[krbdev.mit.edu #6934] don't require a default realm
Arlene Berry via RT
rt-comment at krbdev.mit.edu
Fri Jul 22 15:38:02 EDT 2011
We want to be able to function without configuring a default realm. In k5_pac_validate_client it gets the user name from the pac, parses it, and then compares it to the ticket's client principal. The user name in the pac does not contain the realm, so krb5_parse_name_flags applies the default realm. Then krb5_principal_compare_flags with KRB5_PRINCIPAL_COMPARE_IGNORE_REALM is used to compare the result to the ticket's principal. Since the realm is ignored, we modified k5_pac_validate_client to append the realm from the ticket's principal to the pac user name before parsing it.
Index: src/lib/krb5/krb/pac.c
===================================================================
--- src/lib/krb5/krb/pac.c (revision 25023)
+++ src/lib/krb5/krb/pac.c (working copy)
@@ -418,6 +418,8 @@
{
krb5_error_code ret;
krb5_data client_info;
+ char *decoded_pac_princname;
+ char *appended_pac_princname;
char *pac_princname;
unsigned char *p;
krb5_timestamp pac_authtime;
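Review bot: The two locals added here, `decoded_pac_princname` and `appended_pac_princname`, exist only so the second hunk can hand-build `user@REALM` from the ticket's realm before parsing, and that whole block becomes unnecessary if the parse is simply told not to apply a default realm: `ret = krb5_parse_name_flags(context, pac_princname, KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal);`. The description says the subsequent compare uses KRB5_PRINCIPAL_COMPARE_IGNORE_REALM, so the appended realm is never consulted and the extra allocation and copies do not change the outcome. If the append path is kept, its guard in the second hunk, `strchr(decoded_pac_princname, "@")`, passes a string literal where strchr takes an int character and should read `strchr(decoded_pac_princname, '@')`; as written it searches for an arbitrary byte, so a name that already carries a realm may get a second `@realm` appended and then parse differently than intended. k5_pac_validate_client's signature is above this hunk and its body continues past the end of the second one.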
@@ -447,10 +449,36 @@
return ERANGE;
ret = krb5int_ucs2lecs_to_utf8s(p, (size_t)pac_princname_length / 2,
- &pac_princname, NULL);
+ &decoded_pac_princname, NULL);
if (ret != 0)
return ret;
+ if (!strchr(decoded_pac_princname, "@")) {
+ /* Append a realm so the default realm in the conf file is is avoided */
+ appended_pac_princname = malloc(strlen(decoded_pac_princname) +
+ principal->realm.length + 2);
+ if (appended_pac_princname == NULL) {
+ free(decoded_pac_princname);
+ return(ENOMEM);
+ }
+
+ pac_princname = appended_pac_princname;
+
+ memcpy(pac_princname, decoded_pac_princname,
+ strlen(decoded_pac_princname));
+ pac_princname += strlen(decoded_pac_princname);
+ pac_princname[0] = '@';
+ pac_princname++;
+ memcpy(pac_princname, principal->realm.data, principal->realm.length);
+ pac_princname += principal->realm.length;
+ pac_princname[0] = 0;
+
+ pac_princname = appended_pac_princname;
+ free(decoded_pac_princname);
+ } else {
+ pac_princname = decoded_pac_princname;
+ }
+
ret = krb5_parse_name_flags(context, pac_princname, 0, &pac_principal);
if (ret != 0) {
free(pac_princname);