third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal...

This allows HDB backends to do special handling for
User2User TGS-REQs. The main reason is to let
the HDB_F_GET_SERVER lookup to succeed even for
non-computer accounts. In Samba these are typically
not returned in HDB_F_GET_SERVER in order to avoid
generating tickets with the user password.

But for User2User the account password is not used,
so it is safe to return the server entry.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Adapted to be an import from lorikeet-heimdal as requested]

(cherry picked from commit cbb8145d0c58b34b76a579afd81f0e19ec7106b6)

diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c
index 79dbe6622f46e703d5c520e0843b201ada4ea918..e7f0e1e49dd54a9ffde85905ed9e2fc4019fa25b 100644 (file)
--- a/third_party/heimdal/kdc/krb5tgs.c
+++ b/third_party/heimdal/kdc/krb5tgs.c
@@ -1380,6 +1380,7 @@ tgs_build_reply(astgs_request_t priv,
 
     Key *tkey_sign;
     int flags = HDB_F_FOR_TGS_REQ;
+    int server_flags;
 
     int result;
 
@@ -1401,6 +1402,10 @@ tgs_build_reply(astgs_request_t priv,
     if (b->kdc_options.canonicalize)
        flags |= HDB_F_CANON;
 
+    server_flags = HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags;
+    if (b->kdc_options.enc_tkt_in_skey)
+       server_flags |= HDB_F_USER2USER_PRINCIPAL;
+
     if (s == NULL) {
        ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
         _kdc_set_const_e_text(priv, "No server in request");
@@ -1438,7 +1443,7 @@ server_lookup:
         _kdc_free_ent(context, serverdb, priv->server);
     priv->server = NULL;
     ret = _kdc_db_fetch(context, config, priv->server_princ,
-                        HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags,
+                        server_flags,
                        NULL, &serverdb, &priv->server);
     priv->serverdb = serverdb;
     if (ret == HDB_ERR_NOT_FOUND_HERE) {

diff --git a/third_party/heimdal/lib/hdb/hdb.h b/third_party/heimdal/lib/hdb/hdb.h
index 6534766a18cf2d11474ea34d72c43acbc9b47c22..bd40e5a57690e22969f96f331201f9b9ec4a4980 100644 (file)
--- a/third_party/heimdal/lib/hdb/hdb.h
+++ b/third_party/heimdal/lib/hdb/hdb.h
@@ -78,6 +78,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_SYNTHETIC_OK     0x10000 /* synthetic principal for PKINIT or GSS preauth OK */
 #define HDB_F_GET_FAST_COOKIE  0x20000 /* fetch the FX-COOKIE key (not a normal principal) */
 #define HDB_F_ARMOR_PRINCIPAL  0x40000 /* fetch is for the client of an armor ticket */
+#define HDB_F_USER2USER_PRINCIPAL      0x80000 /* fetch is for the server of a user2user tgs-req */
 
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1