 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context,
 return ret;
 }
+ if (! (sdb_flags & SDB_F_CANON)) {
+ /*
+ * The client has not requested canonicalisation,
+ * and the principal has not been found.
+ *
+ * At this point the only thing we are going
+ * to do is search for the account with a
+ * trailing '$', which we don't want to do if
+ * smb.conf has
+ *
+ * kdc name match implicit dollar without canonicalization = no
+ *
+ * in which case we can just return early.
+ *
+ * Note, you might have expected a check
+ * against
+ *
+ * sdb_flags & (SDB_F_CANON|SDB_F_FORCE_CANON)
+ *
+ * but that is incorrect here. The
+ * SDB_F_FORCE_CANON is telling us to
+ * canonicalise as we choose for the MIT kdc;
+ * that server will decide whether to use the
+ * canonicalized name or the original. All we
+ * are doing here is ruling out appending '$'
+ * as a matching strategy when the client has
+ * not requested canonicalization.
+ *
+ * If the MIT server wants to indicate the
+ * client has requested canonicalization, it
+ * sets the KRB5_KDB_FLAG_REFERRAL_OK flag,
+ * which we have converted into SDB_F_CANON
+ * (in mit_samba.c).
+ */
+ bool implicit_dollar_fallback = \
+ lpcfg_kdc_name_match_implicit_dollar_without_canonicalization(
+ kdc_db_ctx->lp_ctx);
+ if (! implicit_dollar_fallback) {
+ DBG_ERR("NOT falling back to %s$\n",
+ fallback_account);
+ TALLOC_FREE(fallback_account);
+ krb5_free_principal(context, fallback_principal);
+ return SDB_ERR_NOENTRY;
+ }
+ }
+
 len = strlen(fallback_account);
 if (len == 0 || fallback_account[len - 1] == '$') {
 /* there is already a $, so no fallback */
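Review bot: The new early return logs at DBG_ERR for what is a configured, expected outcome (the administrator set `kdc name match implicit dollar without canonicalization = no`), so every lookup of an unknown principal without canonicalization writes an error-level line carrying the requested name; since samba_kdc_lookup_client is reached from the client-principal path, presumably before any authentication has happened, that is log volume an unauthenticated requester can drive and noise that buries real KDC errors. `DBG_DEBUG("not falling back to %s$ (kdc name match implicit dollar without canonicalization = no)\n", fallback_account);` keeps the diagnostic without the severity. Separately, the `\` at the end of `bool implicit_dollar_fallback = \` is a line splice that does nothing outside a macro and is not the file's style; drop it and let the initialiser wrap after `=`. The TALLOC_FREE/krb5_free_principal pair on this path presumably mirrors the cleanup done by the later "already has a '$'" branch, which is outside the hunk, so the two should be kept in step. samba_kdc_lookup_client starts and ends outside the hunk.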
@@ -3618,7 +3665,7 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context,
 */
 ret = samba_kdc_lookup_client(context, kdc_db_ctx, mem_ctx, principal, user_attrs, DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
- &realm_dn, &msg);
+ &realm_dn, &msg, flags);
 if (ret != 0) {
 return ret;
 }
@@ -3972,7 +4019,7 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context,
 */
 return samba_kdc_lookup_client(context, kdc_db_ctx, mem_ctx, principal, server_attrs, DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
- realm_dn, msg);
+ realm_dn, msg, flags);
 } else {
 /*
 * This case is for:
@@ -4705,7 +4752,8 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
 ret = samba_kdc_lookup_client(context, kdc_db_ctx, mem_ctx, certificate_principal,
- ms_upn_check_attrs, 0, &realm_dn, &msg);
+ ms_upn_check_attrs, 0, &realm_dn, &msg,
+ SDB_F_CANON);
 if (ret != 0) {
 talloc_free(mem_ctx);
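Review bot: Passing `flags` through in samba_kdc_lookup_server means the new '$' gate now also applies to server-principal lookups, although the option name and the commit message only talk about matching names generally and the tests in this commit exercise the client side; if that is intended it deserves a comment at the call, e.g. `/* server lookups honour "kdc name match implicit dollar without canonicalization" just like client lookups */`, and if not, this caller should pass a value that keeps the fallback, as the PKINIT UPN-match caller does. Whether a TGS-REQ for a service name without a trailing '$' ever depends on this fallback is not visible from the hunk. samba_kdc_lookup_server starts and ends outside the hunk.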