heimdal:lib/krb5: verify_logonname() to handle multi component principal
commit 47a3f9cc5a1e3de5b7eadeae5c001863c2adca2b
author Stefan Metzmacher <metze@samba.org>
Wed, 20 May 2015 13:40:58 +0000 (20 13:40 +0000)
committer Stefan Metzmacher <metze@samba.org>
Wed, 20 May 2015 17:29:30 +0000 (20 19:29 +0200)
tree 2749c29e65be8882a8afb890b7f1949a970d077c
parent 88d1b44d150c5eaeea32c08f98c2b26f44dbeede
heimdal:lib/krb5: verify_logonname() to handle multi component principal

FreeIPA can generate tickets with a client principal of
'host/hostname.example.com'.

verify_logonname() should just verify the principal name
in the PAC_LOGON_NAME is the same as the principal of
the client principal (without realm) of the ticket.

Samba commit b7cc8c1187ff967e44587cd0d09185330378f366
breaks this. We try to compare ['host']['hostname.example.com']
with ['host/hostname.example.com'] (as we interpret it as an enterprise principal);
this fails if we don't compare them as strings.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/heimdal/lib/krb5/pac.c
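
The mismatch the commit message describes, as an added example that is not the Heimdal or Samba code: a two-component ticket principal never equals the single-component enterprise-style parse of the same logon name, while comparing the realm-less string form does. `struct princ` and all function names are hypothetical, and the PAC_LOGON_NAME value is assumed to be already decoded to a C string.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified principal: name components only, no realm. */
struct princ { size_t ncomp; const char *comp[4]; };

/* Component-wise comparison: equal only if count and every component match. */
static int princ_equal_components(const struct princ *a, const struct princ *b)
{
    if (a->ncomp != b->ncomp)
        return 0;
    for (size_t i = 0; i < a->ncomp; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return 0;
    return 1;
}

/* Join components with '/' (no realm). Returns 0, or -1 if buf is too small. */
static int princ_unparse_norealm(const struct princ *p, char *buf, size_t len)
{
    size_t used = 0;
    if (len == 0)
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < p->ncomp; i++) {
        int n = snprintf(buf + used, len - used, "%s%s", i ? "/" : "", p->comp[i]);
        if (n < 0 || (size_t)n >= len - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

/* String comparison of the ticket's client principal against the logon name. */
static int logon_name_matches(const struct princ *client, const char *logon_name)
{
    char buf[256];
    if (princ_unparse_norealm(client, buf, sizeof(buf)) != 0)
        return 0; /* fail closed on truncation */
    return strcmp(buf, logon_name) == 0;
}

int main(void)
{
    /* Constructed sample values taken from the commit message. */
    struct princ ticket = { 2, { "host", "hostname.example.com" } };
    struct princ parsed = { 1, { "host/hostname.example.com" } };
    printf("component compare: %d\n", princ_equal_components(&ticket, &parsed));
    printf("string compare:    %d\n", logon_name_matches(&ticket, "host/hostname.example.com"));
    return 0;
}
```

Comparing the joined strings deliberately treats a single component containing '/' and the equivalent multi-component name as the same logon name.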