krb5 commit: Allow KDC to canonicalize realm in TGS client

Tue Nov 3 10:36:46 EST 2020

https://github.com/krb5/krb5/commit/04c2b7415d62913845f31dc5b0d4051291e4d6d4
commit 04c2b7415d62913845f31dc5b0d4051291e4d6d4
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Aug 26 16:49:37 2020 -0400

    Allow KDC to canonicalize realm in TGS client
    
    Active Directory canonicalizes the srealm field of TGS replies,
    whether or not the client requests canonicalization.  Allow this for
    regular TGS and S4U2Self referrals queries by comparing only the name
    part of the service principal.  The S4U2Proxy code is already correct.
    
    ticket: 8943 (new)

 src/lib/krb5/krb/get_creds.c |   10 ++++++----
 src/lib/krb5/krb/s4u_creds.c |    5 ++---
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index c35b8d6..b693f58 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -571,10 +571,12 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
     if (ctx->reply_code != 0)
         return try_fallback(context, ctx);
 
-    if (krb5_principal_compare(context, ctx->reply_creds->server,
-                               ctx->server)) {
-        /* We got the ticket we asked for... but we didn't necessarily ask for
-         * it with the right enctypes.  Try a non-referral request if so. */
+    /* Check if we got the ticket we asked for.  Allow the KDC to canonicalize
+     * the realm. */
+    if (krb5_principal_compare_any_realm(context, ctx->reply_creds->server,
+                                         ctx->server)) {
+        /* We didn't necessarily ask for it with the right enctypes.  Try a
+         * non-referral request if so. */
         if (wrong_enctype(context, ctx->reply_creds->keyblock.enctype)) {
             TRACE_TKT_CREDS_WRONG_ENCTYPE(context);
             return begin_non_referral(context, ctx);
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index b448110..44d113e 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -592,9 +592,8 @@ krb5_get_self_cred_from_kdc(krb5_context context,
         /* Only include a cert in the initial request to the client realm. */
         s4u_user.user_id.subject_cert = empty_data();
 
-        if (krb5_principal_compare(context,
-                                   in_creds->server,
-                                   (*out_creds)->server)) {
+        if (krb5_principal_compare_any_realm(context, in_creds->server,
+                                             (*out_creds)->server)) {
             /* Verify that the unprotected client name in the reply matches the
              * checksum-protected one from the client realm's KDC padata. */
             if (!krb5_principal_compare(context, (*out_creds)->client,
