kdc: fix kx509 service principal match

Each KDC is a kx509 server.  The service principal must be of the
form

  kca_service/<localhost.domain>@<DEFAULT_REALM>

where localhost.domain is the hostname returned by gethostname()
and <DEFAULT_REALM> is one of the realms for which the KDC has a service
principal "kca_service/<localhost.domain>".

The matching code was broken by a5e77c578e
when krb5_sname_to_principal() began to always return a referral
principal.

Since the second component is a host name, update the default principal
type for service "kca_service" to be KRB5_NT_SRV_HST.

Change-Id: I6bd5f90b674ebb7220d8efafa6d339fdc21e1a07
Jeffrey Altman
2017-01-20 17:56:54 -05:00
parent 656e4c4f42
commit ec39b832ff
2 changed files with 51 additions and 31 deletions

@@ -70,6 +70,8 @@ set_default_princ_type(krb5_principal p, NAME_TYPE defnt)
princ_type(p) = KRB5_NT_SRV_INST;
else if (princ_num_comp(p) > 1 && strcmp(princ_ncomp(p, 0), "host") == 0)
princ_type(p) = KRB5_NT_SRV_HST;
else if (princ_num_comp(p) > 1 && strcmp(princ_ncomp(p, 0), "kca_service") == 0)
princ_type(p) = KRB5_NT_SRV_HST;
else if (princ_num_comp(p) == 2 &&
strcmp(princ_ncomp(p, 0), KRB5_WELLKNOWN_NAME) == 0)
princ_type(p) = KRB5_NT_WELLKNOWN;
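
Review bot: The added `else if` for "kca_service" tests `princ_num_comp(p) > 1`, so any principal with two or more components whose first component is "kca_service" is typed KRB5_NT_SRV_HST, while the commit message describes a strictly two-component form, kca_service/<localhost.domain>. If only that form is meant to be treated as host-based, `princ_num_comp(p) == 2` (as the KRB5_WELLKNOWN_NAME branch just below does) would keep longer names from being handled as host-based service names; if the `> 1` is deliberate to mirror the "host" branch above, a short comment saying so would help. The two branches now have identical bodies and could be merged into one condition, and the "kca_service" literal would be better as a named constant shared with the kx509 matching code that this commit also changes but that is not visible in this hunk.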