heimdal: Change KDC to respect HDB server name type if f.canonicalize is set
authorAndrew Bartlett <abartlet@samba.org>
Mon, 3 Sep 2018 00:49:40 +0000 (12:49 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 5 Sep 2018 09:42:26 +0000 (11:42 +0200)
This changes behaviour flagged as being for Java 1.6.  My hope is that Java 1.6 does not
set f.canonicalize

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
selftest/knownfail.d/kdc-spn-is-upn [deleted file]
source4/heimdal/kdc/kerberos5.c

diff --git a/selftest/knownfail.d/kdc-spn-is-upn b/selftest/knownfail.d/kdc-spn-is-upn
deleted file mode 100644 (file)
index 9225ec2..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.no-win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.no-win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.no-win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.no-win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.win2k.spn.normal
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.no-win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.no-win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.no-win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.no-win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.win2k.spn.s4u2self
-^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.win2k.spn.s4u2self
index a3ba5fef0ee44ea52730cd49d48bd90fca4b1a02..27d38ad84b7be019600f06d82bda8c8b31ad64d0 100644 (file)
@@ -1486,10 +1486,13 @@ _kdc_as_rep(krb5_context context,
     _krb5_principal2principalname(&rep.ticket.sname,
                                  server->entry.principal);
     /* java 1.6 expects the name to be the same type, lets allow that
-     * uncomplicated name-types. */
+     * uncomplicated name-types, when f.canonicalize is not set (to
+     * match Windows Server 1709). */
 #define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
-    if (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))
+    if (!f.canonicalize
+       && (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))) {
        rep.ticket.sname.name_type = b->sname->name_type;
+    }
 #undef CNT
 
     et.flags.initial = 1;
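Review bot: The comment above the `CNT` check is hard to parse ("lets allow that uncomplicated name-types") and does not say what the reply carries when `f.canonicalize` is set, which is now the security-relevant half of the behaviour. From the visible lines, in that case `rep.ticket.sname.name_type` stays as `_krb5_principal2principalname()` filled it from `server->entry.principal`; the client-supplied type is echoed only for the five listed types, and only when canonicalization was not requested. I would reword it along the lines of `/* Without f.canonicalize, echo the requested sname name-type for the simple types (Java 1.6 expects it to match); with it, keep the type from the HDB entry, matching Windows Server 1709. */`. `_kdc_as_rep` starts and ends outside the hunk, so the declaration of `f` is not visible here; presumably it is the request's KDC options, which is worth confirming.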