kdc: use ticket client name when signing PAC
The principal in the PAC_LOGON_NAME buffer is expected to match the client name in the ticket. Previously we were setting this to the canonical client name, which would have broken PAC validation if the client did not request name canonicalization.
@@ -1821,6 +1821,7 @@ generate_pac(astgs_request_t r, Key *skey)
krb5_pac p = NULL;
krb5_pac p = NULL;
krb5_data data;
krb5_data data;
uint16_t rodc_id;
uint16_t rodc_id;
|
krb5_principal client;
|
|
ret = _kdc_pac_generate(r->context, r->client, &p);
ret = _kdc_pac_generate(r->context, r->client, &p);
if (ret) {
if (ret) {
@@ -1833,12 +1834,21 @@ generate_pac(astgs_request_t r, Key *skey)
|
|
rodc_id = r->server->entry.kvno >> 16;
rodc_id = r->server->entry.kvno >> 16;
|
|
|
/* libkrb5 expects ticket and PAC client names to match */
|
ret = _krb5_principalname2krb5_principal(r->context, &client,
|
r->et.cname, r->et.crealm);
|
if (ret) {
|
krb5_pac_free(r->context, p);
|
return ret;
|
}
|
|
ret = _krb5_pac_sign(r->context, p, r->et.authtime,
ret = _krb5_pac_sign(r->context, p, r->et.authtime,
r->client->entry.principal,
client,
&skey->key, /* Server key */
&skey->key, /* Server key */
&skey->key, /* FIXME: should be krbtgt key */
&skey->key, /* FIXME: should be krbtgt key */
rodc_id,
rodc_id,
&data);
&data);
|
krb5_free_principal(r->context, client);
krb5_pac_free(r->context, p);
krb5_pac_free(r->context, p);
if (ret) {
if (ret) {
_kdc_r_log(r, 4, "PAC signing failed for -- %s",
_kdc_r_log(r, 4, "PAC signing failed for -- %s",