From Andrew Bartlet via heimdal-bugs@h5l.org

s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookups

    The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail
    list user principal name) in an AS-REQ.  Evidence from the wild
    (Win2k8 reportadely) indicates that this is instead valid for all
    types of requests.

    While this is now handled in heimdal/kdc/misc.c, a flag is now defined
    in Heimdal's hdb so that we can take over this handling in future (once we start
    using a system Heimdal, and if we find out there is more to be done
    here).

    Andrew

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25293 ec53bebd-3082-4978-b11e-865c3cabbd6b

kdc/kerberos5.c

@@ -926,28 +926,12 @@ _kdc_as_rep(krb5_context context,
 	ret = KRB5KRB_ERR_GENERIC;
 	e_text = "No client in request";
     } else {
-
+	ret = _krb5_principalname2krb5_principal (context,
-	if (b->cname->name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+						  &client_princ,
-	    if (b->cname->name_string.len != 1) {
+						  *(b->cname),
-		kdc_log(context, config, 0,
+						  b->realm);
-			"AS-REQ malformed canon request from %s, "
+	if (ret)
-			"enterprise name with %d name components",
+	    goto out;
-			from, b->cname->name_string.len);
-		ret = KRB5_PARSE_MALFORMED;
-		goto out;
-	    }
-	    ret = krb5_parse_name(context, b->cname->name_string.val[0],
-				  &client_princ);
-	    if (ret)
-		goto out;
-	} else {
-	    ret = _krb5_principalname2krb5_principal (context,
-						      &client_princ,
-						      *(b->cname),
-						      b->realm);
-	    if (ret)
-		goto out;
-	}
 
 	ret = krb5_unparse_name(context, client_princ, &client_name);
     }

kdc/misc.c

@@ -56,17 +56,39 @@ _kdc_db_fetch(krb5_context context,
     }
 
     for(i = 0; i < config->num_db; i++) {
+	krb5_principal enterprise_principal = NULL;
+	if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL) 
+	    && principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+	    if (principal->name.name_string.len != 1) {
+		ret = KRB5_PARSE_MALFORMED;
+		krb5_set_error_message(context, ret,
+				       "malformed request: "
+				       "enterprise name with %d name components",
+				       principal->name.name_string.len);
+		return ret;
+	    }
+	    ret = krb5_parse_name(context, principal->name.name_string.val[0],
+				  &enterprise_principal);
+	    if (ret)
+		return ret;
+
+	    principal = enterprise_principal;
+	}
+
 	ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
 	if (ret) {
 	    kdc_log(context, config, 0, "Failed to open database: %s",
 		    krb5_get_err_text(context, ret));
 	    continue;
 	}
+
 	ret = config->db[i]->hdb_fetch(context,
 				       config->db[i],
 				       principal,
 				       flags | HDB_F_DECRYPT,
 				       ent);
+	krb5_free_principal(context, enterprise_principal);
+
 	config->db[i]->hdb_close(context, config->db[i]);
 	if(ret == 0) {
 	    if (db)

lib/hdb/hdb.h

@@ -54,6 +54,8 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_GET_ANY		28	/* fetch any of client,server,krbtgt */
 #define HDB_F_CANON		32	/* want canonicalition */
 
+#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
+
 /* key usage for master key */
 #define HDB_KU_MKEY	0x484442
 
@@ -80,7 +82,7 @@ typedef struct HDB{
     int hdb_master_key_set;
     hdb_master_key hdb_master_key;
     int hdb_openp;
-
+    int hdb_capability_flags;
     /**
      * Open (or create) the a Kerberos database.
      *
@@ -184,7 +186,7 @@ typedef struct HDB{
     krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*);
 }HDB;
 
-#define HDB_INTERFACE_VERSION	4
+#define HDB_INTERFACE_VERSION	5
 
 struct hdb_so_method {
     int version;