From: Andrew Bartlett
Date: Mon, 3 Sep 2018 00:49:40 +0000 (+1200)
Subject: heimdal: Change KDC to respect HDB server name type if f.canonicalize is set
X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=41473daf09efbc4aed7ab0961ef536f15fca84f6;p=metze%2Fsamba%2Fwip.git
heimdal: Change KDC to respect HDB server name type if f.canonicalize is set
This changes behaviour flagged as being for Java 1.6. My hope is that this does not set f.canonicalize
Signed-off-by: Andrew Bartlett
Reviewed-by: Gary Lockyer
---
diff --git a/selftest/knownfail.d/kdc-spn-is-upn b/selftest/knownfail.d/kdc-spn-is-upn
deleted file mode 100644
index 9225ec215df2..000000000000
--- a/selftest/knownfail.d/kdc-spn-is-upn
+++ /dev/null
@@ -1,16 +0,0 @@
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.no-win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.no-win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.no-win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.no-win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.no-win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.no-win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.no-win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.no-win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.win2k.spn.s4u2self
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index a3ba5fef0ee4..27d38ad84b7b 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1486,10 +1486,13 @@ _kdc_as_rep(krb5_context context,
 _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal);
 /* java 1.6 expects the name to be the same type, lets allow that
- * uncomplicated name-types. */
+ * uncomplicated name-types, when f.canonicalize is not set (to
+ * match Windows Server 1709). */
 #define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
- if (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))
+ if (!f.canonicalize
+ && (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))) {
 rep.ticket.sname.name_type = b->sname->name_type;
+ }
 #undef CNT
 et.flags.initial = 1;
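Review bot: The reworded comment above the `CNT` check never says what happens when `f.canonicalize` is set, and its parenthetical leaves unclear which branch of the new `!f.canonicalize` test is the one that matches Windows Server 1709. I would spell out both branches, for example `/* For the simple name-types, echo the requested sname name-type (java 1.6 expects this) unless the client set f.canonicalize; */` followed by `/* with canonicalize, sname keeps what _krb5_principal2principalname() copied from the HDB entry. */`, and attach the Windows reference to whichever branch it describes. The commit message only hopes that Java 1.6 does not set canonicalize, so that assumption belongs in the comment as well: a client that sets the flag and compares the returned name-type with the requested one will now see a difference. `_kdc_as_rep` begins and ends outside this hunk, so the declaration of `f` is not visible here.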