From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 17 Sep 2019 06:05:09 +0000 (+0200)
Subject: s4:auth: use the correct client realm in gensec_gssapi_update_internal()
X-Git-Tag: talloc-2.3.1~710
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38;p=thirdparty%2Fsamba.git

s4:auth: use the correct client realm in gensec_gssapi_update_internal()

The function gensec_gssapi_client_creds() may call kinit and gets
a TGT for the user. The principal provided by the user may not
be canonicalized. The user may use 'given.last@example.com'
but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.

It means we should use client_realm = AD.EXAMPLE.PRIVATE
instead of client_realm = EXAMPLE.COM

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
---

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index afcc9e91bed..3f541885dfd 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -437,8 +437,6 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
 	const char *target_principal = gensec_get_target_principal(gensec_security);
 	const char *hostname = gensec_get_target_hostname(gensec_security);
 	const char *service = gensec_get_target_service(gensec_security);
-	const char *client_realm = cli_credentials_get_realm(cli_creds);
-	const char *server_realm = NULL;
 	gss_OID gss_oid_p = NULL;
 	OM_uint32 time_req = 0;
 	OM_uint32 time_rec = 0;
@@ -457,6 +455,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
 		switch (gensec_security->gensec_role) {
 		case GENSEC_CLIENT:
 		{
+			const char *client_realm = NULL;
 #ifdef SAMBA4_USES_HEIMDAL
 			struct gsskrb5_send_to_kdc send_to_kdc;
 			krb5_error_code ret;
@@ -532,6 +531,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
 			 * transitive forest trusts, would have to do the
 			 * fallback ourself.
 			 */
+			client_realm = cli_credentials_get_realm(cli_creds);
 #ifndef SAMBA4_USES_HEIMDAL
 			if (gensec_gssapi_state->server_name == NULL) {
 				nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
@@ -575,6 +575,8 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
 			}
 #endif /* !SAMBA4_USES_HEIMDAL */
 			if (gensec_gssapi_state->server_name == NULL) {
+				const char *server_realm = NULL;
+
 				server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
 										hostname,
 										client_realm);