auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison
authorAndrew Bartlett <abartlet@samba.org>
Wed, 11 Mar 2015 02:57:06 +0000 (15:57 +1300)
committerGünther Deschner <gd@samba.org>
Thu, 12 Mar 2015 16:13:42 +0000 (17:13 +0100)
This ensures that if an enterprise principal is used, we do the
comparison properly

This matters because the enterprise case, which can be triggered by MIT
kinit -E, does not use canonicalization, and so the enterprise name,
with the @ in it, is in the logon name.

Otherwise, we get errors like:
 Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
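--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -106,7 +106,6 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
        DATA_BLOB modified_pac_blob;
 
        NTTIME tgs_authtime_nttime;
-       krb5_principal client_principal_pac = NULL;
        int i;
 
        struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
@@ -357,28 +356,30 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
        }
 
        if (client_principal) {
-               ret = smb_krb5_parse_name_norealm(context,
-                                                 logon_name->account_name,
-                                                 &client_principal_pac);
+               char *client_principal_string;
+               ret = krb5_unparse_name_flags(context, client_principal,
+                                             KRB5_PRINCIPAL_UNPARSE_NO_REALM|KRB5_PRINCIPAL_UNPARSE_DISPLAY,
+                                             &client_principal_string);
                if (ret) {
-                       DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n",
+                       DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n",
                                  logon_name->account_name, error_message(ret)));
                        talloc_free(tmp_ctx);
                        return NT_STATUS_INVALID_PARAMETER;
                }
 
-               bool_ret = smb_krb5_principal_compare_any_realm(context,
-                                                               client_principal,
-                                                               client_principal_pac);
-
-               krb5_free_principal(context, client_principal_pac);
+               bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0;
 
                if (!bool_ret) {
                        DEBUG(2, ("Name in PAC [%s] does not match principal name "
-                                 "in ticket\n", logon_name->account_name));
+                                 "in ticket [%s]\n",
+                                 logon_name->account_name,
+                                 client_principal_string));
+                       SAFE_FREE(client_principal_string);
                        talloc_free(tmp_ctx);
                        return NT_STATUS_ACCESS_DENIED;
                }
+               SAFE_FREE(client_principal_string);
+
        }
 
        DEBUG(3,("Found account name from PAC: %s [%s]\n",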
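Review bot: The buffer returned by krb5_unparse_name_flags() is released with SAFE_FREE() at both exit points of the `if (client_principal)` block (the mismatch branch and the line after it), whereas the Kerberos libraries provide their own deallocator for that result; `krb5_free_unparsed_name(context, client_principal_string);` at both sites keeps allocation and release inside libkrb5 and avoids an allocator mismatch on builds where the library and Samba do not share a C runtime (confirm the Heimdal build Samba targets exposes it). A one-line comment above the unparse call would also help the next reader, since the flag choice is what makes the fix work: `/* DISPLAY: do not backslash-quote the '@' of an enterprise name, so the string matches the unescaped PAC logon name */` (presumably that is the purpose of KRB5_PRINCIPAL_UNPARSE_DISPLAY here; the commit message only says the enterprise name carries an '@'). The mismatch DEBUG now logs both the PAC name and the ticket name at level 2, which is the right place to diagnose a forged or mis-issued PAC without raising the log level globally. kerberos_decode_pac() begins before the first hunk and continues past the last line shown.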