From Andrew Bartlet via heimdal-bugs@h5l.org

s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookups

    The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail
    list user principal name) in an AS-REQ.  Evidence from the wild
    (Win2k8 reportadely) indicates that this is instead valid for all
    types of requests.

    While this is now handled in heimdal/kdc/misc.c, a flag is now defined
    in Heimdal's hdb so that we can take over this handling in future (once we start
    using a system Heimdal, and if we find out there is more to be done
    here).

    Andrew

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25293 ec53bebd-3082-4978-b11e-865c3cabbd6b

kdc/misc.c

@@ -56,17 +56,39 @@ _kdc_db_fetch(krb5_context context,
     }
 
     for(i = 0; i < config->num_db; i++) {
+	krb5_principal enterprise_principal = NULL;
+	if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL) 
+	    && principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+	    if (principal->name.name_string.len != 1) {
+		ret = KRB5_PARSE_MALFORMED;
+		krb5_set_error_message(context, ret,
+				       "malformed request: "
+				       "enterprise name with %d name components",
+				       principal->name.name_string.len);
+		return ret;
+	    }
+	    ret = krb5_parse_name(context, principal->name.name_string.val[0],
+				  &enterprise_principal);
+	    if (ret)
+		return ret;
+
+	    principal = enterprise_principal;
+	}
+
 	ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
 	if (ret) {
 	    kdc_log(context, config, 0, "Failed to open database: %s",
 		    krb5_get_err_text(context, ret));
 	    continue;
 	}
+
 	ret = config->db[i]->hdb_fetch(context,
 				       config->db[i],
 				       principal,
 				       flags | HDB_F_DECRYPT,
 				       ent);
+	krb5_free_principal(context, enterprise_principal);
+
 	config->db[i]->hdb_close(context, config->db[i]);
 	if(ret == 0) {
 	    if (db)