r20406: Metze's change in -r 19662 broke Kerberos logins from Win2k3.
authorAndrew Bartlett <abartlet@samba.org>
Fri, 29 Dec 2006 11:01:37 +0000 (11:01 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 19:30:24 +0000 (14:30 -0500)
The reason is long and complex, but is due to forwardable tickets:

We would extract the forwardable ticket from the GSSAPI payload, and
look for the expiry time of the ticket for krbtgt/REALM@REALM.

However, with -r 19662 the ticket is given to the client as being for
krbtgt/realm@REALM, as it asked for a lower case realm.  Heimdal is
case sensitive for realms, and bails out.  (It should just not store
the forwarded ticket).

We need to co-ordinate changes in the KDC with relaxation of checks in
Heimdal, and a better kerberos behaviour testsuite.

Andrew Bartlett

source/kdc/hdb-ldb.c

index f7bbbb9a9b52af20f72281250a92ec67624aae6d..a05295205b7cab0a20a96319ad4383a69f1c3618 100644 (file)
@@ -630,6 +630,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
        struct ldb_message **realm_ref_msg = NULL;
        struct ldb_dn *realm_dn;
 
+       krb5_principal alloc_principal = NULL;
        if (principal->name.name_string.len != 2
            || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
                /* Not a krbtgt */
@@ -640,6 +641,30 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
        if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
                              mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) {
                /* us */                
+               /* Cludge, cludge cludge.  If the realm part of krbtgt/realm,
+                * is in our db, then direct the caller at our primary
+                * krgtgt */
+               
+               const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL);
+               char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
+               if (!realm_fixed) {
+                       krb5_set_error_string(context, "strupper_talloc: out of memory");
+                       return ENOMEM;
+               }
+               
+               ret = krb5_copy_principal(context, principal, &alloc_principal);
+               if (ret) {
+                       return ret;
+               }
+               free(alloc_principal->name.name_string.val[1]);
+               alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
+               talloc_free(realm_fixed);
+               if (!alloc_principal->name.name_string.val[1]) {
+                       krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
+                       return ENOMEM;
+               }
+               principal = alloc_principal;
                realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg[0], "nCName", NULL);
        } else {
                /* we should lookup trusted domains */