s3:winbindd: implement the "winbind use krb5 enterprise principals" logic

We can use enterprise principals (e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM)
and delegate the routing decisions to the KDCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 6c646bcd8d67733b29f38ec8908b51d04a1faf1d..28b77fc2e931c16cbffdebea83b7d8b92356ade9 100644 (file)
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -419,6 +419,15 @@ struct winbindd_domain *find_auth_domain(uint8_t flags,
                return find_domain_from_name_noinit(domain_name);
        }
 
+       if (lp_winbind_use_krb5_enterprise_principals()) {
+               /*
+                * If we use enterprise principals
+                * we always go trough our primary domain
+                * and follow the WRONG_REALM replies.
+                */
+               flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM;
+       }
+
        /* we can auth against trusted domains */
        if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
                domain = find_domain_from_name_noinit(domain_name);
@@ -723,7 +732,20 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
-       principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm);
+       if (lp_winbind_use_krb5_enterprise_principals() &&
+           name_namespace[0] != '\0')
+       {
+               principal_s = talloc_asprintf(mem_ctx,
+                                             "%s@%s@%s",
+                                             name_user,
+                                             name_namespace,
+                                             realm);
+       } else {
+               principal_s = talloc_asprintf(mem_ctx,
+                                             "%s@%s",
+                                             name_user,
+                                             realm);
+       }
        if (principal_s == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
@@ -1290,30 +1312,16 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
 
        /* what domain should we contact? */
 
-       if ( IS_DC ) {
-               contact_domain = find_domain_from_name(name_namespace);
-               if (contact_domain == NULL) {
-                       DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
-                                 state->request->data.auth.user, name_domain, name_user, name_domain));
-                       result = NT_STATUS_NO_SUCH_USER;
-                       goto done;
-               }
-
+       if (lp_winbind_use_krb5_enterprise_principals()) {
+               contact_domain = find_auth_domain(0, name_namespace);
        } else {
-               if (is_myname(name_domain)) {
-                       DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
-                       result =  NT_STATUS_NO_SUCH_USER;
-                       goto done;
-               }
-
                contact_domain = find_domain_from_name(name_namespace);
-               if (contact_domain == NULL) {
-                       DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
-                                 state->request->data.auth.user, name_domain, name_user, name_domain));
-
-                       result =  NT_STATUS_NO_SUCH_USER;
-                       goto done;
-               }
+       }
+       if (contact_domain == NULL) {
+               DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
+                         state->request->data.auth.user, name_domain, name_user, name_namespace));
+               result = NT_STATUS_NO_SUCH_USER;
+               goto done;
        }
 
        if (contact_domain->initialized &&
@@ -1326,7 +1334,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
        }
 
        if (!contact_domain->active_directory) {
-               DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
+               DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n",
+                     contact_domain->name));
                return NT_STATUS_INVALID_LOGON_TYPE;
        }
 try_login: