[26623] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.8]: Use correct name-type in TGS-REQs for 2008R2
daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Jun 15 14:44:18 2012
Date: Fri, 15 Jun 2012 14:43:58 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201206151843.q5FIhwAX013275@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/442a15f9debdad1fc8ef7c79fe1ca9f3aa8e0cd7
commit 442a15f9debdad1fc8ef7c79fe1ca9f3aa8e0cd7
Author: Tom Yu <tlyu@mit.edu>
Date: Fri Apr 27 22:40:21 2012 +0000
Use correct name-type in TGS-REQs for 2008R2 RODCs
Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST
in TGS-REQs. (Previously, only AS-REQs had the name-type set in this
way.) Windows Server 2008 R2 read-only domain controllers (RODCs)
insist on having the correct name-type for the TGS principal in
TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case.
Thanks to Sebastian Galiano for reporting this bug and helping with
testing.
(backported from commit 5994d8928b8ff88751b14bc60c7d7bfce8b30e57)
ticket: 7176 (new)
version_fixed: 1.8.7
status: resolved
src/lib/krb5/krb/fwd_tgt.c | 12 ++++--------
src/lib/krb5/krb/tgtname.c | 19 +++++++++++++++----
2 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index 5725e49..2fcb419 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -29,6 +29,7 @@
#ifdef HAVE_MEMORY_H
#include <memory.h>
#endif
+#include "int-proto.h"
/* helper function: convert flags to necessary KDC options */
#define flags2options(flags) (flags & KDC_TKT_COMMON_MASK)
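Review bot: the added `#include "int-proto.h"` is placed after the `HAVE_MEMORY_H` block rather than with the other krb5-internal includes above it; that is a style nit only. Functionally it is needed because the next hunk switches this file to `krb5_tgtname()`, which is a library-internal helper rather than a public API, so its prototype has to come from the internal header; worth confirming in review that `int-proto.h` is indeed where `krb5_tgtname` is declared, since nothing else in the diff shows that.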
@@ -99,14 +100,9 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r
if ((retval = krb5_copy_principal(context, client, &creds.client)))
goto errout;
- if ((retval = krb5_build_principal_ext(context, &creds.server,
- client->realm.length,
- client->realm.data,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME,
- client->realm.length,
- client->realm.data,
- 0)))
+ retval = krb5_tgtname(context, &client->realm, &client->realm,
+ &creds.server);
+ if (retval)
goto errout;
/* fetch tgt directly from cache */
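Review bot: the replacement preserves behaviour exactly, because the removed `krb5_build_principal_ext()` call used `client->realm` for both the principal realm and the instance component, and the new call passes `&client->realm` as both the `server` and `client` arguments of `krb5_tgtname()`; with identical arguments the (server, client) parameter order cannot be swapped by mistake here, but it is easy to get wrong at call sites where the two realms differ, so a short comment saying the TGT sought is `krbtgt/<client realm>@<client realm>` would help. Splitting the assignment out of the `if` (`retval = krb5_tgtname(...); if (retval) goto errout;`) is clearer than the nested-assignment form it replaces. One thing not visible in the hunk: `creds.server` is now allocated by `krb5_tgtname()` before the `errout` label is reached, so the cleanup path must still free `creds` on that error, as it presumably did for the old call.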
diff --git a/src/lib/krb5/krb/tgtname.c b/src/lib/krb5/krb/tgtname.c
index cfd01cb..f509829 100644
--- a/src/lib/krb5/krb/tgtname.c
+++ b/src/lib/krb5/krb/tgtname.c
@@ -36,8 +36,19 @@
krb5_error_code
krb5_tgtname(krb5_context context, const krb5_data *server, const krb5_data *client, krb5_principal *tgtprinc)
{
- return krb5_build_principal_ext(context, tgtprinc, client->length, client->data,
- KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
- server->length, server->data,
- 0);
+ krb5_error_code ret;
+
+ ret = krb5_build_principal_ext(context, tgtprinc, client->length, client->data,
+ KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
+ server->length, server->data,
+ 0);
+ if (ret)
+ return ret;
+ /*
+ * Windows Server 2008 R2 RODC insists on TGS principal names having the
+ * right name type.
+ */
+ krb5_princ_type(context, *tgtprinc) = KRB5_NT_SRV_INST;
+
+ return ret;
}
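Review bot: the final `return ret;` always returns 0, since every nonzero `ret` has already been returned by the `if (ret) return ret;` above it; `return 0;` would state that intent directly and avoids a reader wondering whether the name-type assignment can fail. `krb5_princ_type(context, *tgtprinc) = KRB5_NT_SRV_INST;` relies on `krb5_princ_type` being an lvalue-yielding macro, which is how it is used elsewhere in libkrb5, so that is fine. Note the scope of the change: `krb5_tgtname()` is the shared constructor for TGS principal names, so after this hunk every caller (not only `krb5_fwd_tgt_creds()`) now emits `KRB5_NT_SRV_INST`; that matches the commit message, which says AS-REQs already set this name-type and that 2008 R2 RODCs demand it in TGS-REQs too, but it would be worth noting in the comment that the type is now set for all TGS principals built through this function.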
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5