From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 13 Sep 2019 14:04:30 +0000 (+0200)
Subject: s3:libads/kerberos: always use the canonicalized principal after kinit
X-Git-Tag: talloc-2.3.1~706
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0bced73bed481a8846a6b3e68be85941914390ba;p=thirdparty%2Fsamba.git

s3:libads/kerberos: always use the canonicalized principal after kinit

We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.

There's no reason to have a different logic between MIT and Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
---

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 3e09d70268f..559ec3b7f53 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -167,7 +167,10 @@ int kerberos_kinit_password_ext(const char *given_principal,
 	krb5_get_init_creds_opt_set_forwardable(opt, True);
 
 	/* Turn on canonicalization for lower case realm support */
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
+#ifdef SAMBA4_USES_HEIMDAL
+	krb5_get_init_creds_opt_set_win2k(ctx, opt, true);
+	krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true);
+#else /* MIT */
 	krb5_get_init_creds_opt_set_canonicalize(opt, true);
 #endif /* MIT */
 #if 0
@@ -196,11 +199,7 @@ int kerberos_kinit_password_ext(const char *given_principal,
 		goto out;
 	}
 
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
 	canon_princ = my_creds.client;
-#else
-	canon_princ = me;
-#endif /* MIT */
 
 	code = smb_krb5_unparse_name(frame,
 				     ctx,