svn rev #21554: branches/mskrb-integ/src/kdc/

lhoward@MIT.EDU
Fri Dec 19 20:51:21 EST 2008


http://src.mit.edu/fisheye/changelog/krb5/?cs=21554
Commit By: lhoward
Log Message:
back out r21552 for now pending some answers regarding Windows referral
behaviour. The comment from the Novell patch (which was presumably based
on my research) suggests that Windows 2003 always returns referrals
regardless of the setting of the canonicalize flag. As Windows XP
clients do not appear to set the canonicalize flag in TGS-REQs, I'm
concerned about breaking cross-forest authentication by changing this.

If it turns out we need this behaviour then Novell can change their
backend to implicitly set KRB5_KDB_FLAG_CANONICALIZE if
KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is unset.

I can't empirically test this behaviour against Windows 2003 as I only
have 2008 set up now, and it appears to have yet again different
behaviour (which I also have some outstanding questions on).



Changed Files:
U   branches/mskrb-integ/src/kdc/do_tgs_req.c
Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c
===================================================================
--- branches/mskrb-integ/src/kdc/do_tgs_req.c	2008-12-19 17:14:16 UTC (rev 21553)
+++ branches/mskrb-integ/src/kdc/do_tgs_req.c	2008-12-20 01:51:19 UTC (rev 21554)
@@ -195,9 +195,18 @@
     nprincs = 1;
     if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
 	setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
-	setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
     }
 
+    /*
+     * TGS-REP canonicalization matches Windows 2003 rather
+     * than Windows 2000. This means that we should indicate
+     * to the backend to always return referrals by setting
+     * KDB_FLAG_CANONICALIZE, and we should also always
+     * return the requested SPN in the reply regardless of
+     * whether KDC_OPT_CANONICALIZE was set or not.
+     */
+    setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
+
     errcode = krb5_db_get_principal_ext(kdc_context,
 					request->server,
 					s_flags,
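Review bot: the new comment names a flag that does not exist in this code, "KDB_FLAG_CANONICALIZE", while the line it describes sets KRB5_KDB_FLAG_CANONICALIZE; the comment should use the real identifier. The comment also promises more than the hunk does: it says the KDC "should also always return the requested SPN in the reply regardless of whether KDC_OPT_CANONICALIZE was set or not", but the only change here is that s_flags now gets KRB5_KDB_FLAG_CANONICALIZE unconditionally while c_flags still gets it only inside the `if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE))` block. Either point the comment at where the reply-side behaviour lives or scope it to this lookup, and say explicitly that the client and server flags are intentionally asymmetric (the log message gives the reason: XP clients do not set the option, and cross-forest authentication depends on referrals still being issued).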
@@ -256,8 +265,8 @@
     if (!is_local_principal(header_enc_tkt->client))
 	setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
 
-    is_referral = isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) &&
-	krb5_is_tgs_principal(server.princ);
+    is_referral = krb5_is_tgs_principal(server.princ) &&
+	!krb5_principal_compare(kdc_context, tgs_server, server.princ);
 
     /* Check for protocol transition */
     errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client,
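Review bot: the rewritten is_referral test no longer consults s_flags or the client's KDC_OPT_CANONICALIZE at all; it classifies every krbtgt principal that is not the local tgs_server as a referral, i.e. `is_referral = krb5_is_tgs_principal(server.princ) && !krb5_principal_compare(kdc_context, tgs_server, server.princ);`. With the previous hunk always setting KRB5_KDB_FLAG_CANONICALIZE on s_flags the old check would have been true for every TGS principal anyway, so dropping it is consistent, but a reader who sees a referral decision that never looks at the canonicalize option will assume the check was lost rather than removed on purpose. A one-line comment here stating that referral detection is deliberately independent of KDC_OPT_CANONICALIZE (pending the Windows 2003/2008 behaviour questions in the log message) would prevent someone "fixing" it back, and the comment above the s_flags assignment should cross-reference this site.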



