heimdal Fetch the client before the PAC check, but after obtaining krbtgt_out
By checking the client principal here, we compare the realm based on the normalised realm, but do so early enough to validate the PAC (and regenerate it if required). Andrew Bartlett Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This commit is contained in:
Andrew Bartlett
committed by
Love Hornquist Astrand
Love Hornquist Astrand
parent
2542e40fed
commit
64a326d33b
@@ -1637,37 +1637,6 @@ server_lookup:
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
|
|
||||||
NULL, &clientdb, &client);
|
|
||||||
if(ret == HDB_ERR_NOT_FOUND_HERE) {
|
|
||||||
kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", cp);
|
|
||||||
goto out;
|
|
||||||
} else if(ret){
|
|
||||||
const char *krbtgt_realm, *msg;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* If the client belongs to the same realm as our krbtgt, it
|
|
||||||
* should exist in the local database.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
krbtgt_realm =
|
|
||||||
krb5_principal_get_comp_string(context,
|
|
||||||
krbtgt->entry.principal, 1);
|
|
||||||
|
|
||||||
if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
|
|
||||||
if (ret == HDB_ERR_NOENTRY)
|
|
||||||
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
|
||||||
kdc_log(context, config, 1, "Client no longer in database: %s",
|
|
||||||
cpn);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
msg = krb5_get_error_message(context, ret);
|
|
||||||
kdc_log(context, config, 1, "Client not found in database: %s", msg);
|
|
||||||
krb5_free_error_message(context, msg);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Select enctype, return key and kvno.
|
* Select enctype, return key and kvno.
|
||||||
*/
|
*/
|
||||||
@@ -1788,6 +1757,36 @@ server_lookup:
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
|
||||||
|
NULL, &clientdb, &client);
|
||||||
|
if(ret == HDB_ERR_NOT_FOUND_HERE) {
|
||||||
|
/* This is OK, we are just trying to find out if they have
|
||||||
|
* been disabled or deleted in the meantime, missing secrets
|
||||||
|
* is OK */
|
||||||
|
} else if(ret){
|
||||||
|
const char *krbtgt_realm, *msg;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If the client belongs to the same realm as our krbtgt, it
|
||||||
|
* should exist in the local database.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
|
||||||
|
|
||||||
|
if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
|
||||||
|
if (ret == HDB_ERR_NOENTRY)
|
||||||
|
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
||||||
|
kdc_log(context, config, 1, "Client no longer in database: %s",
|
||||||
|
cpn);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
msg = krb5_get_error_message(context, ret);
|
||||||
|
kdc_log(context, config, 1, "Client not found in database: %s", msg);
|
||||||
|
krb5_free_error_message(context, msg);
|
||||||
|
}
|
||||||
|
|
||||||
ret = check_PAC(context, config, cp,
|
ret = check_PAC(context, config, cp,
|
||||||
client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key,
|
client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key,
|
||||||
tgt, &rspac, &signedpath);
|
tgt, &rspac, &signedpath);
|
||||||
|
|||||||
Reference in New Issue
Block a user