oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

hdb: force canonicalization of enterprise principal names

Browse Source 
Whilst Windows does not canonicalize enterprise principal names if the
canonicalize flag is unset, the original specification in
draft-ietf-krb-wg-kerberos-referrals-03.txt says we should. Non-Windows
deployments of Heimdals are unlikely to understand enterprise principal names
in tickets, and are also unlikely to set the canonicalize flag, so this makes
sense. (It was also the behavior prior to moving the name canonicalization
logic into the KDC.)
This commit is contained in:
Luke Howard
2019-01-06 18:03:07 +11:00
parent 4ea5cc2eff
commit 9750f2d915
1 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
lib/hdb/common.c
View File

@@ -119,7 +119,6 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
if (ret)
return ret;
principal = enterprise_principal;
flags |= HDB_F_CANON; /* enterprise implies canonicalization */
}
hdb_principal2key(context, principal, &key);
@@ -192,6 +191,14 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
}
}
}
if (enterprise_principal) {
/*
* Whilst Windows does not canonicalize enterprise principal names if
* the canonicalize flag is unset, the original specification in
* draft-ietf-krb-wg-kerberos-referrals-03.txt says we should.
*/
entry->entry.flags.force_canonicalize = 1;
}
return 0;
}