From cbb8145d0c58b34b76a579afd81f0e19ec7106b6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 16 Oct 2023 12:33:15 +1300
Subject: [PATCH] third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))

This allows HDB backends to do special handling for User2User TGS-REQs. The main reason is to let the HDB_F_GET_SERVER lookup to succeed even for non-computer accounts. In Samba these are typically not returned in HDB_F_GET_SERVER in order to avoid generating tickets with the user password. But for User2User the account password is not used, so it is safe to return the server entry.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
[abartlet@samba.org Adapted to be an import from lorikeet-heimdal as requested]
---
 third_party/heimdal/kdc/krb5tgs.c | 7 ++++++-
 third_party/heimdal/lib/hdb/hdb.h | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c
index 981327a1c47..6ba3efccc4a 100644
--- a/third_party/heimdal/kdc/krb5tgs.c
+++ b/third_party/heimdal/kdc/krb5tgs.c
@@ -1375,6 +1375,7 @@ tgs_build_reply(astgs_request_t priv,
 Key *tkey_sign;
 int flags = HDB_F_FOR_TGS_REQ;
+ int server_flags;
 int result;
@@ -1396,6 +1397,10 @@ tgs_build_reply(astgs_request_t priv,
 if (b->kdc_options.canonicalize)
 flags |= HDB_F_CANON;

+ server_flags = HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags;
+ if (b->kdc_options.enc_tkt_in_skey)
+ server_flags |= HDB_F_USER2USER_PRINCIPAL;
+
 if (s == NULL) {
 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
 _kdc_set_const_e_text(priv, "No server in request");
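Review bot: `server_flags |= HDB_F_USER2USER_PRINCIPAL` is driven solely by the client-chosen `enc_tkt_in_skey` option, and nothing in this hunk confirms that the request actually carries an additional ticket before the relaxed HDB_F_GET_SERVER lookup is issued, so any TGS-REQ can set that bit purely to make a backend return an entry it would otherwise withhold. That is only safe if everything that later consumes `priv->server` on this path encrypts the reply with the additional ticket's session key and never with the entry's long-term keys; `tgs_build_reply` begins and ends outside the hunk, so I could not verify where the additional-ticket check and the key selection sit relative to the fetch. I would document the contract right above the new assignment, `/* U2U only widens the HDB lookup; the ticket must still be sealed with the additional ticket's session key, never this entry's keys. */`, and, if an empty `b->additional_tickets` is not already rejected before the fetch, move that rejection ahead of the flag so a bare enc_tkt_in_skey bit cannot widen the lookup on its own. It is also worth a sentence in the commit message that HDB_F_DELAY_NEW_KEYS is still set in the U2U case, since backends that special-case the new flag will see both together.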
@@ -1433,7 +1438,7 @@ server_lookup:
 _kdc_free_ent(context, serverdb, priv->server);
 priv->server = NULL;
 ret = _kdc_db_fetch(context, config, priv->server_princ,
- HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags,
+ server_flags,
 NULL, &serverdb, &priv->server);
 priv->serverdb = serverdb;
 if (ret == HDB_ERR_NOT_FOUND_HERE) {
diff --git a/third_party/heimdal/lib/hdb/hdb.h b/third_party/heimdal/lib/hdb/hdb.h
index 15208ac48e8..e5d23711a2c 100644
--- a/third_party/heimdal/lib/hdb/hdb.h
+++ b/third_party/heimdal/lib/hdb/hdb.h
@@ -78,6 +78,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_SYNTHETIC_OK 0x10000 /* synthetic principal for PKINIT or GSS preauth OK */
 #define HDB_F_GET_FAST_COOKIE 0x20000 /* fetch the FX-COOKIE key (not a normal principal) */
 #define HDB_F_ARMOR_PRINCIPAL 0x40000 /* fetch is for the client of an armor ticket */
+#define HDB_F_USER2USER_PRINCIPAL 0x80000 /* fetch is for the server of a user2user tgs-req */

 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
-- 
2.47.3
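Review bot: The new comment on `HDB_F_USER2USER_PRINCIPAL` records only the trigger ("fetch is for the server of a user2user tgs-req") and not the contract a backend is being invited to rely on, which the commit message spells out: the entry's own keys will not be used to seal the ticket, so entries normally withheld from HDB_F_GET_SERVER may be returned. A backend author reading only hdb.h cannot tell that from the flag name, and the difference between "advisory hint" and "permission to return password-bearing user entries" is exactly what matters here. I would change the line to `#define HDB_F_USER2USER_PRINCIPAL 0x80000 /* fetch is for the server of a user2user tgs-req; the ticket is sealed with the additional ticket's session key, so a backend may return entries it otherwise withholds from HDB_F_GET_SERVER */` so the security assumption lives next to the flag that depends on it.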