s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
authorStefan Metzmacher <metze@samba.org>
Mon, 16 Sep 2019 15:14:11 +0000 (17:14 +0200)
committerKarolin Seeger <kseeger@samba.org>
Wed, 2 Oct 2019 09:32:21 +0000 (09:32 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit bc473e5cf088a137395842540ed8eb748373a236)

source3/libads/authdata.c
source3/libads/kerberos.c
source3/libads/kerberos_proto.h
source3/libads/kerberos_util.c
source3/utils/net_ads.c
source3/winbindd/winbindd_cred_cache.c

index 86a1be71bf986d3ba33566120a40143a02ebf7b2..6e6d5b397ffb95279ab090721906254aed0eaee8 100644 (file)
@@ -170,6 +170,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                                          request_pac,
                                          add_netbios_addr,
                                          renewable_time,
+                                         NULL, NULL, NULL,
                                          &status);
        if (ret) {
                DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
index 9fbe7dd0f0714b71ec9e5f2d61eda806fc2f39bf..3e09d70268f01549a5c470259bb259fa049b8113 100644 (file)
@@ -106,7 +106,7 @@ kerb_prompter(krb5_context ctx, void *data,
   place in default cache location.
   remus@snapserver.com
 */
-int kerberos_kinit_password_ext(const char *principal,
+int kerberos_kinit_password_ext(const char *given_principal,
                                const char *password,
                                int time_offset,
                                time_t *expire_time,
@@ -115,8 +115,12 @@ int kerberos_kinit_password_ext(const char *principal,
                                bool request_pac,
                                bool add_netbios_addr,
                                time_t renewable_time,
+                               TALLOC_CTX *mem_ctx,
+                               char **_canon_principal,
+                               char **_canon_realm,
                                NTSTATUS *ntstatus)
 {
+       TALLOC_CTX *frame = talloc_stackframe();
        krb5_context ctx = NULL;
        krb5_error_code code = 0;
        krb5_ccache cc = NULL;
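Review bot: The three new parameters `mem_ctx`, `_canon_principal` and `_canon_realm` are not documented anywhere; the function comment that ends just above the signature (the `remus@snapserver.com` block) still describes only the old contract, and the matching prototype hunk in kerberos_proto.h adds the parameters without a comment either. A Doxygen-style comment on the prototype should state that both output pointers are optional, that the returned strings are talloc'd on `mem_ctx` and handed to the caller only on success (the `talloc_move` calls sit before the `out:` label, so on any failure nothing is written and the stack frame frees them), and that `mem_ctx` must be non-NULL whenever either output is requested, since `talloc_move` onto a NULL context would leave the caller with a parentless allocation to track. The function's body continues in later hunks and its closing brace is outside this one.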
@@ -125,6 +129,8 @@ int kerberos_kinit_password_ext(const char *principal,
        krb5_creds my_creds;
        krb5_get_init_creds_opt *opt = NULL;
        smb_krb5_addresses *addr = NULL;
+       char *canon_principal = NULL;
+       char *canon_realm = NULL;
 
        ZERO_STRUCT(my_creds);
 
@@ -132,6 +138,7 @@ int kerberos_kinit_password_ext(const char *principal,
        if (code != 0) {
                DBG_ERR("kerberos init context failed (%s)\n",
                        error_message(code));
+               TALLOC_FREE(frame);
                return code;
        }
 
@@ -139,16 +146,16 @@ int kerberos_kinit_password_ext(const char *principal,
                krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
        }
 
-       DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n",
-                       principal,
-                       cache_name ? cache_name: krb5_cc_default_name(ctx),
-                       getenv("KRB5_CONFIG")));
+       DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n",
+                 given_principal,
+                 cache_name ? cache_name: krb5_cc_default_name(ctx),
+                 getenv("KRB5_CONFIG"));
 
        if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
                goto out;
        }
 
-       if ((code = smb_krb5_parse_name(ctx, principal, &me))) {
+       if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) {
                goto out;
        }
 
@@ -195,6 +202,22 @@ int kerberos_kinit_password_ext(const char *principal,
        canon_princ = me;
 #endif /* MIT */
 
+       code = smb_krb5_unparse_name(frame,
+                                    ctx,
+                                    canon_princ,
+                                    &canon_principal);
+       if (code != 0) {
+               goto out;
+       }
+
+       DBG_DEBUG("%s mapped to %s\n", given_principal, canon_principal);
+
+       canon_realm = smb_krb5_principal_get_realm(frame, ctx, canon_princ);
+       if (canon_realm == NULL) {
+               code = ENOMEM;
+               goto out;
+       }
+
        if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) {
                goto out;
        }
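Review bot: The string returned as the "canonical" principal is whatever `canon_princ` holds at the `smb_krb5_unparse_name` call, and in the branch visible at the top of this hunk (`canon_princ = me;` before `#endif /* MIT */`) that is the principal parsed from `given_principal`, not a name reported back by the KDC; what the other preprocessor branch assigns is outside the hunk, so how "canonical" the result is appears to depend on the Kerberos library Samba was built against. A one-line comment above the unparse, such as `/* canon_princ is the client name the kinit path settled on; on this branch it is the parsed input */`, would tell callers that consume `_canon_realm` for realm decisions exactly what they are getting. The `DBG_DEBUG("%s mapped to %s\n", ...)` line is the only place that shows the mapping, and at that level it will usually be invisible.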
@@ -210,6 +233,13 @@ int kerberos_kinit_password_ext(const char *principal,
        if (renew_till_time) {
                *renew_till_time = (time_t) my_creds.times.renew_till;
        }
+
+       if (_canon_principal != NULL) {
+               *_canon_principal = talloc_move(mem_ctx, &canon_principal);
+       }
+       if (_canon_realm != NULL) {
+               *_canon_realm = talloc_move(mem_ctx, &canon_realm);
+       }
  out:
        if (ntstatus) {
                /* fast path */
@@ -239,6 +269,7 @@ int kerberos_kinit_password_ext(const char *principal,
        if (ctx) {
                krb5_free_context(ctx);
        }
+       TALLOC_FREE(frame);
        return code;
 }
 
@@ -328,6 +359,9 @@ int kerberos_kinit_password(const char *principal,
                                           False,
                                           False,
                                           0,
+                                          NULL,
+                                          NULL,
+                                          NULL,
                                           NULL);
 }
 
index f92cabd757ebf3d755bba4835af1f0f7c682a6f0..433bce9e0ec6d08dcffffebaf65b9c78e3c92630 100644 (file)
@@ -45,7 +45,7 @@ struct PAC_DATA_CTR {
 
 /* The following definitions come from libads/kerberos.c  */
 
-int kerberos_kinit_password_ext(const char *principal,
+int kerberos_kinit_password_ext(const char *given_principal,
                                const char *password,
                                int time_offset,
                                time_t *expire_time,
@@ -54,6 +54,9 @@ int kerberos_kinit_password_ext(const char *principal,
                                bool request_pac,
                                bool add_netbios_addr,
                                time_t renewable_time,
+                               TALLOC_CTX *mem_ctx,
+                               char **_canon_principal,
+                               char **_canon_realm,
                                NTSTATUS *ntstatus);
 int ads_kdestroy(const char *cc_name);
 
index 68c0f302239b61b0ace96de836478e541bc212c2..bfe53820aff66192a5d739906a86af68586c394d 100644 (file)
@@ -66,7 +66,8 @@ int ads_kinit_password(ADS_STRUCT *ads)
                                          ads->auth.time_offset,
                                          &ads->auth.tgt_expire, NULL,
                                          ads->auth.ccache_name, false, false,
-                                         ads->auth.renewable, NULL);
+                                         ads->auth.renewable,
+                                         NULL, NULL, NULL, NULL);
 
        if (ret) {
                DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
index 6b4cd3591b08becdf9efcd4e02be1871342f570a..4a0f59a1e80e07744c7875ef24b2cba32af93777 100644 (file)
@@ -3353,6 +3353,9 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **
                                          true,
                                          true,
                                          2592000, /* one month */
+                                         NULL,
+                                         NULL,
+                                         NULL,
                                          &status);
        if (ret) {
                d_printf(_("failed to kinit password: %s\n"),
index 85ad426446ae820beea9e3ecf7c419a4c387ad59..5baecf906b940a9dcba577e4b9f2e40ae69e87b8 100644 (file)
@@ -146,6 +146,9 @@ rekinit:
                                                          False, /* no PAC required anymore */
                                                          True,
                                                          WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+                                                         NULL,
+                                                         NULL,
+                                                         NULL,
                                                          NULL);
                        gain_root_privilege();
 
@@ -343,6 +346,9 @@ static void krb5_ticket_gain_handler(struct tevent_context *event_ctx,
                                          False, /* no PAC required anymore */
                                          True,
                                          WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+                                         NULL,
+                                         NULL,
+                                         NULL,
                                          NULL);
        gain_root_privilege();