authorAndrew Bartlett <abartlet@samba.org>2021-06-23 11:35:01 +1200
committerJoseph Sutton <jsutton@samba.org>2022-01-19 20:50:35 +0000
commit8329e8d46917d67f0cb51c3a004e323a87fa1499 (patch)
tree127ee54bdfe7a1a2206c45db50aafff450c6a857
parenteb5c3bb951391879f844199fe4de6076b4c98217 (diff)
downloadsamba-8329e8d46917d67f0cb51c3a004e323a87fa1499.tar.gz
s4:kdc: Set entry.flags.force_canonicalize to override the new Heimdal behaviour
This is needed to give hdb_samba4 the full control over the returned principal, rather than the new code in the Heimdal KDC. Including changes selected from code by Stefan Metzmacher <metze@samba.org> in his Heimdal upgrade branch. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--source4/kdc/db-glue.c7
-rw-r--r--source4/kdc/sdb.h2
-rw-r--r--source4/kdc/sdb_to_hdb.c2
3 files changed, 9 insertions, 2 deletions
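--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -966,6 +966,13 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 /* First try and figure out the flags based on the userAccountControl */
 entry_ex->entry.flags = uf2SDBFlags(context, userAccountControl, ent_type);
+ /*
+ * Take control of the returned principal here, rather than
+ * allowing the Heimdal code to do it as we have specific
+ * behaviour around the forced realm to honour
+ */
+ entry_ex->entry.flags.force_canonicalize = true;
+
 /* Windows 2008 seems to enforce this (very sensible) rule by
 * default - don't allow offline attacks on a user's password
 * by asking for a ticket to them as a service (encrypted with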
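Review bot: The flag is forced on for every entry that samba_kdc_message2entry builds, irrespective of ent_type, but the new comment only explains why Heimdal's canonicalisation is bypassed, not that the override is unconditional; a reader checking which entries the KDC may still canonicalise has to infer it. Suggest saying so explicitly: `/* Set unconditionally: hdb_samba4, not the Heimdal KDC, decides the canonical principal returned for every entry type, so the forced-realm behaviour this backend implements is honoured. */`. The override also relies on nothing later in the function reassigning `entry_ex->entry.flags` as a whole, which would silently clear it; samba_kdc_message2entry starts and ends outside this hunk, so that cannot be confirmed here.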
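--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -76,7 +76,7 @@ struct SDBFlags {
 unsigned int _unused27:1;
 unsigned int _unused28:1;
 unsigned int _unused29:1;
- unsigned int _unused30:1;
+ unsigned int force_canonicalize:1;
 unsigned int do_not_store:1;
 };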
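Review bot: The new `force_canonicalize` bit in struct SDBFlags carries no comment describing its meaning, even though it turns a reserved bit into a behavioural switch that the Heimdal side now consumes; from the declaration alone a maintainer cannot tell who honours it or what it changes. Suggest a one-line comment on the field: `unsigned int force_canonicalize:1; /* the hdb backend, not the KDC, chooses the canonical principal returned */`. The field is copied by name in sdb_flags_to_hdb_flags in sdb_to_hdb.c, so a short pointer there to the same comment would keep both sides in step.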
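--- a/source4/kdc/sdb_to_hdb.c
+++ b/source4/kdc/sdb_to_hdb.c
@@ -63,7 +63,7 @@ static void sdb_flags_to_hdb_flags(const struct SDBFlags *s,
 h->_unused27 = s->_unused27;
 h->_unused28 = s->_unused28;
 h->_unused29 = s->_unused29;
- h->_unused30 = s->_unused30;
+ h->force_canonicalize = s->force_canonicalize;
 h->do_not_store = s->do_not_store;
 }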