| author | Andrew Bartlett <abartlet@samba.org> | 2015-01-22 14:11:52 +1300 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2015-01-23 05:42:08 +0100 |
| commit | 9fc3f1e3d6854f399e2b2322b8ab1a714353ba12 (patch) | |
| tree | 6e521712a33974e70cd10961ba50c1ff2921973e /source4/kdc | |
| parent | 170ee3071b7b51af0b6a89b7abf944ec3b08c014 (diff) | |
kdc: Fix Samba's KDC to only change the principal in the right cases
If we are set to canonicalize, we get back the fixed UPPER
case realm, and the real username (i.e. matching the LDAP
samAccountName).
Otherwise, if we are set to enterprise, we
get back the whole principal as-sent
Finally, if we are not set to canonicalize, we get back the
fixed UPPER case realm, but the as-sent username
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/kdc')
| -rw-r--r-- | source4/kdc/db-glue.c | 32 |
1 files changed, 23 insertions, 9 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index fae2703428..ee8450159b 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -625,10 +625,22 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
  userAccountControl |= msDS_User_Account_Control_Computed;
  }
 
+ /*
+ * If we are set to canonicalize, we get back the fixed UPPER
+ * case realm, and the real username (ie matching LDAP
+ * samAccountName)
+ *
+ * Otherwise, if we are set to enterprise, we
+ * get back the whole principal as-sent
+ *
+ * Finally, if we are not set to canonicalize, we get back the
+ * fixed UPPER case realm, but the as-sent username
+ */
+
  entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
  if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
  krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
- } else if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ } else if (flags & HDB_F_CANON) {
  krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
  } else {
  ret = copy_Principal(principal, entry_ex->entry.principal);
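Review bot: The new `} else if (flags & HDB_F_CANON) {` branch, like the `ent_type == SAMBA_KDC_ENT_TYPE_ANY` branch above it, fills `entry_ex->entry.principal` through `krb5_make_principal`, which in Heimdal stores a freshly allocated principal into the output pointer, so the block obtained by the unchecked `malloc()` on the preceding context line is leaked on every lookup that takes those branches — and this commit now routes every canonicalizing request through that branch, not just enterprise names. Only the `copy_Principal` branch needs the pre-allocated struct, so the `malloc()` belongs inside that `else`, directly ahead of `ret = copy_Principal(...)`, with its result checked (`if (entry_ex->entry.principal == NULL) { ret = ENOMEM; goto out; }`), which closes both the leak and the unchecked allocation; the `ret` variable and `out:` label are the ones the `goto out` in the next hunk already uses. The added comment would also read better if it named what "canonicalize" and "enterprise" map to in the code, e.g. `* "canonicalize" means HDB_F_CANON is set in flags; "enterprise" means` / `* principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL (see the realm fix-up below)`. samba_kdc_message2entry starts and ends outside this hunk.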
@@ -637,14 +649,16 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
  goto out;
  }
 
- /* While we have copied the client principal, tests
- * show that Win2k3 returns the 'corrected' realm, not
- * the client-specified realm. This code attempts to
- * replace the client principal's realm with the one
- * we determine from our records */
-
- /* this has to be with malloc() */
- krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
+ if (principal->name.name_type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ /* While we have copied the client principal, tests
+ * show that Win2k3 returns the 'corrected' realm, not
+ * the client-specified realm. This code attempts to
+ * replace the client principal's realm with the one
+ * we determine from our records */
+
+ /* this has to be with malloc() */
+ krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
+ }
  }
 
  /* First try and figure out the flags based on the userAccountControl */
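Review bot: The `krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));` call re-added inside the new `if (principal->name.name_type != KRB5_NT_ENTERPRISE_PRINCIPAL)` block still discards its `krb5_error_code`; in Heimdal that call replaces the realm string with a fresh allocation and can fail, after which the entry would be returned with the client-supplied realm the comment above says must be corrected. Since `ret` is already the function's error variable a few lines up (`ret = copy_Principal(...)` followed by `goto out`), the failure is easy to surface: `ret = krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));` then `if (ret) { goto out; }`. The `/* this has to be with malloc() */` comment is now nested two levels deep and carries no explanation of why; a short reason (presumably how the entry's principal is later freed — confirm before writing it) would help the next reader. samba_kdc_message2entry and the `out:` label lie outside this hunk.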
