From e11abf414c4686de67593c4a036bc235b77391a3 Mon Sep 17 00:00:00 2001
From: Luke Howard 
Date: Thu, 20 Dec 2018 16:50:31 +1100
Subject: [PATCH] hdb: support "hard" alias path in AS-REQ (#452)

Adds support for "hard" aliases when initially authenticating, that is, allowing a client or server principal to be known by many names without requiring that the client support name canonicalization. In order to avoid changing the behavior for other backends such as Samba, this is implemented in the HDB backend rather than the KDC. To use, add an alias for both the client and TGS ("krbtgt") principals using kadmin. This behavior is unchanged if name canonicalization is enabled.
---
 lib/hdb/common.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/lib/hdb/common.c b/lib/hdb/common.c
index 2c8bb9f30..3b9f09f86 100644
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -119,6 +119,7 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
 if (ret)
 return ret;
 principal = enterprise_principal;
+ flags |= HDB_F_CANON; /* enterprise implies canonicalization */
 }
 
 hdb_principal2key(context, principal, &key);
@@ -129,7 +130,7 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
 if(ret)
 return ret;
 ret = hdb_value2entry(context, &value, &entry->entry);
- if (ret == ASN1_BAD_ID && (flags & HDB_F_CANON) == 0) {
+ if (ret == ASN1_BAD_ID && (flags & (HDB_F_CANON|HDB_F_FOR_AS_REQ)) == 0) {
 krb5_data_free(&value);
 return HDB_ERR_NOENTRY;
 } else if (ret == ASN1_BAD_ID) {
@@ -153,6 +154,19 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
 krb5_data_free(&value);
 return ret;
 }
+
+ if ((flags & HDB_F_FOR_AS_REQ) && (flags & HDB_F_CANON) == 0) {
+ krb5_principal tmp;
+
+ /* "hard" alias: return the principal the client asked for */
+ ret = krb5_copy_principal(context, principal, &tmp);
+ if (ret) {
+ krb5_data_free(&value);
+ return ret;
+ }
+ krb5_free_principal(context, entry->entry.principal);
+ entry->entry.principal = tmp;
+ }
 }
 krb5_data_free(&value);
 if ((flags & HDB_F_DECRYPT) && (flags & HDB_F_ALL_KVNOS)) {
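Review bot: The `if (ret)` branch after `krb5_copy_principal` in the new block returns while `entry->entry` still holds the record decoded by the preceding `hdb_value2entry`, so that entry appears to leak on this path unless callers of `_hdb_fetch_kvno` are expected to free a partially filled entry on error; `hdb_free_entry(context, entry);` next to the `krb5_data_free(&value);` would close it, or the contract for partially filled entries should be stated in a comment. Since this block deliberately hands back an entry whose `principal` is the alias rather than the stored canonical name, the `/* "hard" alias ... */` comment could also say that downstream code must not treat `entry->entry.principal` as canonical and that, as the commit message notes, the `krbtgt` entry needs a matching alias for the issued ticket to be usable. `_hdb_fetch_kvno` begins and ends outside this hunk.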