diff options
author | Andrew Bartlett <abartlet@samba.org> | 2015-03-11 15:57:06 +1300 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2015-03-12 17:13:42 +0100 |
commit | e48d136e3a5c89c9bab8ea898775fad1449d2f96 (patch) | |
tree | 0cc2412ba77511d4c70fe95d4d995ea3fb2355bd /auth/kerberos | |
parent | 89099611fd3a30286fe50dfa57e16452ea6c8940 (diff) | |
download | samba-e48d136e3a5c89c9bab8ea898775fad1449d2f96.tar.gz |
auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison
This ensures that if an enterprise principal is used, we do the
comparison properly
This matters as in the enterprise case, which can be triggered by MIT
kinit -E, does not use canonicalization, and so the enterprise name,
with the @ in it, is in the logon name.
Otherwise, we get errors like:
Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Diffstat (limited to 'auth/kerberos')
-rw-r--r-- | auth/kerberos/kerberos_pac.c | 23 |
1 files changed, 12 insertions, 11 deletions
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c index 8f55c8ff6a4..32d9d7fad0e 100644 --- a/auth/kerberos/kerberos_pac.c +++ b/auth/kerberos/kerberos_pac.c @@ -106,7 +106,6 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, DATA_BLOB modified_pac_blob; NTTIME tgs_authtime_nttime; - krb5_principal client_principal_pac = NULL; int i; struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL; @@ -357,28 +356,30 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, } if (client_principal) { - ret = smb_krb5_parse_name_norealm(context, - logon_name->account_name, - &client_principal_pac); + char *client_principal_string; + ret = krb5_unparse_name_flags(context, client_principal, + KRB5_PRINCIPAL_UNPARSE_NO_REALM|KRB5_PRINCIPAL_UNPARSE_DISPLAY, + &client_principal_string); if (ret) { - DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n", + DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n", logon_name->account_name, error_message(ret))); talloc_free(tmp_ctx); return NT_STATUS_INVALID_PARAMETER; } - bool_ret = smb_krb5_principal_compare_any_realm(context, - client_principal, - client_principal_pac); - - krb5_free_principal(context, client_principal_pac); + bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0; if (!bool_ret) { DEBUG(2, ("Name in PAC [%s] does not match principal name " - "in ticket\n", logon_name->account_name)); + "in ticket [%s]\n", + logon_name->account_name, + client_principal_string)); + SAFE_FREE(client_principal_string); talloc_free(tmp_ctx); return NT_STATUS_ACCESS_DENIED; } + SAFE_FREE(client_principal_string); + } DEBUG(3,("Found account name from PAC: %s [%s]\n", |