From: Isaac Boukris Date: Wed, 25 Dec 2019 23:23:21 +0000 (+0100) Subject: Remove KRB5_KDB_FLAG_ALIAS_OK X-Git-Tag: krb5-1.18-beta1~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ac8865a22138ab0c657208c41be8fd6bc7968148;p=thirdparty%2Fkrb5.git Remove KRB5_KDB_FLAG_ALIAS_OK It is simpler and more consistent with Windows to let the KDB module always return aliases, and use KDC logic (already present) to decide whether to use the requested or canonical principal name in the ticket. With the removal of this flag, "kinit alias" (without the -C flag) against the LDAP KDB module will issue a ticket for the alias name, instead of failing with a "client not found" error. [ghudson@mit.edu: edited comments; wrote commit message] ticket: 8859 (new)
---
diff --git a/src/include/kdb.h b/src/include/kdb.h
index fc9400b984..7f1362dd51 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -121,8 +121,6 @@
 #define KRB5_KDB_FLAG_USER_TO_USER 0x00000800
 /* Cross-realm */
 #define KRB5_KDB_FLAG_CROSS_REALM 0x00001000
-/* Allow in-realm aliases */
-#define KRB5_KDB_FLAG_ALIAS_OK 0x00002000
 /* Issuing referral */
 #define KRB5_KDB_FLAG_ISSUING_REFERRAL 0x00004000
@@ -1047,15 +1045,9 @@ typedef struct _kdb_vftabl {
 * part of the realm being served, and a referral or alternate TGT will
 * be issued instead.
 *
- * KRB5_KDB_FLAG_ALIAS_OK: Set by the KDC for server principal lookups and
- * for AS request client principal lookups with canonicalization
- * requested; also set by the admin interface. Determines whether the
- * module should return in-realm aliases.
- *
- * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set,
- * or if search_for->type is KRB5_NT_ENTERPRISE_PRINCIPAL. To return an
- * in-realm alias, fill in a different value for entries->princ than the
- * one requested.
+ * A module may return an in-realm alias by setting (*entry)->princ to the
+ * canonical name. The KDC will decide based on the request whether to use
+ * the requested name or the canonical name in the issued ticket.
 *
 * A module can return a referral to another realm if
 * KRB5_KDB_FLAG_CANONICALIZE is set, or if
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index fcff99f5c4..87dd7e9934 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -596,11 +596,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 * of cross realm TGS entries. */
 setflag(state->c_flags, KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY);
- /* Enterprise principals are implicitly alias-ok. */
- if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE) ||
- state->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
- setflag(state->c_flags, KRB5_KDB_FLAG_ALIAS_OK);
- }
+ if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
 setflag(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE);
 }
@@ -639,7 +635,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 au_state->stage = SRVC_PRINC;
 s_flags = 0;
- setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
 if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
 setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
 }
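Review bot: The rewritten get_principal contract says a module "may" return an in-realm alias, but every caller touched by this commit now passes a flags value of 0 (match_client in kdc_preauth.c, kdb_get_entry in kadm5, both rename paths) and depends on the module resolving aliases on its own, so the comment should say that alias resolution is no longer gated by any flag. Suggested wording: `* A module that supports in-realm aliases must resolve them regardless of flags, returning the aliased entry with (*entry)->princ set to the canonical name; the KDC decides from the request whether the requested or the canonical name appears in the issued ticket.` It is also worth recording that the admin interface now sees aliases unconditionally, since kadm5 previously opted in with KRB5_KDB_FLAG_ALIAS_OK. The enclosing _kdb_vftabl comment starts and ends outside the hunk.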
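Review bot: The deleted `Enterprise principals are implicitly alias-ok.` line was the only in-code statement in process_as_req of how the client lookup treats aliases, and nothing replaces it, so a reader of the surviving `if` cannot tell that the KDB lookup now tolerates an alias client name even without KDC_OPT_CANONICALIZE. A one-line comment above the `if` would preserve that knowledge, e.g. `/* Aliases are always resolved by the KDB module; whether the reply names the alias or the canonical principal is decided later from the request. */`. The "decided later" part comes from the commit message rather than this hunk, so confirm it against the reply-building code before adopting the wording. process_as_req continues outside both hunks.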
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 0524075c9f..dfb5205795 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -238,7 +238,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
 /* XXX make sure server here has the proper realm...taken from AP_REQ header? */
- setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
 if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
 setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
 setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 3016ace0dd..a303bfd3ad 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -489,7 +489,7 @@ match_client(krb5_context context, krb5_kdcpreauth_rock rock,
 krb5_principal_compare(context, princ, client))
 return TRUE;
- if (krb5_db_get_principal(context, princ, KRB5_KDB_FLAG_ALIAS_OK, &ent))
+ if (krb5_db_get_principal(context, princ, 0, &ent))
 return FALSE;
 match = krb5_principal_compare(context, ent->princ, client);
 krb5_db_free_principal(context, ent);
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 198233407a..d0fd5d7e1f 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -403,9 +403,8 @@ kdc_rd_ap_req(kdc_realm_t *kdc_active_realm,
 match_enctype = 0;
 }
- retval = kdc_get_server_key(kdc_context, apreq->ticket,
- KRB5_KDB_FLAG_ALIAS_OK, match_enctype, server,
- NULL, NULL);
+ retval = kdc_get_server_key(kdc_context, apreq->ticket, 0, match_enctype,
+ server, NULL, NULL);
 if (retval)
 return retval;
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index f4b8aef2bd..0ddfa4c077 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -264,8 +264,7 @@ kdb_get_entry(kadm5_server_handle_t handle,
 *kdb_ptr = NULL;
- ret = krb5_db_get_principal(handle->context, principal,
- KRB5_KDB_FLAG_ALIAS_OK, &kdb);
+ ret = krb5_db_get_principal(handle->context, principal, 0, &kdb);
 if (ret == KRB5_KDB_NOENTRY)
 return(KADM5_UNK_PRINC);
 if (ret)
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 9001fb797c..a3fc0bffee 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -1038,8 +1038,7 @@ krb5_db_rename_principal(krb5_context kcontext, krb5_principal source,
 logging(kcontext))
 return KRB5_PLUGIN_OP_NOTSUPP;
- status = krb5_db_get_principal(kcontext, target, KRB5_KDB_FLAG_ALIAS_OK,
- &entry);
+ status = krb5_db_get_principal(kcontext, target, 0, &entry);
 if (status == 0) {
 krb5_db_free_principal(kcontext, entry);
 return KRB5_KDB_INUSE;
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 231a0d8b4a..526ddd2681 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -524,8 +524,7 @@ krb5_db_def_rename_principal(krb5_context kcontext,
 if (source == NULL || target == NULL)
 return EINVAL;
- ret = krb5_db_get_principal(kcontext, source, KRB5_KDB_FLAG_ALIAS_OK,
- &kdb);
+ ret = krb5_db_get_principal(kcontext, source, 0, &kdb);
 if (ret)
 goto cleanup;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ee9c02814e..564093fbde 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -189,15 +189,12 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
 if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
 if (values[0] && strcmp(values[0], user) != 0) {
 /* We matched an alias, not the canonical name. */
- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
- st = krb5_ldap_parse_principal_name(values[0], &cname);
- if (st != 0)
- goto cleanup;
- st = krb5_parse_name(context, cname, &cprinc);
- if (st != 0)
- goto cleanup;
- } else /* No canonicalization, so don't return aliases. */
- found = FALSE;
+ st = krb5_ldap_parse_principal_name(values[0], &cname);
+ if (st != 0)
+ goto cleanup;
+ st = krb5_parse_name(context, cname, &cprinc);
+ if (st != 0)
+ goto cleanup;
 }
 ldap_value_free(values);
 if (!found)
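Review bot: Nothing in the visible part of krb5_ldap_get_principal clears `found` any more — the removed `found = FALSE;` was the only assignment in this hunk — yet the `if (!found)` test after `ldap_value_free(values)` is kept. If no other path in the function (outside the hunk) sets found to FALSE, that branch is now dead and should be removed along with the variable; otherwise a short comment on what still clears it would stop the next reader from asking the same question. The alias branch also now runs for every caller of the LDAP module, not only the KDC, so a note beside `We matched an alias` such as `/* Aliases are always resolved; the caller decides which name to use. */` would record that this is deliberate rather than an oversight.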
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index 3a1d1ba696..69a4663f20 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -351,14 +351,12 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
 &search_name));
 canon = get_string(h, "alias", search_name, NULL);
 if (canon != NULL) {
- if (!(flags & KRB5_KDB_FLAG_ALIAS_OK) &&
- search_for->type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
- ret = KRB5_KDB_NOENTRY;
- goto cleanup;
- }
 check(krb5_parse_name(context, canon, &princ));
 if (!krb5_realm_compare(context, search_for, princ)) {
- if (flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) {
+ /* Out of realm */
+ if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) &&
+ ((flags & KRB5_KDB_FLAG_CANONICALIZE) ||
+ search_for->type == KRB5_NT_ENTERPRISE_PRINCIPAL)) {
 /* Return a client referral by creating an entry with only the
 * principal set. */
 *entry = ealloc(sizeof(**entry));
@@ -486,9 +484,7 @@ test_get_s4u_x509_principal(krb5_context context, const krb5_data *client_cert,
 &princ_name));
 canon = get_string(h, "alias", princ_name, NULL);
 krb5_free_unparsed_name(context, princ_name);
- if (canon != NULL &&
- ((flags & KRB5_KDB_FLAG_ALIAS_OK) ||
- princ->type == KRB5_NT_ENTERPRISE_PRINCIPAL)) {
+ if (canon != NULL) {
 check(krb5_parse_name(context, canon, &canon_princ));
 match = krb5_principal_compare(context, canon_princ, (*entry)->princ);
 krb5_free_principal(context, canon_princ);
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 7271fcbbd3..9fff20404c 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
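Review bot: The bare `/* Out of realm */` comment on the new referral condition does not say why a client referral is now only produced when canonicalization was requested or the name is an enterprise name, and the branch taken otherwise lies outside the hunk, so the reader has to reconstruct the policy. Suggest: `/* Out of realm: only refer the client when it asked for canonicalization (KRB5_KDB_FLAG_CANONICALIZE) or used an enterprise name; otherwise the alias is not followed across realms. */`. Since the removed early `ret = KRB5_KDB_NOENTRY` block used to cover every non-canonicalizing alias lookup, also confirm that the out-of-realm fall-through in the invisible else branch still ends in KRB5_KDB_NOENTRY rather than returning the foreign entry. test_get_principal continues outside the hunk.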
@@ -383,8 +383,9 @@ realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
 # Test client principal aliases, with and without preauth.
 realm.kinit('canon', password('canon'))
-realm.kinit('alias', password('canon'), expected_code=1,
- expected_msg='not found in Kerberos database')
+realm.kinit('alias', password('canon'))
+realm.run([kvno, 'alias'])
+realm.klist('alias@KRBTEST.COM', 'alias@KRBTEST.COM')
 realm.kinit('alias', password('canon'), ['-C'])
 realm.run([kvno, 'alias'])
 realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
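Review bot: The new lines pin that `kinit alias` without -C now succeeds and that the ticket carries the alias as client name, but there is no negative case showing the alias is still bound to the canonical entry's key rather than matched loosely; `realm.kinit('alias', 'wrong', expected_code=1)` next to the new kinit line would cover that. The comment above says the sequence is tested with and without preauth, and the preauth variant is outside this hunk, so make sure the same no -C expectations (alias cname, kvno succeeds) are mirrored there as well.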