krb5 commit [krb5-1.8]: Use correct name-type in TGS-REQs for 2008R2 RODCs

Tom Yu tlyu at MIT.EDU
Fri Jun 15 14:43:58 EDT 2012


https://github.com/krb5/krb5/commit/442a15f9debdad1fc8ef7c79fe1ca9f3aa8e0cd7
commit 442a15f9debdad1fc8ef7c79fe1ca9f3aa8e0cd7
Author: Tom Yu <tlyu at mit.edu>
Date:   Fri Apr 27 22:40:21 2012 +0000

    Use correct name-type in TGS-REQs for 2008R2 RODCs
    
    Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST
    in TGS-REQs.  (Previously, only AS-REQs had the name-type set in this
    way.)  Windows Server 2008 R2 read-only domain controllers (RODCs)
    insist on having the correct name-type for the TGS principal in
    TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case.
    
    Thanks to Sebastian Galiano for reporting this bug and helping with
    testing.
    
    (back ported from commit 5994d8928b8ff88751b14bc60c7d7bfce8b30e57)
    
    ticket: 7176 (new)
    version_fixed: 1.8.7
    status: resolved

 src/lib/krb5/krb/fwd_tgt.c |   12 ++++--------
 src/lib/krb5/krb/tgtname.c |   19 +++++++++++++++----
 2 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index 5725e49..2fcb419 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -29,6 +29,7 @@
 #ifdef HAVE_MEMORY_H
 #include <memory.h>
 #endif
+#include "int-proto.h"
 
 /* helper function: convert flags to necessary KDC options */
 #define flags2options(flags) (flags & KDC_TKT_COMMON_MASK)
@@ -99,14 +100,9 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r
     if ((retval = krb5_copy_principal(context, client, &creds.client)))
         goto errout;
 
-    if ((retval = krb5_build_principal_ext(context, &creds.server,
-                                           client->realm.length,
-                                           client->realm.data,
-                                           KRB5_TGS_NAME_SIZE,
-                                           KRB5_TGS_NAME,
-                                           client->realm.length,
-                                           client->realm.data,
-                                           0)))
+    retval = krb5_tgtname(context, &client->realm, &client->realm,
+                          &creds.server);
+    if (retval)
         goto errout;
 
     /* fetch tgt directly from cache */
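Review bot: The new call passes `&client->realm` for both the server and the client realm of krb5_tgtname(), and nothing in the hunk says why; a one-line comment would make the intent explicit, e.g. `/* Build krbtgt/<client realm>@<client realm>; krb5_tgtname() also sets the name type some KDCs require. */`. The enclosing function krb5_fwd_tgt_creds() starts before the hunk and its errout cleanup is not visible here, so whether creds.server is released on every exit path cannot be confirmed from this hunk alone. The "int-proto.h" include added in the first hunk presumably supplies the krb5_tgtname() prototype; if so, a short comment on that include line would save the next reader from searching for it.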
diff --git a/src/lib/krb5/krb/tgtname.c b/src/lib/krb5/krb/tgtname.c
index cfd01cb..f509829 100644
--- a/src/lib/krb5/krb/tgtname.c
+++ b/src/lib/krb5/krb/tgtname.c
@@ -36,8 +36,19 @@
 krb5_error_code
 krb5_tgtname(krb5_context context, const krb5_data *server, const krb5_data *client, krb5_principal *tgtprinc)
 {
-    return krb5_build_principal_ext(context, tgtprinc, client->length, client->data,
-                                    KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
-                                    server->length, server->data,
-                                    0);
+    krb5_error_code ret;
+
+    ret = krb5_build_principal_ext(context, tgtprinc, client->length, client->data,
+                                   KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
+                                   server->length, server->data,
+                                   0);
+    if (ret)
+        return ret;
+    /*
+     * Windows Server 2008 R2 RODC insists on TGS principal names having the
+     * right name type.
+     */
+    krb5_princ_type(context, *tgtprinc) = KRB5_NT_SRV_INST;
+
+    return ret;
 }
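Review bot: The final `return ret;` can only ever return 0, since any non-zero ret has already been returned by the check above it; `return 0;` states that directly instead of making the reader retrace the control flow. Now that krb5_tgtname() does more than forward to krb5_build_principal_ext(), it deserves a header comment above the definition saying that it builds krbtgt/<server>@<client>, sets the principal's name type to KRB5_NT_SRV_INST, and hands ownership of *tgtprinc to the caller (presumably released with krb5_free_principal() — confirm against the callers). The in-body comment could also note that the name type matters for TGS-REQs as well as AS-REQs, which is the point the commit message makes and the one a future reader is most likely to wonder about.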

