authorStefan Metzmacher <metze@samba.org>2019-07-19 15:10:09 +0000
committerKarolin Seeger <kseeger@samba.org>2019-09-25 23:37:34 +0000
commit956618ac6da407a6ac0b60b5165b4050775fa2ab (patch)
treec81637c37c7794627c406b3a82637b0a01b8f89b
parent4760bbaae22aede59869577cf6176f10d816ade7 (diff)
s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
We can use enterprise principals (e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM) and delegate the routing decisions to the KDCs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> (cherry picked from commit a77be15d28390c5d12202278adbe6b50200a2c1b)
-rw-r--r--source3/winbindd/winbindd_pam.c57
1 files changed, 33 insertions, 24 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index b81f2722c42..35018fbe284 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -418,6 +418,15 @@ struct winbindd_domain *find_auth_domain(uint8_t flags,
return find_domain_from_name_noinit(domain_name);
}
+ if (lp_winbind_use_krb5_enterprise_principals()) {
+ /*
+ * If we use enterprise principals
+ * we always go trough our primary domain
+ * and follow the WRONG_REALM replies.
+ */
+ flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM;
+ }
+
/* we can auth against trusted domains */
if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
domain = find_domain_from_name_noinit(domain_name);
@@ -717,7 +726,20 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
- principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm);
+ if (lp_winbind_use_krb5_enterprise_principals() &&
+ name_namespace[0] != '\0')
+ {
+ principal_s = talloc_asprintf(mem_ctx,
+ "%s@%s@%s",
+ name_user,
+ name_namespace,
+ realm);
+ } else {
+ principal_s = talloc_asprintf(mem_ctx,
+ "%s@%s",
+ name_user,
+ realm);
+ }
if (principal_s == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1284,30 +1306,16 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
/* what domain should we contact? */
- if ( IS_DC ) {
- contact_domain = find_domain_from_name(name_namespace);
- if (contact_domain == NULL) {
- DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
- state->request->data.auth.user, name_domain, name_user, name_domain));
- result = NT_STATUS_NO_SUCH_USER;
- goto done;
- }
-
+ if (lp_winbind_use_krb5_enterprise_principals()) {
+ contact_domain = find_auth_domain(0, name_namespace);
} else {
- if (is_myname(name_domain)) {
- DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
- result = NT_STATUS_NO_SUCH_USER;
- goto done;
- }
-
contact_domain = find_domain_from_name(name_namespace);
- if (contact_domain == NULL) {
- DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
- state->request->data.auth.user, name_domain, name_user, name_domain));
-
- result = NT_STATUS_NO_SUCH_USER;
- goto done;
- }
+ }
+ if (contact_domain == NULL) {
+ DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
+ state->request->data.auth.user, name_domain, name_user, name_namespace));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
}
if (contact_domain->initialized &&
@@ -1320,7 +1328,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
}
if (!contact_domain->active_directory) {
- DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
+ DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n",
+ contact_domain->name));
return NT_STATUS_INVALID_LOGON_TYPE;
}
try_login:
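Review bot: In the winbindd_dual_pam_auth_kerberos hunk the `is_myname(name_domain)` refusal that the old non-DC branch applied is dropped for both paths, not only for the enterprise-principal path, and neither the commit message nor the new code mentions that. A member server asked to authenticate against its own name now depends on `find_domain_from_name(name_namespace)` returning NULL rather than on an explicit early reject, which changes the logged reason and, as far as this hunk shows, the trust in that lookup to fail. If removing the guard is intended it should be stated in the commit message; otherwise the cheapest fix is to keep it in the `else` branch, gated on `!IS_DC` as before, before the lookup. The function starts and ends outside the hunk, so later checks I cannot see may already cover this. A smaller nit in the find_auth_domain hunk: the new comment reads "go trough" and should be "go through".
```c
	} else {
		if (!IS_DC && is_myname(name_domain)) {
			DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
			result = NT_STATUS_NO_SUCH_USER;
			goto done;
		}
		contact_domain = find_domain_from_name(name_namespace);
	}
	/* … unchanged: shared contact_domain == NULL check and goto done … */
```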