s4:kdc: fix samba_kdc_lookup_realm() with krbtgt/OTHER.REALM/OUR.REALM
authorStefan Metzmacher <metze@samba.org>
Thu, 10 Oct 2019 14:22:35 +0000 (16:22 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 5 Jul 2023 19:31:42 +0000 (21:31 +0200)
source4/kdc/db-glue.c

index 5894b47ecd9ed2bfb5deb1e7447c6518afb58c8d..cffbfe9c9bc38a38b5329a92c255837dd9fcd377 100644 (file)
@@ -2728,6 +2728,7 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
        unsigned int num_comp;
        bool ok;
        char *upper = NULL;
+       bool get_krbtgt = false;
 
        num_comp = krb5_princ_size(context, principal);
 
@@ -2803,11 +2804,11 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
 
                ret = principal_comp_strcmp(context, principal, 0, KRB5_TGS_NAME);
                if (ret == 0) {
-                       /*
-                        * we need to search krbtgt/ locally
-                        */
-                       TALLOC_FREE(frame);
-                       return 0;
+                       if (num_comp != 2) {
+                               TALLOC_FREE(frame);
+                               return SDB_ERR_NOENTRY;
+                       }
+                       get_krbtgt = true;
                }
 
                /*
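Review bot: The new `num_comp != 2` rejection in the krbtgt branch carries no explanation of why a krbtgt principal with one or with three or more components is now answered with SDB_ERR_NOENTRY instead of being looked up locally as before, and the old comment ("we need to search krbtgt/ locally") was dropped without a replacement. I would add above the check `/* A TGS principal is always krbtgt/<realm>; any other shape cannot name a TGT. */` and next to `get_krbtgt = true;` a line saying the local-vs-trusted decision is deferred until the second component has been matched against the trust routing below. The check inspects only component 0, so whether the surrounding code already restricts num_comp before this point is not visible here; samba_kdc_lookup_realm starts before this hunk and continues after it.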
@@ -2858,6 +2859,25 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
                return 0;
        }
 
+       if (get_krbtgt) {
+               ok = strequal(realm, tdo->domain_name.string);
+               if (ok) {
+                       /*
+                        * This principal has to be local
+                        */
+                       TALLOC_FREE(frame);
+                       return 0;
+               }
+               ok = strequal(realm, tdo->netbios_name.string);
+               if (ok) {
+                       /*
+                        * This principal has to be local
+                        */
+                       TALLOC_FREE(frame);
+                       return 0;
+               }
+       }
+
        if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
                /*
                 * TODO: handle the routing within the forest
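Review bot: The two arms of the new `if (get_krbtgt)` block carry the same one-line comment "This principal has to be local" and say neither why both the DNS domain name and the NetBIOS name of the local TDO are accepted as the krbtgt second component, nor that strequal() compares case-insensitively. The two arms are also identical apart from the string compared, so they read better as one condition with a single comment stating the intent the title names: a krbtgt name that matches neither of our own names now falls through to the trust routing below rather than returning 0 immediately. Whether `realm` here is the principal's second component rather than its @-realm is inferred from the title, not visible in this hunk, and samba_kdc_lookup_realm continues outside it.
```c
	if (get_krbtgt) {
		/*
		 * krbtgt/<realm>: only our own domain, in DNS or NetBIOS
		 * form (strequal() is case-insensitive), is served locally.
		 * krbtgt/OTHER.REALM falls through to the trust routing
		 * below instead of being looked up in our database.
		 */
		if (strequal(realm, tdo->domain_name.string) ||
		    strequal(realm, tdo->netbios_name.string)) {
			TALLOC_FREE(frame);
			return 0;
		}
	}
	/* … unchanged: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST handling … */
```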