krb5 commit: Remove KRB5_KDB_FLAG_ALIAS_OK

Greg Hudson ghudson at mit.edu
Sat Dec 28 01:16:18 EST 2019


https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148
commit ac8865a22138ab0c657208c41be8fd6bc7968148
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Thu Dec 26 00:23:21 2019 +0100

    Remove KRB5_KDB_FLAG_ALIAS_OK
    
    It is simpler and more consistent with Windows to let the KDB module
    always return aliases, and use KDC logic (already present) to decide
    whether to use the requested or canonical principal name in the
    ticket.
    
    With the removal of this flag, "kinit alias" (without the -C flag)
    against the LDAP KDB module will issue a ticket for the alias name,
    instead of failing with a "client not found" error.
    
    [ghudson at mit.edu: edited comments; wrote commit message]
    
    ticket: 8859 (new)

 src/include/kdb.h                                  |   14 +++-----------
 src/kdc/do_as_req.c                                |    7 +------
 src/kdc/do_tgs_req.c                               |    1 -
 src/kdc/kdc_preauth.c                              |    2 +-
 src/kdc/kdc_util.c                                 |    5 ++---
 src/lib/kadm5/srv/server_kdb.c                     |    3 +--
 src/lib/kdb/kdb5.c                                 |    3 +--
 src/lib/kdb/kdb_default.c                          |    3 +--
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |   15 ++++++---------
 src/plugins/kdb/test/kdb_test.c                    |   14 +++++---------
 src/tests/t_kdb.py                                 |    5 +++--
 11 files changed, 24 insertions(+), 48 deletions(-)

diff --git a/src/include/kdb.h b/src/include/kdb.h
index fc9400b..7f1362d 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -121,8 +121,6 @@
 #define KRB5_KDB_FLAG_USER_TO_USER              0x00000800
 /* Cross-realm */
 #define KRB5_KDB_FLAG_CROSS_REALM               0x00001000
-/* Allow in-realm aliases */
-#define KRB5_KDB_FLAG_ALIAS_OK                  0x00002000
 /* Issuing referral */
 #define KRB5_KDB_FLAG_ISSUING_REFERRAL          0x00004000
 
@@ -1047,15 +1045,9 @@ typedef struct _kdb_vftabl {
      *     part of the realm being served, and a referral or alternate TGT will
      *     be issued instead.
      *
-     * KRB5_KDB_FLAG_ALIAS_OK: Set by the KDC for server principal lookups and
-     *     for AS request client principal lookups with canonicalization
-     *     requested; also set by the admin interface.  Determines whether the
-     *     module should return in-realm aliases.
-     *
-     * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set,
-     * or if search_for->type is KRB5_NT_ENTERPRISE_PRINCIPAL.  To return an
-     * in-realm alias, fill in a different value for entries->princ than the
-     * one requested.
+     * A module may return an in-realm alias by setting (*entry)->princ to the
+     * canonical name.  The KDC will decide based on the request whether to use
+     * the requested name or the canonical name in the issued ticket.
      *
      * A module can return a referral to another realm if
      * KRB5_KDB_FLAG_CANONICALIZE is set, or if
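Review bot: The rewritten contract says a module "may" return an in-realm alias, but with the flag removed callers can no longer signal whether aliases are acceptable, so a module that still declines to return alias matches will make the KDC report the principal as unknown; the wording should state the expectation unconditionally. Suggest rewording the first sentence to `* A module must return an entry for an in-realm alias, setting (*entry)->princ to the canonical name; callers no longer indicate whether aliases are acceptable.` and keeping the sentence about the KDC choosing the name. The comment block continues outside the hunk.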
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index fcff99f..87dd7e9 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -596,11 +596,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
      * of cross realm TGS entries.
      */
     setflag(state->c_flags, KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY);
-    /* Enterprise principals are implicitly alias-ok. */
-    if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE) ||
-        state->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
-        setflag(state->c_flags, KRB5_KDB_FLAG_ALIAS_OK);
-    }
+
     if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
         setflag(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE);
     }
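Review bot: The removed comment at the client-lookup setup is not replaced, so nothing at this point in process_as_req records that alias resolution is now unconditional in the module and that the requested-versus-canonical name choice is made later, which is what the following KRB5_KDB_FLAG_CANONICALIZE block relies on. Suggest a comment on the line left blank: `/* The KDB module always resolves aliases; the KDC decides later whether to use the requested or canonical name in the ticket. */`. The same applies to the s_flags setup in the second hunk of this file. process_as_req continues outside the hunk.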
@@ -639,7 +635,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     au_state->stage = SRVC_PRINC;
 
     s_flags = 0;
-    setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
     if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
         setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
     }
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 0524075..dfb5205 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -238,7 +238,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
     /* XXX make sure server here has the proper realm...taken from AP_REQ
        header? */
 
-    setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
     if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
         setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
         setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 3016ace..a303bfd 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -489,7 +489,7 @@ match_client(krb5_context context, krb5_kdcpreauth_rock rock,
         krb5_principal_compare(context, princ, client))
         return TRUE;
 
-    if (krb5_db_get_principal(context, princ, KRB5_KDB_FLAG_ALIAS_OK, &ent))
+    if (krb5_db_get_principal(context, princ, 0, &ent))
         return FALSE;
     match = krb5_principal_compare(context, ent->princ, client);
     krb5_db_free_principal(context, ent);
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 1982334..d0fd5d7 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -403,9 +403,8 @@ kdc_rd_ap_req(kdc_realm_t *kdc_active_realm,
         match_enctype = 0;
     }
 
-    retval = kdc_get_server_key(kdc_context, apreq->ticket,
-                                KRB5_KDB_FLAG_ALIAS_OK, match_enctype, server,
-                                NULL, NULL);
+    retval = kdc_get_server_key(kdc_context, apreq->ticket, 0, match_enctype,
+                                server, NULL, NULL);
     if (retval)
         return retval;
 
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index f4b8aef..0ddfa4c 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -264,8 +264,7 @@ kdb_get_entry(kadm5_server_handle_t handle,
 
     *kdb_ptr = NULL;
 
-    ret = krb5_db_get_principal(handle->context, principal,
-                                KRB5_KDB_FLAG_ALIAS_OK, &kdb);
+    ret = krb5_db_get_principal(handle->context, principal, 0, &kdb);
     if (ret == KRB5_KDB_NOENTRY)
         return(KADM5_UNK_PRINC);
     if (ret)
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 9001fb7..a3fc0bf 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -1038,8 +1038,7 @@ krb5_db_rename_principal(krb5_context kcontext, krb5_principal source,
         logging(kcontext))
         return KRB5_PLUGIN_OP_NOTSUPP;
 
-    status = krb5_db_get_principal(kcontext, target, KRB5_KDB_FLAG_ALIAS_OK,
-                                   &entry);
+    status = krb5_db_get_principal(kcontext, target, 0, &entry);
     if (status == 0) {
         krb5_db_free_principal(kcontext, entry);
         return KRB5_KDB_INUSE;
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 231a0d8..526ddd2 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -524,8 +524,7 @@ krb5_db_def_rename_principal(krb5_context kcontext,
     if (source == NULL || target == NULL)
         return EINVAL;
 
-    ret = krb5_db_get_principal(kcontext, source, KRB5_KDB_FLAG_ALIAS_OK,
-                                &kdb);
+    ret = krb5_db_get_principal(kcontext, source, 0, &kdb);
     if (ret)
         goto cleanup;
 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ee9c028..564093f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -189,15 +189,12 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
             if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
                 if (values[0] && strcmp(values[0], user) != 0) {
                     /* We matched an alias, not the canonical name. */
-                    if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
-                        st = krb5_ldap_parse_principal_name(values[0], &cname);
-                        if (st != 0)
-                            goto cleanup;
-                        st = krb5_parse_name(context, cname, &cprinc);
-                        if (st != 0)
-                            goto cleanup;
-                    } else /* No canonicalization, so don't return aliases. */
-                        found = FALSE;
+                    st = krb5_ldap_parse_principal_name(values[0], &cname);
+                    if (st != 0)
+                        goto cleanup;
+                    st = krb5_parse_name(context, cname, &cprinc);
+                    if (st != 0)
+                        goto cleanup;
                 }
                 ldap_value_free(values);
                 if (!found)
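Review bot: The two `goto cleanup` paths, now taken for every alias match rather than only when the flag was set, skip the `ldap_value_free(values)` on the line after them, so a parse failure leaks the LDAP value array unless the cleanup label releases it, which is not visible here; freeing before jumping, `if (st != 0) { ldap_value_free(values); goto cleanup; }`, closes that on both paths. Separately, the deleted else branch was the only assignment of `found = FALSE` in this hunk, so the `if (!found)` test that follows may now be unreachable from this block unless `found` is cleared elsewhere in krb5_ldap_get_principal. The enclosing function starts and ends outside the hunk.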
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index 3a1d1ba..69a4663 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -351,14 +351,12 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
                                   &search_name));
     canon = get_string(h, "alias", search_name, NULL);
     if (canon != NULL) {
-        if (!(flags & KRB5_KDB_FLAG_ALIAS_OK) &&
-            search_for->type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
-            ret = KRB5_KDB_NOENTRY;
-            goto cleanup;
-        }
         check(krb5_parse_name(context, canon, &princ));
         if (!krb5_realm_compare(context, search_for, princ)) {
-            if (flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) {
+            /* Out of realm */
+            if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) &&
+                ((flags & KRB5_KDB_FLAG_CANONICALIZE) ||
+                 search_for->type == KRB5_NT_ENTERPRISE_PRINCIPAL)) {
                 /* Return a client referral by creating an entry with only the
                  * principal set. */
                 *entry = ealloc(sizeof(**entry));
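Review bot: The `/* Out of realm */` comment does not say why the canonicalize/enterprise condition, which previously gated all alias handling, now applies only to the referral branch, and the path taken when it is false lies outside the hunk. Suggest expanding it to `/* Out of realm: only issue a client referral when the lookup asked for canonicalization or the name is an enterprise principal. */`. test_get_principal continues outside the hunk.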
@@ -486,9 +484,7 @@ test_get_s4u_x509_principal(krb5_context context, const krb5_data *client_cert,
                                   &princ_name));
     canon = get_string(h, "alias", princ_name, NULL);
     krb5_free_unparsed_name(context, princ_name);
-    if (canon != NULL &&
-        ((flags & KRB5_KDB_FLAG_ALIAS_OK) ||
-         princ->type == KRB5_NT_ENTERPRISE_PRINCIPAL)) {
+    if (canon != NULL) {
         check(krb5_parse_name(context, canon, &canon_princ));
         match = krb5_principal_compare(context, canon_princ, (*entry)->princ);
         krb5_free_principal(context, canon_princ);
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 7271fcb..9fff204 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -383,8 +383,9 @@ realm.klist(realm.user_princ, 'alias at KRBTEST.COM')
 
 # Test client principal aliases, with and without preauth.
 realm.kinit('canon', password('canon'))
-realm.kinit('alias', password('canon'), expected_code=1,
-            expected_msg='not found in Kerberos database')
+realm.kinit('alias', password('canon'))
+realm.run([kvno, 'alias'])
+realm.klist('alias at KRBTEST.COM', 'alias at KRBTEST.COM')
 realm.kinit('alias', password('canon'), ['-C'])
 realm.run([kvno, 'alias'])
 realm.klist('canon at KRBTEST.COM', 'alias at KRBTEST.COM')

