From 34347586375dea9b615fb6a0218bcb5927031e4d Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 16 Jan 2020 22:00:21 +0100
Subject: [PATCH] Sign and verify PAC with ticket principal instead of canon
Conflict: NA
Reference: https://git.samba.org/samba.git/?p=samba.git;a=patch;h=34347586375dea9b615fb6a0218bcb5927031e4d
principal
With MIT library 1.18 the KDC no longer sets
KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
us to not canonicalize them (like in Windows / Heimdal).
However, it now breaks the PAC signature verification as it was
wrongly done using canonical client rather than ticket client name.
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
---
source4/kdc/mit-kdb/kdb_samba_policies.c | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
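diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 586cf81451d..2eec496fa92 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -301,20 +301,12 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 krb5_authdata **tgt_auth_data,
 krb5_authdata ***signed_auth_data)
 {
- krb5_const_principal ks_client_princ;
 krb5_authdata **authdata = NULL;
 krb5_boolean is_as_req;
 krb5_error_code code;
 krb5_pac pac = NULL;
 krb5_data pac_data;
 
- /* Prefer canonicalised name from client entry */
- if (client != NULL) {
- ks_client_princ = client->princ;
- } else {
- ks_client_princ = client_princ;
- }
-
 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
 
 if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
@@ -354,7 +346,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 if (!is_as_req) {
 code = ks_verify_pac(context,
 flags,
- ks_client_princ,
+ client_princ,
 client,
 server,
 krbtgt,
@@ -381,7 +373,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 goto done;
 }
 
- code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
+ code = krb5_pac_sign(context, pac, authtime, client_princ,
 server_key, krbtgt_key, &pac_data);
 if (code != 0) {
 DBG_ERR("krb5_pac_sign failed: %d\n", code);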
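Review bot: The new code hands `client_princ` straight to `ks_verify_pac` and `krb5_pac_sign` without any comment explaining why the ticket's client name, rather than the canonicalised entry name the removed block preferred, is the correct input for the PAC checksum; that reasoning lives only in the commit message and will be lost to the next reader. A comment above the `ks_verify_pac` call in the second hunk would keep it in the code: `/* The PAC is signed over the client name as it appears in the ticket, not the canonicalised DB entry name; MIT 1.18 no longer canonicalises enterprise principals, so verifying with the entry name would fail. */`, and the same applies to the `krb5_pac_sign` call in the third hunk. The removed fallback also covered `client == NULL`; if there is any path on which `client_princ` can be NULL the new calls now rely on the callees to reject it, which I cannot confirm from here because the function's parameter list and the AS-REQ path start outside the hunk.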
--