From: Joseph Sutton
Date: Wed, 20 Sep 2023 23:14:36 +0000 (+1200)
Subject: s4:kdc: Consider a single‐component krbtgt principal to be the TGS
X-Git-Tag: talloc-2.4.2~1005
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ddef0e5e1f63775cd22ee3b3febc6f765abbebf8;p=thirdparty%2Fsamba.git
s4:kdc: Consider a single‐component krbtgt principal to be the TGS
This matches the behaviour of Windows.
NOTE: This commit finally works again!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 80c9f747e1d..116f916234d 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -3454,6 +3454,10 @@ int smb_krb5_principal_is_tgs(krb5_context context,
 int eq = 1;
 krb5_error_code ret = 0;
+ if (krb5_princ_size(context, principal) > 2) {
+ return 0;
+ }
+
+ ret = smb_krb5_principal_get_comp_string(NULL, context, principal, 0, &p);
 if (ret == ENOENT) {
 return 0;
@@ -3461,8 +3465,7 @@ int smb_krb5_principal_is_tgs(krb5_context context,
 return -1;
 }
- eq = krb5_princ_size(context, principal) == 2 &&
- (strcmp(p, KRB5_TGS_NAME) == 0);
+ eq = strcmp(p, KRB5_TGS_NAME) == 0;
 talloc_free(p);
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 8b0e09fceb5..d59a8cff84d 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
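Review bot: After the new `> 2` guard and the relaxed comparison in the second hunk (`eq = strcmp(p, KRB5_TGS_NAME) == 0;`), a bare `krbtgt` principal with no realm component now satisfies smb_krb5_principal_is_tgs, but nothing in the function records that, and a caller that takes a true result as licence to read component 1 will now be reading a component that may not exist. Suggest a comment above the guard: `/* As on Windows, krbtgt with one or two components is the TGS; a true result does not imply a realm component exists. */`. The db-glue.c hunk adds the matching `realm_princ_comp == NULL` handling for samba_kdc_fetch_krbtgt; whether other callers still assume two components cannot be seen from this patch. The function's signature and the declaration of `p` lie before the hunk.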
@@ -135,14 +135,3 @@
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_network_group\(ad_dc\)$
-#
-# Single‐component krbtgt principal tests
-#
-^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2003dc\)$
-^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2008r2dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_as_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_tgs_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_as_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_tgs_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_service_ticket\(ad_dc\)$
-^samba\.tests\.krb5\.kpasswd_tests\.samba\.tests\.krb5\.kpasswd_tests\.KpasswdTests\.test_kpasswd_tgt_single_component_krbtgt\(ad_dc\)$
diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20
index aaef3a35a9c..a28c3f521f5 100644
--- a/selftest/knownfail_mit_kdc_1_20
+++ b/selftest/knownfail_mit_kdc_1_20
@@ -132,11 +132,6 @@
 #
 # Single‐component krbtgt principal tests
 #
-^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2003dc\)$
-^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2008r2dc\)$
 ^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_as_req\(ad_dc\)$
 ^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_tgs_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_as_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_tgs_req\(ad_dc\)$
 ^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_service_ticket\(ad_dc\)$
-^samba\.tests\.krb5\.kpasswd_tests\.samba\.tests\.krb5\.kpasswd_tests\.KpasswdTests\.test_kpasswd_tgt_single_component_krbtgt\(ad_dc\)$
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 29b60a663c7..af69ee86aac 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2488,7 +2488,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 }
 if (lpcfg_is_my_domain_or_realm(lp_ctx, realm_from_princ)
- && lpcfg_is_my_domain_or_realm(lp_ctx, realm_princ_comp)) {
+ && (realm_princ_comp == NULL || lpcfg_is_my_domain_or_realm(lp_ctx, realm_princ_comp))) {
 /* us, or someone quite like us */
 /* Kludge, kludge, kludge. If the realm part of krbtgt/realm,
 * is in our db, then direct the caller at our primary
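Review bot: With `realm_princ_comp == NULL ||` in the condition, a principal whose own realm is ours is now taken as our krbtgt even when it has no realm component, but the comments two lines below still describe only the `krbtgt/realm` shape; they should be updated, e.g. `/* us, or someone quite like us; a single-component krbtgt (no realm part) is also ours */`. How realm_princ_comp becomes NULL is outside this hunk: if the component fetch can leave it NULL on a failure as well as on absence, the two cases are now indistinguishable at this point and worth confirming. samba_kdc_fetch_krbtgt begins before the hunk.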