kdc: Fix S4U2Self handling with KRB5_NT_ENTERPRISE_PRINCIPAL containing a UPN
authorAndrew Bartlett <abartlet@samba.org>
Mon, 9 Mar 2015 03:00:56 +0000 (16:00 +1300)
committerStefan Metzmacher <metze@samba.org>
Mon, 9 Mar 2015 08:35:05 +0000 (09:35 +0100)
This is now handled properly by samba_kdc_lookup_server() and this wrapper actually
breaks things.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/kdc/db-glue.c

index aa7364182ac0521593f02b845d06ad4012d2d2ea..0bc907ef6093f182b7c56da98f000b798f2d822b 100644 (file)
@@ -1839,7 +1839,6 @@ samba_kdc_check_s4u2self(krb5_context context,
                         krb5_const_principal target_principal)
 {
        krb5_error_code ret;
-       krb5_principal enterprise_prinicpal = NULL;
        struct ldb_dn *realm_dn;
        struct ldb_message *msg;
        struct dom_sid *orig_sid;
@@ -1857,30 +1856,10 @@ samba_kdc_check_s4u2self(krb5_context context,
                return ret;
        }
 
-       if (target_principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
-               /* Need to reparse the enterprise principal to find the real target */
-               if (target_principal->name.name_string.len != 1) {
-                       ret = KRB5_PARSE_MALFORMED;
-                       krb5_set_error_message(context, ret, "samba_kdc_check_s4u2self: request for delegation to enterprise principal with wrong (%d) number of components",
-                                              target_principal->name.name_string.len);
-                       talloc_free(mem_ctx);
-                       return ret;
-               }
-               ret = krb5_parse_name(context, target_principal->name.name_string.val[0],
-                                     &enterprise_prinicpal);
-               if (ret) {
-                       talloc_free(mem_ctx);
-                       return ret;
-               }
-               target_principal = enterprise_prinicpal;
-       }
-
        ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, target_principal,
                                      HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
                                      delegation_check_attrs, &realm_dn, &msg);
 
-       krb5_free_principal(context, enterprise_prinicpal);
-
        if (ret != 0) {
                talloc_free(mem_ctx);
                return ret;
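Review bot: With the local reparse removed, the call at `ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, target_principal,` now relies entirely on samba_kdc_lookup_server() to resolve a KRB5_NT_ENTERPRISE_PRINCIPAL target and to reject one whose component count is not 1, which this function used to do itself with KRB5_PARSE_MALFORMED; the commit message asserts that, but nothing in the hunk shows it. A comment above the call would keep that contract visible to the next reader: `/* Enterprise-principal (UPN) targets are resolved and validated inside samba_kdc_lookup_server(); do not reparse them here. */`. The dropped check also means an enterprise name with the wrong component count presumably now surfaces as whatever error the lookup returns rather than KRB5_PARSE_MALFORMED, which is worth confirming against callers that match on the error code. The enclosing samba_kdc_check_s4u2self() starts before the first hunk and its body continues past this one.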