From 94fa28979065556a8c0fa71095d87a15c9c6488c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 16 Oct 2023 12:33:15 +1300
Subject: [PATCH] third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))

This allows HDB backends to do special handling for User2User TGS-REQs. The main reason is to let the HDB_F_GET_SERVER lookup to succeed even for non-computer accounts. In Samba these are typically not returned in HDB_F_GET_SERVER in order to avoid generating tickets with the user password. But for User2User the account password is not used, so it is safe to return the server entry.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
[abartlet@samba.org Adapted to be an import from lorikeet-heimdal as requested]
(cherry picked from commit cbb8145d0c58b34b76a579afd81f0e19ec7106b6)
---
 third_party/heimdal/kdc/krb5tgs.c | 7 ++++++-
 third_party/heimdal/lib/hdb/hdb.h | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c
index 79dbe6622f4..e7f0e1e49dd 100644
--- a/third_party/heimdal/kdc/krb5tgs.c
+++ b/third_party/heimdal/kdc/krb5tgs.c
@@ -1380,6 +1380,7 @@ tgs_build_reply(astgs_request_t priv,
 Key *tkey_sign;
 int flags = HDB_F_FOR_TGS_REQ;
+ int server_flags;
 int result;
@@ -1401,6 +1402,10 @@ tgs_build_reply(astgs_request_t priv,
 if (b->kdc_options.canonicalize)
 flags |= HDB_F_CANON;
+ server_flags = HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags;
+ if (b->kdc_options.enc_tkt_in_skey)
+ server_flags |= HDB_F_USER2USER_PRINCIPAL;
+
 if (s == NULL) {
 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
 _kdc_set_const_e_text(priv, "No server in request");
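Review bot: The new `server_flags |= HDB_F_USER2USER_PRINCIPAL` line is driven entirely by `b->kdc_options.enc_tkt_in_skey`, a bit the requester sets in the TGS-REQ body, and per the commit message a backend honouring it will return server entries it otherwise withholds precisely because their long-term keys must not end up encrypting tickets. That is only sound if the ticket-encryption path later in tgs_build_reply always takes the key from the additional ticket when enc_tkt_in_skey is set and never falls back to the fetched entry's keys; that path is outside this hunk, so it is worth confirming and recording the dependency next to the assignment, e.g. `/* U2U: backend may return entries whose keys must not be used; the ticket key comes from the additional ticket, never from this entry */`. Separately, `server_flags` snapshots `flags` at this point, so any later `flags |= ...` before the `server_lookup:` label would not reach the server fetch, which is fine only if `flags` is not modified in between (not visible here). tgs_build_reply starts and continues outside the hunk.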
@@ -1438,7 +1443,7 @@ server_lookup:
 _kdc_free_ent(context, serverdb, priv->server);
 priv->server = NULL;
 ret = _kdc_db_fetch(context, config, priv->server_princ,
- HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags,
+ server_flags,
 NULL, &serverdb, &priv->server);
 priv->serverdb = serverdb;
 if (ret == HDB_ERR_NOT_FOUND_HERE) {
diff --git a/third_party/heimdal/lib/hdb/hdb.h b/third_party/heimdal/lib/hdb/hdb.h
index 6534766a18c..bd40e5a5769 100644
--- a/third_party/heimdal/lib/hdb/hdb.h
+++ b/third_party/heimdal/lib/hdb/hdb.h
@@ -78,6 +78,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_SYNTHETIC_OK 0x10000 /* synthetic principal for PKINIT or GSS preauth OK */
 #define HDB_F_GET_FAST_COOKIE 0x20000 /* fetch the FX-COOKIE key (not a normal principal) */
 #define HDB_F_ARMOR_PRINCIPAL 0x40000 /* fetch is for the client of an armor ticket */
+#define HDB_F_USER2USER_PRINCIPAL 0x80000 /* fetch is for the server of a user2user tgs-req */
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
-- 
2.11.4.GIT
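Review bot: The comment on the new `HDB_F_USER2USER_PRINCIPAL` define in hdb.h says what the fetch is for but not what a backend is allowed to do differently, which according to the commit message is the whole purpose of the bit. Since a backend is expected to relax its HDB_F_GET_SERVER filtering on the strength of this flag, the header should state the contract both sides rely on, e.g. `/* fetch is for the server of a user2user tgs-req: the entry's long-term keys are not used to encrypt the ticket, so backends may return entries they would otherwise hide from HDB_F_GET_SERVER */`. It would also help to say that the KDC sets the bit from the request's enc_tkt_in_skey option, so backends must not read it as an assertion of anything beyond that.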