From: Isaac Boukris Date: Tue, 23 Oct 2018 09:52:41 +0000 (+0300) Subject: Start S4U2Self realm lookup at server realm X-Git-Tag: krb5-1.17-beta1~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7020d32cf4c7692aec1903e7818d779713ecd43;p=thirdparty%2Fkrb5.git Start S4U2Self realm lookup at server realm When looking up the realm of an enterprise principal, start with the realm of the server instead of the realm attached to the enterprise name, as specified in [MS-SFU] 3.1.5.1.1.1. [ghudson@mit.edu: simplified out client_data+client into just client; edited commit message] ticket: 8757 (new)
---
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 91c02aa34d..d2fdcb3f16 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -63,8 +63,7 @@ s4u_identify_user(krb5_context context,
 krb5_creds creds;
 int use_master = 0;
 krb5_get_init_creds_opt *opts = NULL;
- krb5_principal_data client_data;
- krb5_principal client;
+ krb5_principal_data client;
 krb5_s4u_userid userid;
 *canon_user = NULL;
@@ -102,19 +101,19 @@ s4u_identify_user(krb5_context context,
 krb5_get_init_creds_opt_set_canonicalize(opts, 1);
 krb5_get_init_creds_opt_set_preauth_list(opts, ptypes, 1);
- if (in_creds->client != NULL)
- client = in_creds->client;
- else {
- client_data.magic = KV5M_PRINCIPAL;
- client_data.realm = in_creds->server->realm;
+ if (in_creds->client != NULL) {
+ client = *in_creds->client;
+ client.realm = in_creds->server->realm;
+ } else {
+ client.magic = KV5M_PRINCIPAL;
+ client.realm = in_creds->server->realm;
 /* should this be NULL, empty or a fixed string? XXX */
- client_data.data = NULL;
- client_data.length = 0;
- client_data.type = KRB5_NT_ENTERPRISE_PRINCIPAL;
- client = &client_data;
+ client.data = NULL;
+ client.length = 0;
+ client.type = KRB5_NT_ENTERPRISE_PRINCIPAL;
 }
- code = k5_get_init_creds(context, &creds, client, NULL, NULL, 0, NULL,
+ code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL,
 opts, krb5_get_as_key_noop, &userid, &use_master, NULL);
 if (code == 0 || code == KRB5_PREAUTH_FAILED) {
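Review bot: The shallow struct copy at `client = *in_creds->client;` leaves `client.data` aliasing the caller's name components and `client.realm` aliasing `in_creds->server->realm`, but nothing in the hunk says so, and the realm override itself is justified only in the commit message. A comment above the `if` would keep a later maintainer from freeing `client` through a `krb5_principal` or from "fixing" the realm back to the one carried by the enterprise name; something like `/* Per [MS-SFU] 3.1.5.1.1.1, start the referral walk in the server realm, not the realm attached to the enterprise name.  client borrows its components from in_creds and is never freed. */`. The duplicated `client.realm = in_creds->server->realm;` in both branches could become a single assignment after the if/else. The guard in s4u_identify_user that returns early for non-enterprise client names is earlier in the function, outside this hunk, so I am assuming it still prevents this override from being applied to an ordinary principal.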