Subject: FFM.EXAMPLE.ORG -> M.EXAMPLE.ORG broken
Hi!
In an AD multi-domain/realm environment with FFM.EXAMPLE.ORG,
EXAMPLE.ORG and M.EXAMPLE.ORG winbind with a machine principal in
FFM.EXAMPLE.ORG wants to acquire a service ticket for
pdc$@M.EXAMPLE.ORG. This fails because krb5_walk_realm_tree() is wrong
in the case FFM and M share the "M". The loop that the attached patch
fixes goes one step too far, rendering slen==0, in which case it
believes that M.EXAMPLE.ORG is a parent realm of FFM.EXAMPLE.ORG.
EXAMPLE.ORG is obviously not the right domain I could provide a log for,
this is a customer of mine.
Volker Lendecke
Samba Team
--- src/lib/krb5/krb/walk_rtree.c~ 2007-06-19 21:22:50.000000000 +0200
+++ src/lib/krb5/krb/walk_rtree.c 2008-04-25 14:47:11.000000000 +0200
@@ -190,6 +190,14 @@
com_sdot = scp;
nocommon = 0;
}
+ if ((slen == 1) && (ccp == com_cdot - (com_sdot - scp))) {
+ /* 1st server component shares ending with 1st client comp. */
+ break;
+ }
+ if ((clen == 1) && (scp == com_sdot - (com_cdot - ccp))) {
+ /* 1st client component shares ending with 1st server comp. */
+ break;
+ }
}
/* ccp, scp point to common root.
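Review bot: both added conditions dereference the positions of com_cdot and com_sdot on every loop iteration, but the context directly above shows com_sdot being assigned only inside a conditional block (`com_sdot = scp; nocommon = 0;`), and neither new check tests nocommon. If the loop can reach these lines before a common dot has been recorded, `com_cdot - (com_sdot - scp)` is computed from whatever those pointers held initially, so the comparison is not meaningful there; consider guarding both checks with `!nocommon`, or state in a comment why the pointers are always valid at this point. The two comments also say only that a component "shares ending" with the other; naming the FFM.EXAMPLE.ORG / M.EXAMPLE.ORG case from the report and saying what the pointer equality establishes (that the one remaining character is still inside the first component rather than at a realm boundary) would make the intent checkable. A regression test for that realm pair would be worth adding alongside the fix.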