From 5ace5f5a6a8c5d254f7e8ce4414edb1a42f2f69f Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Mon, 6 Dec 2021 16:31:18 -0600 Subject: [PATCH] gss: Fix dst TGT deleg w/o dns_lookup_realm Setting `dns_lookup_realm = false` in `[libdefaults]` and setting name canon rules that force the empty realm causes destination-TGT delegation to break because the client doesn't know the service's realm. Because MIT and Heimdal check that the (unauthenticated plaintext) sname/realm of the Ticket in the KDC reply matches the sname/srealm in the enc-part of the KDC reply, we know we can trust the realm of the ticket found in the ccache. So use that.
---
lib/gssapi/krb5/init_sec_context.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index 9badd12dd..116fd925b 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -314,7 +314,6 @@ do_delegation (krb5_context context, krb5_auth_context ac, krb5_ccache ccache, krb5_creds *cred, - krb5_const_principal server, krb5_data *fwd_data, uint32_t flagmask, uint32_t *flags)
@@ -330,12 +329,12 @@ do_delegation (krb5_context context, goto out; /* We can't generally enforce server.name_type == KRB5_NT_SRV_HST */ - if (server->name.name_string.len < 2) + if (cred->server->name.name_string.len < 2) goto out; - host = krb5_principal_get_comp_string(context, server, 1); + host = krb5_principal_get_comp_string(context, cred->server, 1); #define FWDABLE 1 - kret = krb5_fwd_tgt_creds(context, ac, host, client, server, ccache, + kret = krb5_fwd_tgt_creds(context, ac, host, client, cred->server, ccache, FWDABLE, fwd_data); out:
@@ -531,7 +530,7 @@ init_auth_restart if (flagmask & GSS_C_DELEG_FLAG) { do_delegation (context, ctx->deleg_auth_context, - ctx->ccache, ctx->kcred, ctx->target, + ctx->ccache, ctx->kcred, &fwd_data, flagmask, &flags); }
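Review bot: The three new uses of `cred->server` in do_delegation (the length check, `krb5_principal_get_comp_string` and `krb5_fwd_tgt_creds`) rely on a trust argument that appears only in the commit message, so the code reads as an unexplained switch from the caller's target to ccache content. A comment above the length check would keep that assumption reviewable, for example `/* cred->server is the ticket's sname from the ccache; its realm is trusted because the KDC reply's sname/srealm are checked against the enc-part on acquisition */`. The existing comment still says `server.name_type`, which no longer matches any parameter and could name `cred->server` instead. Since the start of do_delegation and the code that fills `ctx->kcred` are outside these hunks, it is also worth confirming that `cred` and `cred->server` cannot be NULL here, because the new check dereferences both.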