Separate enterprise and canonicalize flags
The meaning of the two flags is different, and we should not implicitly set both when only one was requested (this aligns the logic with the MIT kinit -C/-E options). Signed-off-by: Isaac Boukris <iboukris@gmail.com>

committed by
Nico Williams

parent
2ee4169dd1
commit
efb111e450
@@ -1058,7 +1058,7 @@ get_princ(krb5_context context, krb5_principal *principal, const char *name)
|
||||
user_realm = get_user_realm(context);
|
||||
|
||||
if (name) {
|
||||
if (canonicalize_flag || enterprise_flag)
|
||||
if (enterprise_flag)
|
||||
parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
|
||||
|
||||
parse_name_realm(context, name, parseflags, user_realm, &tmp);
|
||||
|
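Review bot: With the new condition, `kinit --canonicalize` on its own no longer sets KRB5_PRINCIPAL_PARSE_ENTERPRISE, so a name in the enterprise form (the `baz2@test.h5l.se@${R}` shape used in the updated test scripts) is parsed as an ordinary principal unless `--enterprise` is also given; this is a user-visible compatibility change that the kinit usage text and manual page should state explicitly, and the commit does not touch either. A one-line comment above the test would help the next reader: `/* --enterprise selects the parse flag; --canonicalize only requests KDC canonicalization (cf. MIT kinit -C/-E) */`. get_princ begins before this hunk and continues after it; where canonicalize_flag is consumed is not visible here.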
@@ -426,9 +426,7 @@ get_init_creds_common(krb5_context context,
|
||||
if (ctx->keyproc == NULL)
|
||||
ctx->keyproc = default_s2k_func;
|
||||
|
||||
/* Enterprise name implicitly turns on canonicalize */
|
||||
if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) ||
|
||||
krb5_principal_get_type(context, client) == KRB5_NT_ENTERPRISE_PRINCIPAL)
|
||||
if (ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE)
|
||||
ctx->flags.canonicalize = 1;
|
||||
|
||||
ctx->pre_auth_types = NULL;
|
||||
|
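Review bot: The removed comment was the only place recording why ctx->flags.canonicalize was set for enterprise client names, and nothing replaces it; add a comment above the new `if`, e.g. `/* Enterprise names no longer imply canonicalize; callers must set KRB5_INIT_CREDS_CANONICALIZE explicitly (cf. MIT kinit -C/-E) */`. The functional consequence is that an enterprise client principal without that flag now sends an AS-REQ without the canonicalize KDC option, so whether a reply carrying a KDC-mapped cname is accepted or rejected now depends on how ctx->flags.canonicalize is consulted in the reply-verification path, which is outside this hunk. It is worth confirming that the check of the returned client name against the requested one still applies when the flag is clear, since that check is what protects against a mismatched cname in the reply. get_init_creds_common starts before and continues past the hunk.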
@@ -202,7 +202,7 @@ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${kdestroy}
|
||||
|
||||
echo "Trying pk-init (ms upn, enterprise)"; > messages.log
|
||||
${kinit} --canonicalize \
|
||||
${kinit} --canonicalize --enterprise \
|
||||
-C FILE:${base}/pkinit4.crt,${keyfile2} baz2@test.h5l.se@${R} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
|
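Review bot: Every updated invocation here and in the four test-kdc hunks below passes `--canonicalize --enterprise` together, so the property the commit introduces — that each flag works without the other — is not exercised, and a regression that re-couples them would still pass. Consider adding one case with `--enterprise` alone on an enterprise-form name and one with `--canonicalize` alone on a plain name, e.g. (constructed from the existing lines) `${kinit} --enterprise --password-file=${objdir}/foopassword foo@${R} || { ec=1 ; eval "${testfailed}"; }`, with the expected result chosen once the KDC's handling of an enterprise name without canonicalize is confirmed. A short echo line before each new case, in the style of the surrounding `echo "..."; > messages.log` lines, would keep the log readable.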
@@ -137,7 +137,7 @@ ${klist} | grep "Principal: foo@${R}" > /dev/null || \
|
||||
${kdestroy}
|
||||
|
||||
echo "Getting client client tickets (default realm, enterprisename)"; > messages.log
|
||||
${kinit} --canonicalize \
|
||||
${kinit} --canonicalize --enterprise \
|
||||
--password-file=${objdir}/foopassword foo@${R} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
echo "checking that we got back right principal"
|
||||
@@ -146,7 +146,7 @@ ${klist} | grep "Principal: foo@${R}" > /dev/null || \
|
||||
${kdestroy}
|
||||
|
||||
echo "Getting client alias1 tickets"; > messages.log
|
||||
${kinit} --canonicalize \
|
||||
${kinit} --canonicalize --enterprise \
|
||||
--password-file=${objdir}/foopassword foo@${R} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
echo "checking that we got back right principal"
|
||||
@@ -156,7 +156,7 @@ ${kdestroy}
|
||||
|
||||
|
||||
echo "Getting client alias2 tickets"; > messages.log
|
||||
${kinit} --canonicalize \
|
||||
${kinit} --canonicalize --enterprise \
|
||||
--password-file=${objdir}/foopassword alias2@${R}@${R} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
echo "checking that we got back right principal"
|
||||
@@ -171,7 +171,7 @@ ${kinit} --password-file=${objdir}/foopassword \
|
||||
|
||||
echo "Getting client alias2 tickets (removed)"; > messages.log
|
||||
${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${kinit} --canonicalize \
|
||||
${kinit} --canonicalize --enterprise \
|
||||
--password-file=${objdir}/foopassword \
|
||||
alias2@${R}@${R} > /dev/null 2>/dev/null && \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
|