r19662: windows 2003 kdc's only rewrite the realm to the full form,
authorStefan Metzmacher <metze@samba.org>
Sat, 11 Nov 2006 12:52:04 +0000 (12:52 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 19:25:26 +0000 (14:25 -0500)
when the client is using the netbios domain name as realm.

we should match this and not rewrite the principal.

This matches what Windows gives:

metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator@SERNOXDOM4
administrator@SERNOXDOM4's Password:

metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist
Credentials cache: FILE:/tmp/krb5cc_10000
Principal: administrator@SERNOXDOM4.MX.BASE

Issued           Expires          Principal
Nov 11 13:37:52  Nov 11 23:37:52  krbtgt/SERNOXDOM4@SERNOXDOM4.MX.BASE

Note:
I need to disable the principal checks in heimdal's
_krb5_extract_ticket() for the kinit to work.

Any ideas how to change heimdal to support this.

For the service principal we should use
the realm and principal in req->kdc_rep.enc_part
instead of the unencrypted req->kdc.ticket.sname
and req->kdc.ticket.realm to have a trusted value.

I'm not sure what we can do with the client realm...

metze

source/kdc/hdb-ldb.c

index 8fd69aecb1b7f0992ed70ca26f988e9c4f7680c4..00c89f9c0afa46f569c0188af31014098989e598 100644 (file)
@@ -632,7 +632,6 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
        struct ldb_message **realm_ref_msg = NULL;
        const struct ldb_dn *realm_dn;
 
-       krb5_principal alloc_principal = NULL;
        if (principal->name.name_string.len != 2
            || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
                /* Not a krbtgt */
@@ -642,33 +641,8 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
        /* krbtgt case.  Either us or a trusted realm */
        if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
                              mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) {
-               /* us */
-               /* Cludge, cludge cludge.  If the realm part of krbtgt/realm,
-                * is in our db, then direct the caller at our primary
-                * krgtgt */
-               
-               const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL);
-               char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
-               if (!realm_fixed) {
-                       krb5_set_error_string(context, "strupper_talloc: out of memory");
-                       return ENOMEM;
-               }
-               
-               ret = krb5_copy_principal(context, principal, &alloc_principal);
-               if (ret) {
-                       return ret;
-               }
-
-               free(alloc_principal->name.name_string.val[1]);
-               alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
-               talloc_free(realm_fixed);
-               if (!alloc_principal->name.name_string.val[1]) {
-                       krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
-                       return ENOMEM;
-               }
-               principal = alloc_principal;
+               /* us */                
                realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
-               
        } else {
                /* we should lookup trusted domains */
                return HDB_ERR_NOENTRY;
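Review bot: The `/* us */` comment on the new side carries trailing whitespace and, now that the canonicalising block is gone, no longer tells a reader why the realm component of the krbtgt principal is left exactly as the client supplied it. Suggest replacing it with a comment that records the rationale from the commit message, e.g. `/* us: keep the realm as the client sent it (NetBIOS or DNS form); Windows 2003 KDCs do not canonicalise it either, and LDB_lookup_realm has already matched it to our own domain */`. The principal now reaches the caller with the client-chosen realm spelling instead of the upper-cased dnsRoot value, so any later comparison against this realm (the commit message itself notes that the sname/realm in the request are unencrypted) should treat it as client-controlled input rather than as the canonical form. The dereference of `realm_ref_msg[0]` on the context line still assumes the lookup returned at least one message, as it did before the change. LDB_fetch_krbtgt starts and ends outside the hunk.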