author | Stefan Metzmacher <metze@samba.org> | 2016-12-15 11:04:02 +0100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2016-12-20 01:11:24 +0100 |
commit | dab9456cfc4f42e4a7d95443e02460e59816ecbd (patch) | |
tree | e13f74fc9b8f47ab3f17348690a60eb93945f48d /auth/credentials | |
parent | 7c344fbbe0568734beb982bb6e0f3c81e6eb5843 (diff) | |
auth/credentials: handle situations without a configured (default) realm
We should not have cli_credentials_get_realm() return "" without a
configured (default) realm in smb.conf.
Note that the existing tests with creds.get_realm() == lp.get("realm")
also work with "" as string.
At the same time we should never let cli_credentials_get_principal()
return "@REALM.EXAMPLE.COM" nor "username@".
If cli_credentials_parse_string() gets "OTHERDOMAIN\username"
we must not use cli_credentials_get_realm() to generate
a principal unless cli_credentials_get_domain() returns
also "OTHERDOMAIN". What we need to do is use
username@OTHERDOMAIN as principal, while we still
use cli_credentials_get_realm to get a default kdc,
(which may route us to the correct kdc with WRONG_REALM
messages).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'auth/credentials')
-rw-r--r-- | auth/credentials/credentials.c | 43 |
1 files changed, 34 insertions, 9 deletions
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index e0244287ad5..a0f91e92b73 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c @@ -213,16 +213,37 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede if (cred->principal_obtained < cred->username_obtained || cred->principal_obtained < MAX(cred->domain_obtained, cred->realm_obtained)) { + const char *effective_username = NULL; + const char *effective_realm = NULL; + enum credentials_obtained effective_obtained; + + effective_username = cli_credentials_get_username(cred); + if (effective_username == NULL || strlen(effective_username) == 0) { + *obtained = cred->username_obtained; + return NULL; + } + if (cred->domain_obtained > cred->realm_obtained) { - *obtained = MIN(cred->domain_obtained, cred->username_obtained); - return talloc_asprintf(mem_ctx, "%s@%s", - cli_credentials_get_username(cred), - cli_credentials_get_domain(cred)); + effective_realm = cli_credentials_get_domain(cred); + effective_obtained = MIN(cred->domain_obtained, + cred->username_obtained); } else { - *obtained = MIN(cred->realm_obtained, cred->username_obtained); + effective_realm = cli_credentials_get_realm(cred); + effective_obtained = MIN(cred->realm_obtained, + cred->username_obtained); + } + + if (effective_realm == NULL || strlen(effective_realm) == 0) { + effective_realm = cli_credentials_get_domain(cred); + effective_obtained = MIN(cred->domain_obtained, + cred->username_obtained); + } + + if (effective_realm != NULL && strlen(effective_realm) != 0) { + *obtained = effective_obtained; return talloc_asprintf(mem_ctx, "%s@%s", - cli_credentials_get_username(cred), - cli_credentials_get_realm(cred)); + effective_username, + effective_realm); } } *obtained = cred->principal_obtained; 
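Review bot: The early return added after the `effective_username` check makes NULL an ordinary result meaning "no username", where the visible old code could only return NULL if talloc_asprintf() failed, and nothing in the hunk documents that new contract. Callers are not visible here, so any that read NULL as out-of-memory or pass the result straight into a Kerberos call would need checking. I would add a comment above the check such as `/* No username: no principal can be built; callers must handle NULL. */`. Separately, when the domain branch is taken and the domain string is empty, the fallback block re-reads cli_credentials_get_domain() instead of trying the realm, so that case falls through to the stored principal; it is worth confirming this is intended. The function starts and ends outside the hunk.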
@@ -816,6 +837,7 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred, struct loadparm_context *lp_ctx) { const char *sep = NULL; + const char *realm = lpcfg_realm(lp_ctx); cli_credentials_set_username(cred, "", CRED_UNINITIALISED); if (lpcfg_parm_is_cmdline(lp_ctx, "workgroup")) { @@ -828,10 +850,13 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred, } else { cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_UNINITIALISED); } + if (realm != NULL && strlen(realm) == 0) { + realm = NULL; + } if (lpcfg_parm_is_cmdline(lp_ctx, "realm")) { - cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED); + cli_credentials_set_realm(cred, realm, CRED_SPECIFIED); } else { - cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_UNINITIALISED); + cli_credentials_set_realm(cred, realm, CRED_UNINITIALISED); } sep = lpcfg_winbind_separator(lp_ctx); |
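Review bot: The `realm = NULL` normalisation in the last hunk has no comment explaining why an empty string becomes NULL, and it now passes NULL to cli_credentials_set_realm() in both branches. That function is outside the diff, so its handling of a NULL value should be confirmed. The CRED_SPECIFIED branch matters most: an empty `realm` given on the command line would record a NULL realm at the "specified" level, which presumably outranks lower-priority sources. I would add `/* lpcfg_realm() gives "" when no realm is configured; store NULL so an empty realm never reaches principal construction */` above the check. The declaration of `realm` in the preceding hunk is fine as written.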