PAC verification fails for enterprise principals
Stefan Metzmacher
metze at samba.org
Wed Aug 23 19:19:16 EDT 2017
Hi,
I found that krb5_pac_verify() fails if I ask for
S4U2Self with an enterprise principal.
The problem is that k5_pac_validate_client()
uses this:
    /* Re-parse the client name stored in the PAC Client Info element;
       no realm is expected there. */
    ret = krb5_parse_name_flags(context, pac_princname,
                                KRB5_PRINCIPAL_PARSE_NO_REALM,
                                &pac_principal);
    if (ret != 0) {
        free(pac_princname);
        return ret;
    }
    free(pac_princname);

    /* Compare the auth time and the realm-less principal names. */
    if (pac_authtime != authtime ||
        !krb5_principal_compare_flags(context,
                                      pac_principal,
                                      principal,
                                      KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
        ret = KRB5KRB_AP_WRONG_PRINC;
The value in the Client Info PAC element is the principal without
the realm part.
The KRB5_PRINCIPAL_PARSE_NO_REALM means we'll discard the @... part
of an enterprise principal.
The question is: should I somehow add a flags variable that may
get |= KRB5_PRINCIPAL_PARSE_ENTERPRISE?
Heimdal uses a different approach:
    /* Render the requested principal without realm and without quoting,
       then compare it byte for byte with the PAC logon name. */
    ret = krb5_unparse_name_flags(context, principal,
                                  KRB5_PRINCIPAL_UNPARSE_NO_REALM |
                                  KRB5_PRINCIPAL_UNPARSE_DISPLAY,
                                  &principal_string);
    if (ret) {
        free(logon_string);
        return ret;
    }

    ret = strcmp(logon_string, principal_string);
    if (ret != 0) {
        ret = EINVAL;
    }
I'd prefer to take over the logic from Heimdal; if that's ok,
I'll prepare a patch for that.
metze
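The following is an added illustration, not code from MIT krb5, Heimdal or the mail above. It models, in Python, the two PAC client-info checks the mail contrasts: re-parsing the PAC logon name without a realm and comparing principals (the k5_pac_validate_client() approach), versus unparsing the requested principal with NO_REALM|DISPLAY and comparing strings (the Heimdal approach). The principal parse and unparse are deliberately simplified stand-ins: the realm-stripping behaviour follows the mail's description, the quoting rules cover only '/', '@' and '\', and the principal names ("alice", "alice@example.com", realm "EXAMPLE.COM"), auth times and function names are constructed for the example. It also goes one step past the mail by showing that re-parsing with an ENTERPRISE flag would accept the same PAC, which is the alternative the mail asks about.

```python
"""Model of the two PAC client-info checks discussed in the mail.

Added illustration, not MIT krb5 or Heimdal code. The parse/unparse
helpers are simplified stand-ins so the difference between re-parsing
the PAC logon name and unparsing the request principal is visible on
an enterprise principal.
"""
import errno
from dataclasses import dataclass
from typing import List

KRB5KRB_AP_WRONG_PRINC = "KRB5KRB_AP_WRONG_PRINC"  # symbolic stand-in
EINVAL = errno.EINVAL
OK = 0


@dataclass
class Principal:
    components: List[str]
    realm: str
    enterprise: bool = False


def parse_name_no_realm(name: str, enterprise: bool = False) -> Principal:
    """Simplified krb5_parse_name_flags() with PARSE_NO_REALM.

    Without PARSE_ENTERPRISE the first unescaped '@' starts the realm,
    which NO_REALM discards (the behaviour the mail describes). With
    PARSE_ENTERPRISE a single '@' is ordinary name data and the whole
    logon name stays one component; only a second '@' starts a realm.
    """
    comps, cur, i, at_seen = [], "", 0, False
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):   # quoted char: keep literally
            cur += name[i + 1]
            i += 2
            continue
        if c == "@":
            if not enterprise or at_seen:
                break                         # rest is the realm: discarded
            at_seen = True                    # enterprise: first '@' is data
        elif c == "/" and not enterprise:     # component separator
            comps.append(cur)
            cur = ""
            i += 1
            continue
        cur += c
        i += 1
    comps.append(cur)
    return Principal(comps, "", enterprise=enterprise)


def unparse_name_no_realm(p: Principal, display: bool = False) -> str:
    """Simplified krb5_unparse_name_flags() with UNPARSE_NO_REALM.

    Without UNPARSE_DISPLAY, '/', '@' and '\\' inside a component are
    backslash-quoted so the string can be re-parsed; DISPLAY emits the
    components verbatim, which is what a strcmp against the PAC logon
    name relies on.
    """
    def quote(comp: str) -> str:
        if display:
            return comp
        return "".join("\\" + ch if ch in "/@\\" else ch for ch in comp)
    return "/".join(quote(c) for c in p.components)


def principal_compare_ignore_realm(a: Principal, b: Principal) -> bool:
    """Stand-in for krb5_principal_compare_flags(..., IGNORE_REALM)."""
    return a.components == b.components


def validate_client_mit_style(pac_logon_name: str, pac_authtime: int,
                              principal: Principal, authtime: int,
                              parse_enterprise: bool = False):
    """Re-parse the PAC name, then compare principals (mail's first snippet).

    parse_enterprise models the "|= KRB5_PRINCIPAL_PARSE_ENTERPRISE" idea.
    """
    pac_principal = parse_name_no_realm(pac_logon_name, parse_enterprise)
    if (pac_authtime != authtime
            or not principal_compare_ignore_realm(pac_principal, principal)):
        return KRB5KRB_AP_WRONG_PRINC
    return OK


def validate_client_heimdal_style(pac_logon_name: str, principal: Principal):
    """Unparse the principal with NO_REALM|DISPLAY, then strcmp (Heimdal)."""
    principal_string = unparse_name_no_realm(principal, display=True)
    return OK if pac_logon_name == principal_string else EINVAL


if __name__ == "__main__":
    # Constructed sample: an ordinary and an enterprise principal, the PAC
    # logon name being the realm-less form the KDC would put in Client Info.
    alice = Principal(["alice"], "EXAMPLE.COM")
    ent = Principal(["alice@example.com"], "EXAMPLE.COM", enterprise=True)
    print("ordinary, mit    :", validate_client_mit_style("alice", 1, alice, 1))
    print("ordinary, heimdal:", validate_client_heimdal_style("alice", alice))
    print("enterprise, mit  :", validate_client_mit_style("alice@example.com", 1, ent, 1))
    print("enterprise, mit+ENTERPRISE:",
          validate_client_mit_style("alice@example.com", 1, ent, 1, True))
    print("enterprise, heimdal:", validate_client_heimdal_style("alice@example.com", ent))
```

Running the block shows the ordinary principal passing both checks, the enterprise principal failing the re-parse check with KRB5KRB_AP_WRONG_PRINC (the parsed PAC name collapses to "alice") and passing the string comparison, and that either an ENTERPRISE parse flag or the unparse-and-compare approach closes the gap. The DISPLAY flag matters for the latter: without it the unparsed enterprise name would be quoted as "alice\@example.com" and never match the PAC logon string.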