s3:libads: Return canonical principal and realm from kerberos_return_pac()
authorSamuel Cabrero <scabrero@suse.de>
Tue, 22 Feb 2022 12:08:56 +0000 (13:08 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Wed, 23 Feb 2022 15:20:32 +0000 (15:20 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source3/libads/authdata.c
source3/libads/kerberos_proto.h
source3/utils/net_ads.c
source3/winbindd/winbindd_pam.c

index c048510d480fc4fb4bf03e3ddc90c7a85c6ab700..bf9a2335445720130ebd399e995f861619d23218 100644 (file)
@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                             time_t renewable_time,
                             const char *impersonate_princ_s,
                             const char *local_service,
+                            char **_canon_principal,
+                            char **_canon_realm,
                             struct PAC_DATA_CTR **_pac_data_ctr)
 {
        krb5_error_code ret;
@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
        struct auth4_context *auth_context;
        struct loadparm_context *lp_ctx;
        struct PAC_DATA_CTR *pac_data_ctr = NULL;
+       char *canon_principal = NULL;
+       char *canon_realm = NULL;
 
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
        NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                goto out;
        }
 
+       if (_canon_principal != NULL) {
+               *_canon_principal = NULL;
+       }
+
+       if (_canon_realm != NULL) {
+               *_canon_realm = NULL;
+       }
+
        if (cache_name) {
                cc = cache_name;
        }
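Review bot: The two out-parameters are cleared only after the `goto out` visible at the top of this hunk, and after the `NT_STATUS_HAVE_NO_MEMORY(tmp_ctx)` return shown in the previous hunk. On those early exits a caller that passed uninitialised `char *` variables and inspects or frees them after a failure is left with indeterminate pointers. Moving both `if (_canon_principal != NULL) { *_canon_principal = NULL; }` and the matching `_canon_realm` block ahead of `talloc_new()` would make the "NULL on error" guarantee hold on every return path. The condition that leads to the `goto out` starts outside the hunk, so what triggers it is not visible here.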
@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                                          request_pac,
                                          add_netbios_addr,
                                          renewable_time,
-                                         NULL, NULL, NULL,
+                                         tmp_ctx,
+                                         &canon_principal,
+                                         &canon_realm,
                                          &status);
        if (ret) {
                DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
        }
 
        *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
+       if (_canon_principal != NULL) {
+               *_canon_principal = talloc_move(mem_ctx, &canon_principal);
+       }
+       if (_canon_realm != NULL) {
+               *_canon_realm = talloc_move(mem_ctx, &canon_realm);
+       }
 
 out:
        talloc_free(tmp_ctx);
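Review bot: The success path moves `canon_principal` and `canon_realm` to the caller without checking that the kinit call filled them, so a caller that asks for them may get NT_STATUS_OK together with a NULL string. Whether the kinit helper always sets both on success is not visible in this diff. If it does not, a guard before the moves such as `if (_canon_principal != NULL && canon_principal == NULL) { status = NT_STATUS_INTERNAL_ERROR; goto out; }` (and the same for the realm) would keep callers from making identity decisions on a missing name. It would also help to state the ownership contract above the function, for example `/* On success *_canon_principal and *_canon_realm are talloc children of mem_ctx and are freed by the caller; both are optional and may be passed as NULL. */`. The function body begins and continues outside this hunk.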
index 3d7b5bc074b6aa7ef59648ce3ae058416140f5f2..807381248c82462db04840ba50849f93e8643f92 100644 (file)
@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                             time_t renewable_time,
                             const char *impersonate_princ_s,
                             const char *local_service,
+                            char **_canon_principal,
+                            char **_canon_realm,
                             struct PAC_DATA_CTR **pac_data_ctr);
 
 /* The following definitions come from libads/krb5_setpw.c  */
index d1fc3289184c901d68f6b39cac1a0bdb327f16fc..d666f7fc3ec9a70b18931de00074eddfdbe97da2 100644 (file)
@@ -2976,6 +2976,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
                                     2592000, /* one month */
                                     impersonate_princ_s,
                                     local_service,
+                                    NULL,
+                                    NULL,
                                     pac_data_ctr);
        if (!NT_STATUS_IS_OK(status)) {
                d_printf(_("failed to query kerberos PAC: %s\n"),
index dfbaf52d482091c4ffd7e47db42f8cff08a8bd80..3ceaec6977f72cff4b955fb75e91e2dc021d93e9 100644 (file)
@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
                                     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
                                     NULL,
                                     local_service,
+                                    NULL,
+                                    NULL,
                                     &pac_data_ctr);
        if (user_ccache_file != NULL) {
                gain_root_privilege();