From e48d136e3a5c89c9bab8ea898775fad1449d2f96 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 11 Mar 2015 15:57:06 +1300 Subject: [PATCH] auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison This ensures that if an enterprise principal is used, we do the comparison properly This matters as in the enterprise case, which can be triggered by MIT kinit -E, does not use canonicalization, and so the enterprise name, with the @ in it, is in the logon name. Otherwise, we get errors like: Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Reviewed-by: Guenther Deschner --- auth/kerberos/kerberos_pac.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c index 8f55c8ff6a4..32d9d7fad0e 100644 --- a/auth/kerberos/kerberos_pac.c +++ b/auth/kerberos/kerberos_pac.c @@ -106,7 +106,6 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, DATA_BLOB modified_pac_blob; NTTIME tgs_authtime_nttime; - krb5_principal client_principal_pac = NULL; int i; struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL; @@ -357,28 +356,30 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, } if (client_principal) { - ret = smb_krb5_parse_name_norealm(context, - logon_name->account_name, - &client_principal_pac); + char *client_principal_string; + ret = krb5_unparse_name_flags(context, client_principal, + KRB5_PRINCIPAL_UNPARSE_NO_REALM|KRB5_PRINCIPAL_UNPARSE_DISPLAY, + &client_principal_string); if (ret) { - DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n", + DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n", logon_name->account_name, error_message(ret))); talloc_free(tmp_ctx); return NT_STATUS_INVALID_PARAMETER; } - bool_ret = smb_krb5_principal_compare_any_realm(context, - client_principal, - client_principal_pac); - - krb5_free_principal(context, client_principal_pac); + bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0; if (!bool_ret) { DEBUG(2, ("Name in PAC [%s] does not match principal name " - "in ticket\n", logon_name->account_name)); + "in ticket [%s]\n", + logon_name->account_name, + client_principal_string)); + SAFE_FREE(client_principal_string); talloc_free(tmp_ctx); return NT_STATUS_ACCESS_DENIED; } + SAFE_FREE(client_principal_string); + } DEBUG(3,("Found account name from PAC: %s [%s]\n", -- 2.11.4.GIT