From 98070b5eaaf4ac1d0562a5df69eaa0da96c12bc9 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sun, 2 Jan 2022 22:22:15 +1100
Subject: [PATCH] Revert "heimdal: handle referrals for 3 part DRSUAPI SPNs"

Active Directory/Samba-specific referral policy should be implemented by a windc plugin, not in the main KDC code. It looks like it probably isn't necessary at all if Samba wishes to bypass Heimdal's referral handling.

This reverts commit 6f0cafa6cf5957ee549e46e899e8bc83eeca52c2.
---
 kdc/krb5tgs.c | 18 +-----------------
 1 file changed, 1 insertion(+), 17 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 534eae564..887c9a05b 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -922,23 +922,7 @@ need_referral(krb5_context context, krb5_kdc_configuration *config,
 if (server->name.name_string.len == 1)
 name = server->name.name_string.val[0];
- else if (server->name.name_string.len == 3) {
- /*
- This is used to give referrals for the
- E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/DNSDOMAIN
- SPN form, which is used for inter-domain communication in AD
- */
- name = server->name.name_string.val[2];
- kdc_log(context, config, 4, "Giving 3 part referral for %s", name);
- *realms = malloc(sizeof(char *)*2);
- if (*realms == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return FALSE;
- }
- (*realms)[0] = strdup(name);
- (*realms)[1] = NULL;
- return TRUE;
- } else if (server->name.name_string.len > 1)
+ else if (server->name.name_string.len > 1)
 name = server->name.name_string.val[1];
 else
 return FALSE;
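Review bot: With the `len == 3` branch gone, three-component names such as the DRSUAPI `…/NTDSGUID/DNSDOMAIN` form now fall into the remaining `len > 1` branch, so `name` becomes `val[1]` (the GUID component in that form) instead of the DNS domain in `val[2]`. What need_referral does with `name` afterwards lies outside the hunk, so whether such SPNs are then simply declined or matched against realm configuration cannot be confirmed from here. A short comment on the branch would record the intent, for example `/* more than one component: only the second is considered for referral; AD-specific SPN forms are left to the windc plugin */`. Since the commit message only says the old handling "probably isn't necessary", it is worth confirming that the plugin or Samba-side path actually covers the 3-part SPN before this ships to AD DC deployments.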