author | Simo Sorce <ssorce@redhat.com> | 2012-03-27 14:24:12 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2012-04-03 09:28:50 -0400 |
commit | c007ac0d70ff7a3a4867a0316735e8cab9e34021 (patch) | |
tree | 81f99bbef96c8445725f1be23eabad9a1292a976 | |
parent | b55c98f1c5b0d46aba3f1792ebd8ecc059173b6a (diff) | |
Fix MS-PAC checks when using s4u2proxy
We were using the wrong principal in the s4u2proxy case.
Fixes: https://fedorahosted.org/freeipa/ticket/2504
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 7f2e5866..c59dcbb3 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -762,11 +762,13 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     krb5_pac pac = NULL;
     krb5_data pac_data;
 
-    /* Prefer canonicalised name from client entry */
-    if (client != NULL) {
-        ks_client_princ = client->princ;
-    } else {
+    /* When using s4u2proxy client_princ actually refers to the proxied user
+     * while client->princ to the proxy service asking for the TGS on behalf
+     * of the proxied user. So always use client_princ in preference */
+    if (client_princ != NULL) {
         ks_client_princ = client_princ;
+    } else {
+        ks_client_princ = client->princ;
     }
 
     is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
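Review bot: The new else branch dereferences `client->princ` with no check that `client` is non-NULL, whereas the removed code guarded that dereference with `if (client != NULL)`; if the KDC ever invokes this hook with both `client_princ` and `client` NULL (plausible for some cross-realm or referral paths, though not verifiable from this hunk), the KDB driver will crash the KDC. Keep the old guard on the fallback: `} else if (client != NULL) {` before `ks_client_princ = client->princ;`, and add a final `else` that fails the call through the function's existing error path rather than leaving `ks_client_princ` unset. The resulting principal is presumably what the PAC checks are keyed on, so a wrong-but-non-NULL choice here is a verification bug while a NULL one is a denial of service; it is worth a one-line comment stating which callers can pass a NULL `client`. The body of ipadb_sign_authdata starts and ends outside the hunk.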