From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 13 Sep 2019 14:04:30 +0000 (+0200)
Subject: s4:auth: kinit_to_ccache() should always use the canonicalized principal
X-Git-Tag: talloc-2.3.1~704
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=162b4199493c1f179e775a325a19ae7a136c418b;p=thirdparty%2Fsamba.git

s4:auth: kinit_to_ccache() should always use the canonicalized principal

We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.

There's no reason to have a different logic between MIT and Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
---

diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index bbb5c8791ca..ffef24f285c 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -313,6 +313,8 @@ done:
 	 */
 	krb5_get_init_creds_opt_set_win2k(smb_krb5_context->krb5_context,
 					  krb_options, true);
+	krb5_get_init_creds_opt_set_canonicalize(smb_krb5_context->krb5_context,
+						 krb_options, true);
 #else /* MIT */
 	krb5_get_init_creds_opt_set_canonicalize(krb_options, true);
 #endif