Separate enterprise and canonicalize flags

The meaning of the two flags is different, and we should
not implicitly set both when only one was requested (this
aligns the logic with the MIT kinit -C/-E options).

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Isaac Boukris
2018-12-24 17:15:53 +02:00
committed by Nico Williams
parent 2ee4169dd1
commit efb111e450
4 changed files with 7 additions and 9 deletions


@@ -1058,7 +1058,7 @@ get_princ(krb5_context context, krb5_principal *principal, const char *name)
user_realm = get_user_realm(context);
if (name) {
if (canonicalize_flag || enterprise_flag)
if (enterprise_flag)
parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
parse_name_realm(context, name, parseflags, user_realm, &tmp);
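Review bot: The new `if (enterprise_flag)` keeps its one-statement body unbraced and, more importantly, silently drops the previous behaviour where `--canonicalize` alone selected enterprise-name parsing, with nothing at the site saying the two options are now independent. get_princ's body continues outside the hunk, so a reader only sees that the parse flag depends on enterprise_flag. Suggest a comment above the check: `/* -E only selects enterprise-name parsing; -C is handled separately when the request is built */`. A name with two `@` given with `--canonicalize` alone presumably now goes through the ordinary parser, so any help text or manual page stating that canonicalize implies enterprise should be updated in the same change (not visible here).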


@@ -426,9 +426,7 @@ get_init_creds_common(krb5_context context,
if (ctx->keyproc == NULL)
ctx->keyproc = default_s2k_func;
/* Enterprise name implicitly turns on canonicalize */
if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) ||
krb5_principal_get_type(context, client) == KRB5_NT_ENTERPRISE_PRINCIPAL)
if (ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE)
ctx->flags.canonicalize = 1;
ctx->pre_auth_types = NULL;
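Review bot: The removed comment is not replaced, so the reason an enterprise client name no longer sets `ctx->flags.canonicalize` is lost at the one place a maintainer will look; suggest `/* Canonicalize only when explicitly requested; an enterprise name no longer implies it (matches MIT kinit -C/-E). */` above the remaining `if`. With the implication gone, a request for an enterprise principal is sent without the canonicalize option unless the caller set KRB5_INIT_CREDS_CANONICALIZE, and whether the reply-principal validation later in get_init_creds_common (the body runs past this hunk) accepts a KDC that canonicalizes such a name anyway is not visible here and is worth a dedicated test rather than relying on the updated scripts alone.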


@@ -202,7 +202,7 @@ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "Trying pk-init (ms upn, enterprise)"; > messages.log
${kinit} --canonicalize \
${kinit} --canonicalize --enterprise \
-C FILE:${base}/pkinit4.crt,${keyfile2} baz2@test.h5l.se@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
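Review bot: The pk-init enterprise case now passes both flags, but the test still only asserts that kinit and kgetcred succeed; it never checks which client principal came back, which is the observable difference between canonicalize on and off. If the expected canonical name for this case is known, a `${klist} | grep "Principal: ..."` step like the one used in the other test script would pin it. The script continues outside the hunk, so a check may already exist further down; if so, ignore this.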


@@ -137,7 +137,7 @@ ${klist} | grep "Principal: foo@${R}" > /dev/null || \
${kdestroy}
echo "Getting client client tickets (default realm, enterprisename)"; > messages.log
${kinit} --canonicalize \
${kinit} --canonicalize --enterprise \
--password-file=${objdir}/foopassword foo@${R} || \
{ ec=1 ; eval "${testfailed}"; }
echo "checking that we got back right principal"
@@ -146,7 +146,7 @@ ${klist} | grep "Principal: foo@${R}" > /dev/null || \
${kdestroy}
echo "Getting client alias1 tickets"; > messages.log
${kinit} --canonicalize \
${kinit} --canonicalize --enterprise \
--password-file=${objdir}/foopassword foo@${R} || \
{ ec=1 ; eval "${testfailed}"; }
echo "checking that we got back right principal"
@@ -156,7 +156,7 @@ ${kdestroy}
echo "Getting client alias2 tickets"; > messages.log
${kinit} --canonicalize \
${kinit} --canonicalize --enterprise \
--password-file=${objdir}/foopassword alias2@${R}@${R} || \
{ ec=1 ; eval "${testfailed}"; }
echo "checking that we got back right principal"
@@ -171,7 +171,7 @@ ${kinit} --password-file=${objdir}/foopassword \
echo "Getting client alias2 tickets (removed)"; > messages.log
${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; }
${kinit} --canonicalize \
${kinit} --canonicalize --enterprise \
--password-file=${objdir}/foopassword \
alias2@${R}@${R} > /dev/null 2>/dev/null && \
{ ec=1 ; eval "${testfailed}"; }
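Review bot: Every kinit call in this section now uses `--canonicalize --enterprise` (the first hunk and likewise the hunks at @@ -146, @@ -156 and @@ -171), so no case in this script exercises `--canonicalize` on its own any more, which is exactly the path whose behaviour this commit changes. Consider keeping one plain-name case, for example the first hunk's `foo@${R}` call as `${kinit} --canonicalize \` without `--enterprise`, and letting the existing "checking that we got back right principal" step assert the result. The `alias2@${R}@${R}` cases are presumably the ones that genuinely need `--enterprise`, if the second `@` is meant to be parsed as an enterprise name; the `foo@${R}` cases do not obviously need it.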