r19662: windows 2003 kdc's only rewrite the realm to the full form,
author Stefan Metzmacher <metze@samba.org>
Sat, 11 Nov 2006 12:52:04 +0000 (12:52 +0000)
committer Gerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 19:25:26 +0000 (14:25 -0500)
commit cfee02143f06ed6ff5832e95fa69634f5dd883da
tree 4d34cd1fa26b69a2c4ea8801d2e6092d5df8e71d
parent 1e518c3e675e6952044bc0fdf2537be432c0c56f
r19662: windows 2003 kdc's only rewrite the realm to the full form,
when the client is using the netbios domain name as realm.

we should match this and not rewrite the principal.

This matches what Windows gives:

metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator@SERNOXDOM4
administrator@SERNOXDOM4's Password:

metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist
Credentials cache: FILE:/tmp/krb5cc_10000
Principal: administrator@SERNOXDOM4.MX.BASE

Issued           Expires          Principal
Nov 11 13:37:52  Nov 11 23:37:52  krbtgt/SERNOXDOM4@SERNOXDOM4.MX.BASE

Note:
I need to disable the principal checks in heimdal's
_krb5_extract_ticket() for the kinit to work.

Any ideas how to change heimdal to support this?

For the service principal we should use
the realm and principal in req->kdc_rep.enc_part
instead of the unencrypted req->kdc.ticket.sname
and req->kdc.ticket.realm to have a trusted value.

I'm not sure what we can do with the client realm...

metze
source/kdc/hdb-ldb.c
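
The commit message's point about taking the service principal from the encrypted part of the reply, as an added example that is not code from this commit, Samba or Heimdal. The structs, enum and function names are hypothetical simplifications, and rejecting a reply whose unencrypted ticket fields disagree with the decrypted ones is this example's own policy.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for parsed AS-REP fields (not Heimdal types). */
struct princ { const char *name, *realm; };
struct as_rep {
    struct princ ticket_srv; /* ticket.sname / ticket.realm: outside the part encrypted to the client */
    struct princ enc_srv;    /* enc_part sname / srealm: decrypted with the client's key */
};
enum srv_check { SRV_OK, SRV_REALM_REWRITTEN, SRV_NAME_CHANGED, SRV_TICKET_MISMATCH };

static int same(const char *a, const char *b) { return a && b && strcmp(a, b) == 0; }

/* Pick the service principal to store, trusting only the decrypted enc_part. */
enum srv_check check_service_principal(const struct as_rep *rep,
                                       const struct princ *requested,
                                       struct princ *accepted)
{
    /* Example policy: a realm rewrite is allowed, a changed service name is not. */
    if (!same(requested->name, rep->enc_srv.name))
        return SRV_NAME_CHANGED;
    /* Example policy: the unprotected copy must agree with the authenticated one. */
    if (!same(rep->ticket_srv.name, rep->enc_srv.name) ||
        !same(rep->ticket_srv.realm, rep->enc_srv.realm))
        return SRV_TICKET_MISMATCH;
    *accepted = rep->enc_srv; /* never copied from ticket_srv */
    return same(requested->realm, rep->enc_srv.realm) ? SRV_OK : SRV_REALM_REWRITTEN;
}

/* Constructed request matching the kinit session above: krbtgt/SERNOXDOM4@SERNOXDOM4. */
enum srv_check run_case(const char *t_name, const char *t_realm,
                        const char *e_name, const char *e_realm)
{
    struct princ requested = { "krbtgt/SERNOXDOM4", "SERNOXDOM4" }, accepted;
    struct as_rep rep = { { t_name, t_realm }, { e_name, e_realm } };
    return check_service_principal(&rep, &requested, &accepted);
}

int main(void)
{
    /* Realm rewritten to the full form, as in the klist output: prints 1. */
    printf("%d\n", run_case("krbtgt/SERNOXDOM4", "SERNOXDOM4.MX.BASE",
                            "krbtgt/SERNOXDOM4", "SERNOXDOM4.MX.BASE"));
    /* Constructed mismatch between ticket realm and enc_part realm: prints 3. */
    printf("%d\n", run_case("krbtgt/SERNOXDOM4", "OTHER.EXAMPLE",
                            "krbtgt/SERNOXDOM4", "SERNOXDOM4.MX.BASE"));
    return 0;
}
```

The client name and realm have no counterpart in the encrypted part of the reply, which is why the same check cannot be written for them.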