ret = KRB5KRB_ERR_GENERIC;
e_text = "No client in request";
} else {
-
- if (b->cname->name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
- if (b->cname->name_string.len != 1) {
- kdc_log(context, config, 0,
- "AS-REQ malformed canon request from %s, "
- "enterprise name with %d name components",
- from, b->cname->name_string.len);
- ret = KRB5_PARSE_MALFORMED;
- goto out;
- }
- ret = krb5_parse_name(context, b->cname->name_string.val[0],
- &client_princ);
- if (ret)
- goto out;
- } else {
- ret = _krb5_principalname2krb5_principal (context,
- &client_princ,
- *(b->cname),
- b->realm);
- if (ret)
- goto out;
- }
+ ret = _krb5_principalname2krb5_principal (context,
+ &client_princ,
+ *(b->cname),
+ b->realm);
+ if (ret)
+ goto out;
ret = krb5_unparse_name(context, client_princ, &client_name);
}
}
for(i = 0; i < config->num_db; i++) {
+ krb5_principal enterprise_principal = NULL;
+ if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL)
+ && principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (principal->name.name_string.len != 1) {
+ ret = KRB5_PARSE_MALFORMED;
+ krb5_set_error_message(context, ret,
+ "malformed request: "
+ "enterprise name with %d name components",
+ principal->name.name_string.len);
+ return ret;
+ }
+ ret = krb5_parse_name(context, principal->name.name_string.val[0],
+ &enterprise_principal);
+ if (ret)
+ return ret;
+
+ principal = enterprise_principal;
+ }
+
ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
if (ret) {
kdc_log(context, config, 0, "Failed to open database: %s",
krb5_get_err_text(context, ret));
continue;
}
+
ret = config->db[i]->hdb_fetch(context,
config->db[i],
principal,
flags | HDB_F_DECRYPT,
ent);
+ krb5_free_principal(context, enterprise_principal);
+
config->db[i]->hdb_close(context, config->db[i]);
if(ret == 0) {
if (db)
#define HDB_F_GET_ANY 28 /* fetch any of client,server,krbtgt */
#define HDB_F_CANON 32 /* want canonicalition */
+#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
+
/* key usage for master key */
#define HDB_KU_MKEY 0x484442
int hdb_master_key_set;
hdb_master_key hdb_master_key;
int hdb_openp;
-
+ int hdb_capability_flags;
/**
* Open (or create) the a Kerberos database.
*
krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*);
}HDB;
-#define HDB_INTERFACE_VERSION 4
+#define HDB_INTERFACE_VERSION 5
struct hdb_so_method {
int version;
(*db)->hdb_master_key_set = 0;
(*db)->hdb_db = NULL;
+ (*db)->hdb_capability_flags = 0;
nt_status = auth_system_session_info(*db, lp_ctx, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
echo $PASSWORD > ./tmppassfile
#testit "kinit with keytab" $samba4kinit --keytab=$PREFIX/dc/private/secrets.keytab $SERVER\$@$REALM || failed=`expr $failed + 1`
testit "kinit with password" $samba4kinit --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1`
+testit "kinit with password (enterprise style)" $samba4kinit --enterprise --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1`
+testit "kinit with password (windows style)" $samba4kinit --windows --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1`
testit "kinit with pkinit" $samba4kinit --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincert.pem,$PREFIX/dc/private/tls/adminkey.pem $USERNAME@$REALM || failed=`expr $failed + 1`
testit "kinit renew ticket" $samba4kinit --request-pac -R
git.samba.org / nivanova / samba-autobuild / .git / commitdiff