oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

krb5: try GSS_KRB5_NT_PRINCIPAL_NAME first for PA

Browse Source 
When importing a Kerberos name for GSS pre-auth, first try to import the name
as GSS_KRB5_NT_PRINCIPAL_NAME. If that fails, fall back to GSS_C_NT_USER_NAME.
This commit is contained in:
Luke Howard
2021-08-15 09:36:35 +10:00
parent f73f08eef1
commit e840681451
1 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/gssapi/preauth/pa_common.c
View File

@@ -138,13 +138,17 @@ _krb5_gss_pa_unparse_name(krb5_context context,
name_buf.length = strlen(name); name_buf.length = strlen(name);
name_buf.value = name; name_buf.value = name;
if (principal->name.name_type == KRB5_NT_PRINCIPAL || if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL)
principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL)
name_type = GSS_C_NT_USER_NAME; name_type = GSS_C_NT_USER_NAME;
else else
name_type = GSS_KRB5_NT_PRINCIPAL_NAME; name_type = GSS_KRB5_NT_PRINCIPAL_NAME;
major = gss_import_name(&minor, &name_buf, name_type, namep); major = gss_import_name(&minor, &name_buf, name_type, namep);
if (major == GSS_S_BAD_NAMETYPE &&
gss_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) {
major = gss_import_name(&minor, &name_buf,
GSS_C_NT_USER_NAME, namep);
}
if (name != principal->name.name_string.val[0]) if (name != principal->name.name_string.val[0])
krb5_xfree(name); krb5_xfree(name);