author | Stefan Metzmacher <metze@samba.org> | 2019-09-13 16:04:30 +0200 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2019-09-24 18:30:37 +0000 |
commit | 0bced73bed481a8846a6b3e68be85941914390ba (patch) | |
tree | bcb709df63fab0228ee8e73f2c65d4f9127d05af | |
parent | 6ed18c12c57efb2a010e0ce5196c51b48e57a4b9 (diff) | |
download | samba-0bced73bed481a8846a6b3e68be85941914390ba.tar.gz |
s3:libads/kerberos: always use the canonicalized principal after kinit
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
-rw-r--r-- | source3/libads/kerberos.c | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 3e09d70268f..559ec3b7f53 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -167,7 +167,10 @@ int kerberos_kinit_password_ext(const char *given_principal,
 krb5_get_init_creds_opt_set_forwardable(opt, True);
 /* Turn on canonicalization for lower case realm support */
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
+#ifdef SAMBA4_USES_HEIMDAL
+ krb5_get_init_creds_opt_set_win2k(ctx, opt, true);
+ krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true);
+#else /* MIT */
 krb5_get_init_creds_opt_set_canonicalize(opt, true);
 #endif /* MIT */
 #if 0
@@ -196,11 +199,7 @@ int kerberos_kinit_password_ext(const char *given_principal,
 goto out;
 }
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
 canon_princ = my_creds.client;
-#else
- canon_princ = me;
-#endif /* MIT */
 code = smb_krb5_unparse_name(frame, ctx, |
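Review bot: The two Heimdal calls added under `#ifdef SAMBA4_USES_HEIMDAL` discard their results; as far as I know both `krb5_get_init_creds_opt_set_win2k()` and `krb5_get_init_creds_opt_set_canonicalize()` return a `krb5_error_code` in Heimdal, so a failure would leave the kinit running without canonicalization and nothing would report it. The function already uses `code` with `goto out` (visible in the second hunk), so `code = krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true);` followed by `if (code != 0) goto out;` would fit, and likewise for the win2k call. The existing comment explains only canonicalization; a line such as `/* win2k mode: accept a client principal rewritten by the KDC */` would record why the extra option is set, if that is the intent. The second hunk now takes `my_creds.client` unconditionally, so the principal returned to callers is whatever the KDC asserted and may differ from `given_principal`. The body of kerberos_kinit_password_ext starts and ends outside both hunks.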