diff options
| author | Sumit Bose <sbose@redhat.com> | 2012-10-23 21:30:17 +0200 |
|---|---|---|
| committer | Sumit Bose <sbose@redhat.com> | 2012-10-26 10:32:05 +0200 |
| commit | d3dca30d3a6feba062d0299718d1a9fcdc8b9d17 (patch) | |
| tree | 008de45d9668d85600ac2a57ed8bd460ffb95594 /src/providers/krb5/krb5_child_handler.c | |
| parent | cac29dc2ece94180de33b52c113865bbab49b252 (diff) | |
| download | sssd-d3dca30d3a6feba062d0299718d1a9fcdc8b9d17.tar.gz sssd-d3dca30d3a6feba062d0299718d1a9fcdc8b9d17.tar.xz sssd-d3dca30d3a6feba062d0299718d1a9fcdc8b9d17.zip | |
krb5_child: send back the client principal
In general Kerberos is case sensitive but the KDC of Active Directory
typically handles request case in-sensitive. In the case where we guess
a user principal by combining the user name and the realm and are not
sure about the cases of the letters used in the user name we might get a
valid ticket from the AD KDC but are not able to access it with the
Kerberos client library because we assume a wrong case.
The client principal in the returned credentials will always have the
right cases. To be able to update the cache user principal name the
krb5_child will return the principal for further processing.
Diffstat (limited to 'src/providers/krb5/krb5_child_handler.c')
| -rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index f0fe81b6f..e792db3f7 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -441,6 +441,8 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len, uint32_t *expiration; uint32_t *msg_subtype; struct krb5_child_response *res; + const char *upn = NULL; + size_t upn_len; if ((size_t) len < sizeof(int32_t)) { DEBUG(SSSDBG_CRIT_FAILURE, ("message too short.\n")); @@ -505,6 +507,11 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len, tgtt.authtime, tgtt.starttime, tgtt.endtime, tgtt.renew_till)); } + if (msg_type == SSS_KRB5_INFO_UPN) { + upn = (char *) buf + p; + upn_len = msg_len; + } + if (msg_type == SSS_PAM_USER_INFO) { msg_subtype = (uint32_t *)&buf[p]; if (*msg_subtype == SSS_PAM_USER_INFO_EXPIRE_WARN) @@ -549,6 +556,15 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len, } } + if (upn != NULL) { + res->correct_upn = talloc_strndup(res, upn, upn_len); + if (res->correct_upn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strndup failed.\n")); + talloc_free(res); + return ENOMEM; + } + } + *_res = res; return EOK; } |