git.samba.org - samba.git/commit

author	Stefan Metzmacher <metze@samba.org>
	Sat, 11 Nov 2006 12:52:04 +0000 (12:52 +0000)
committer	Gerald (Jerry) Carter <jerry@samba.org>
	Wed, 10 Oct 2007 19:25:26 +0000 (14:25 -0500)
commit	3ba2a9dfcf71b55e8bfe481395015ad666b4e12c
tree	1933800144b82ac8124b4d2124d8e486abe90474	tree
parent	71846e31fde5618d9ece84c471ffb499dae43cfe	commit \| diff

r19662: windows 2003 kdc's only rewrite the realm to the full form,
when the client is using the netbios domain name as realm.

we should match this and not rewrite the principal.

This matches what windows give:

metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator@SERNOXDOM4
administrator@SERNOXDOM4's Password:

metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist
Credentials cache: FILE:/tmp/krb5cc_10000
Principal: administrator@SERNOXDOM4.MX.BASE

Issued Expires Principal
Nov 11 13:37:52 Nov 11 23:37:52 krbtgt/SERNOXDOM4@SERNOXDOM4.MX.BASE

Note:
I need to disable the principal checks in heimdal's
_krb5_extract_ticket() for the kinit to work.

Any ideas how to change heimdal to support this.

For the service principal we should use
the realm and principal in req->kdc_rep.enc_part
instead of the unencrypted req->kdc.ticket.sname
and req->kdc.ticket.realm to have a trusted value.

I'm not sure what we can do with the client realm...

metze
(This used to be commit cfee02143f06ed6ff5832e95fa69634f5dd883da)