From 939cdbe4ad413519ec2e9b91ef4a1f2eeec36955 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sun, 15 Aug 2021 13:50:21 +1000
Subject: [PATCH] krb5: always canonicalize GSS federated name

When using WELLKNOWN/FEDERATED in GSS-API pre-authentication, always replace with the cname in the AS-REP.
---
 lib/krb5/init_creds_pw.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index dc1eaf54c..515bbbd21 100644
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -1489,15 +1489,17 @@ gss_pa_data_to_key(krb5_context context,
     if (ret)
         goto out;
 
-    if (krb5_principal_is_federated(context, creds->client)) {
-        /* replace the wellknown federated name with the initiator name */
+    if (krb5_principal_is_federated(context, ctx->cred.client)) {
+        /*
+         * The well-known federated name will be replaced with the cname
+         * in the AS-REP, but save the locally mapped initiator name in the
+         * cred for logging.
+         */
         krb5_free_principal(context, creds->client);
         creds->client = cname;
         cname = NULL;
 
-        /* allow the KDC to canonicalize the name */
-        if (ctx->flags.canonicalize)
-            ctx->ic_flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK;
+        ctx->ic_flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK;
     }
 
 out:
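Review bot: Setting `KRB5_INIT_CREDS_NO_C_CANON_CHECK` unconditionally, now that the `ctx->flags.canonicalize` gate is gone, means the client will accept whatever cname the AS-REP carries for a federated principal without comparing it to the name it asked for; that looks unavoidable for WELLKNOWN/FEDERATED, since the initiator has no prior expectation of its Kerberos name, but the new comment should state that trade-off rather than only the logging motivation, e.g. add a line such as `* The returned cname cannot be checked against a name the client does not know, so the check is disabled for this case.` The condition also now tests `ctx->cred.client` while the branch frees and replaces `creds->client`; whether those can differ is not visible in the hunk, and if they can, a short comment saying which one is the requested name and which the result would help the next reader. The enclosing function gss_pa_data_to_key begins outside the hunk.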