summaryrefslogtreecommitdiff
path: root/source4/kdc
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2006-11-11 12:52:04 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:25:26 -0500
commit3ba2a9dfcf71b55e8bfe481395015ad666b4e12c (patch)
tree1933800144b82ac8124b4d2124d8e486abe90474 /source4/kdc
parent71846e31fde5618d9ece84c471ffb499dae43cfe (diff)
downloadsamba-3ba2a9dfcf71b55e8bfe481395015ad666b4e12c.tar.gz
r19662: windows 2003 kdc's only rewrite the realm to the full form,
when the client is using the netbios domain name as realm. we should match this and not rewrite the principal. This matches what windows give: metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator@SERNOXDOM4 administrator@SERNOXDOM4's Password: metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist Credentials cache: FILE:/tmp/krb5cc_10000 Principal: administrator@SERNOXDOM4.MX.BASE Issued Expires Principal Nov 11 13:37:52 Nov 11 23:37:52 krbtgt/SERNOXDOM4@SERNOXDOM4.MX.BASE Note: I need to disable the principal checks in heimdal's _krb5_extract_ticket() for the kinit to work. Any ideas how to change heimdal to support this. For the service principal we should use the realm and principal in req->kdc_rep.enc_part instead of the unencrypted req->kdc.ticket.sname and req->kdc.ticket.realm to have a trusted value. I'm not sure what we can do with the client realm... metze (This used to be commit cfee02143f06ed6ff5832e95fa69634f5dd883da)
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/hdb-ldb.c28
1 files changed, 1 insertions, 27 deletions
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 8fd69aecb1b..00c89f9c0af 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -632,7 +632,6 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
struct ldb_message **realm_ref_msg = NULL;
const struct ldb_dn *realm_dn;
- krb5_principal alloc_principal = NULL;
if (principal->name.name_string.len != 2
|| (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
/* Not a krbtgt */
@@ -642,33 +641,8 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
/* krbtgt case. Either us or a trusted realm */
if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) {
- /* us */
- /* Cludge, cludge cludge. If the realm part of krbtgt/realm,
- * is in our db, then direct the caller at our primary
- * krgtgt */
-
- const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL);
- char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
- if (!realm_fixed) {
- krb5_set_error_string(context, "strupper_talloc: out of memory");
- return ENOMEM;
- }
-
- ret = krb5_copy_principal(context, principal, &alloc_principal);
- if (ret) {
- return ret;
- }
-
- free(alloc_principal->name.name_string.val[1]);
- alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
- talloc_free(realm_fixed);
- if (!alloc_principal->name.name_string.val[1]) {
- krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
- return ENOMEM;
- }
- principal = alloc_principal;
+ /* us */
realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
-
} else {
/* we should lookup trusted domains */
return HDB_ERR_NOENTRY;