[30318] in CVS-changelog-for-Kerberos-V5
krb5 commit: Start S4U2Self realm lookup at server realm
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Oct 23 17:40:44 2018
Date: Tue, 23 Oct 2018 17:40:10 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201810232140.w9NLeACv024658@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
https://github.com/krb5/krb5/commit/a7020d32cf4c7692aec1903e7818d779713ecd43
commit a7020d32cf4c7692aec1903e7818d779713ecd43
Author: Isaac Boukris <iboukris@gmail.com>
Date: Tue Oct 23 12:52:41 2018 +0300
Start S4U2Self realm lookup at server realm
When looking up the realm of an enterprise principal, start with the
realm of the server instead of the realm attached to the enterprise
name, as specified in [MS-SFU] 3.1.5.1.1.1.
[ghudson@mit.edu: simplified out client_data+client into just client;
edited commit message]
ticket: 8757 (new)
src/lib/krb5/krb/s4u_creds.c | 23 +++++++++++------------
1 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 91c02aa..d2fdcb3 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -63,8 +63,7 @@ s4u_identify_user(krb5_context context,
krb5_creds creds;
int use_master = 0;
krb5_get_init_creds_opt *opts = NULL;
- krb5_principal_data client_data;
- krb5_principal client;
+ krb5_principal_data client;
krb5_s4u_userid userid;
*canon_user = NULL;
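Review bot: The declaration `krb5_principal_data client;` replaces a pointer with a struct that the next hunk fills by shallow copy (`client = *in_creds->client;`), so its `data` and `realm` members point at memory owned by `in_creds`. Add a short comment at the declaration saying that `client` is a borrowed working copy and must not be passed to any principal-freeing routine. Also confirm that no other use of `client` later in the function still expects a pointer, since the `k5_get_init_creds` call is the only use updated in the visible lines.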
@@ -102,19 +101,19 @@ s4u_identify_user(krb5_context context,
krb5_get_init_creds_opt_set_canonicalize(opts, 1);
krb5_get_init_creds_opt_set_preauth_list(opts, ptypes, 1);
- if (in_creds->client != NULL)
- client = in_creds->client;
- else {
- client_data.magic = KV5M_PRINCIPAL;
- client_data.realm = in_creds->server->realm;
+ if (in_creds->client != NULL) {
+ client = *in_creds->client;
+ client.realm = in_creds->server->realm;
+ } else {
+ client.magic = KV5M_PRINCIPAL;
+ client.realm = in_creds->server->realm;
/* should this be NULL, empty or a fixed string? XXX */
- client_data.data = NULL;
- client_data.length = 0;
- client_data.type = KRB5_NT_ENTERPRISE_PRINCIPAL;
- client = &client_data;
+ client.data = NULL;
+ client.length = 0;
+ client.type = KRB5_NT_ENTERPRISE_PRINCIPAL;
}
- code = k5_get_init_creds(context, &creds, client, NULL, NULL, 0, NULL,
+ code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL,
opts, krb5_get_as_key_noop, &userid, &use_master,
NULL);
if (code == 0 || code == KRB5_PREAUTH_FAILED) {
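Review bot: In the `in_creds->client != NULL` branch the realm is overwritten with `in_creds->server->realm` without any check of `client.type`, while the commit message scopes the change to enterprise principals. If nothing earlier in the function short-circuits non-enterprise names, a caller-supplied realm on an ordinary principal would be silently replaced; either test for `KRB5_NT_ENTERPRISE_PRINCIPAL` here or add a comment naming the earlier check that guarantees it. As a style point, `client.realm = in_creds->server->realm;` is now identical in both branches and could move below the if/else, with a comment citing [MS-SFU] 3.1.5.1.1.1 to explain why the caller's realm is discarded.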