svn rev #21638: branches/mskrb-integ/src/kdc/
lhoward@MIT.EDU
lhoward at MIT.EDU
Tue Dec 30 07:28:37 EST 2008
http://src.mit.edu/fisheye/changelog/krb5/?cs=21638
Commit By: lhoward
Log Message:
Previously, we tested explicitly for KRB5_KDB_PWCHANGE_SERVICE when
disabling AS-REP canonicalization, because in Windows kadmin/changepw is
an alias for the TGS. This was to avoid a client asking for a changepw
service ticket getting a TGT by setting the canonicalize flag, something
particularly problematic for a user who is only allowed to reset an
expired password.
The correct fix, however, is to disable AS-REP server name
canonicalization for any alias of the TGS (unless the user is requesting
a TGT, in which case we enable it, because that allows us to deal with
realm aliases for Windows interop).
Changed Files:
U branches/mskrb-integ/src/kdc/do_as_req.c
U branches/mskrb-integ/src/kdc/do_tgs_req.c
Modified: branches/mskrb-integ/src/kdc/do_as_req.c
===================================================================
--- branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-30 05:45:06 UTC (rev 21637)
+++ branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-30 12:28:36 UTC (rev 21638)
@@ -281,16 +281,20 @@
}
/*
- * Turn off canonicalization for changepw service; if it is an
- * alias for the TGS, then a client with an expired key could
- * still be issued a ticket granting ticket.
+ * Turn off canonicalization for services that are aliases of
+ * the TGS, such as (in Windows) the changepw service.
*/
- if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) &&
- !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
+ if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) &&
+ krb5_is_tgs_principal(server.princ) &&
+ !krb5_is_tgs_principal(request->server)) {
+ clear(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
+ }
+
+ if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
server_princ = *(server.princ);
} else {
server_princ = *(request->server);
- /* The realm is always canonicalized */
+ /* The realm is always canonicalized in Windows */
server_princ.realm = *(krb5_princ_realm(context, server.princ));
}
ticket_reply.server = &server_princ;
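Review bot: Clearing KRB5_KDB_FLAG_CANONICALIZE at this point changes only the name placed in the reply; the ticket is still issued for the DB entry `server` that the alias resolved to, so a client asking for kadmin/changepw presumably receives a ticket with sname kadmin/changepw sealed under the TGS key. That is only safe if the TGS-REQ path refuses a header ticket whose sname is not the TGS principal, and nothing in this hunk shows that check, so please confirm it exists or add it. The guard also decides on the shape of the client-supplied request->server name alone, which deserves a comment: `/* Requested name is not a TGS name but resolved to one (an alias): issue the ticket under the requested name so it cannot be presented as a TGT. */`. The enclosing function begins outside the hunk.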
Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c
===================================================================
--- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-30 05:45:06 UTC (rev 21637)
+++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-30 12:28:36 UTC (rev 21638)
@@ -121,7 +121,7 @@
krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */
char *s4u_name = NULL;
- krb5_boolean is_referral = FALSE;
+ krb5_boolean is_referral;
session_key.contents = NULL;
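Review bot: Dropping the `= FALSE` initializer on `is_referral` leaves the variable indeterminate from its declaration until the assignment much later in the function; if any error path in between reaches cleanup code that tests is_referral, that is a read of an uninitialized value. The intervening code is not in this hunk, so this may well be fine, but the initializer costs nothing and keeps the function safe against future early-exit paths; I would keep `krb5_boolean is_referral = FALSE;`. The enclosing function starts before this hunk and continues past it.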
@@ -256,11 +256,8 @@
if (!is_local_principal(header_enc_tkt->client))
setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
- if (krb5_is_tgs_principal(server.princ) &&
- !krb5_principal_compare(kdc_context, tgs_server, server.princ)) {
- assert(!isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE));
- is_referral = TRUE;
- }
+ is_referral = krb5_is_tgs_principal(server.princ) &&
+ !krb5_principal_compare(kdc_context, tgs_server, server.princ);
/* Check for protocol transition */
errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client,
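Review bot: The removed assert was the only statement that recorded why a referral target cannot be the changepw service, and the replacement expression carries no explanation; a short comment would preserve the reasoning: `/* A TGS principal other than our own is a cross-realm referral. A TGS alias such as Windows' kadmin/changepw resolves to tgs_server itself and so is not a referral. */`. Removing the assert is the right call regardless, since aborting the KDC on a database-controlled attribute is a denial-of-service path rather than a check. That the alias compares equal to tgs_server is inferred from the commit message rather than visible in this hunk. The enclosing function starts outside this hunk.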