git.ipfire.org Git - thirdparty/krb5.git/commit
Fix some principal realm canonicalization cases
author: Greg Hudson <ghudson@mit.edu>
Mon, 7 Jun 2021 17:27:29 +0000 (13:27 -0400)
committer: Greg Hudson <ghudson@mit.edu>
Wed, 9 Jun 2021 00:53:06 +0000 (20:53 -0400)
commit: c077d0c6430c4ac163443aacc03d14d206a4cbb8
tree: d7e701e8ad04d7323f232c65d141e42c84acb447
parent: 4e186b2789b3613362845b126bf386fa89c26709

The no_hostrealm and subst_defrealm flags in struct canonprinc were
only applied when dns_canonicalize_hostname=fallback; in the other
cases, the initial krb5_sname_to_principal() result is treated as
canonical.  For no_hostrealm this limitation doesn't currently matter,
because all uses pass a principal with no realm as input.  However,
subst_defrealm is used to convert the referral realm to the default
realm in krb5_get_init_creds_keytab(), krb5_cc_cache_match(), and
gss_acquire_cred() when it needs to check the desired name against a
specified ccache.

In k5_canonprinc(), if the input principal is a
krb5_sname_to_principal() result and fallback isn't in effect, apply
subst_defrealm.  Document in os-proto.h that no_hostrealm doesn't
remove an existing realm and that krb5_sname_to_principal() may
already have looked one up.

ticket: 9011 (new)
src/lib/krb5/os/os-proto.h
src/lib/krb5/os/sn2princ.c