From: Arlene Berry <aberry@likewise.com>
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Subject: don't require a default realm
Date: Thu, 21 Jul 2011 23:04:40 +0000
We want to be able to function without configuring a default realm. In k5_pac_validate_client it gets the user name from the pac, parses it, and then compares it to the ticket's client principal. The user name in the pac does not contain the realm so krb5_parse_name_flags applies the default realm. Then krb5_principal_compare_flags with KRB5_PRINCIPAL_COMPARE_IGNORE_REALM is used to compare the result to the ticket's principal. Since the realm is ignored, we modified k5_pac_validate_client to append the realm from the ticket's principal to the pac user name before parsing it.

Index: src/lib/krb5/krb/pac.c
===================================================================
--- src/lib/krb5/krb/pac.c (revision 25023)
+++ src/lib/krb5/krb/pac.c (working copy)
@@ -418,6 +418,8 @@
{
krb5_error_code ret;
krb5_data client_info;
+ char *decoded_pac_princname;
+ char *appended_pac_princname;
char *pac_princname;
unsigned char *p;
krb5_timestamp pac_authtime;
@@ -447,10 +449,36 @@
return ERANGE;

ret = krb5int_ucs2lecs_to_utf8s(p, (size_t)pac_princname_length / 2,
- &pac_princname, NULL);
+ &decoded_pac_princname, NULL);
if (ret != 0)
return ret;

+ if (!strchr(decoded_pac_princname, "@")) {
+ /* Append a realm so the default realm in the conf file is is avoided */
+ appended_pac_princname = malloc(strlen(decoded_pac_princname) +
+ principal->realm.length + 2);
+ if (appended_pac_princname == NULL) {
+ free(decoded_pac_princname);
+ return(ENOMEM);
+ }
+
+ pac_princname = appended_pac_princname;
+
+ memcpy(pac_princname, decoded_pac_princname,
+ strlen(decoded_pac_princname));
+ pac_princname += strlen(decoded_pac_princname);
+ pac_princname[0] = '@';
+ pac_princname++;
+ memcpy(pac_princname, principal->realm.data, principal->realm.length);
+ pac_princname += principal->realm.length;
+ pac_princname[0] = 0;
+
+ pac_princname = appended_pac_princname;
+ free(decoded_pac_princname);
+ } else {
+ pac_princname = decoded_pac_princname;
+ }
+
ret = krb5_parse_name_flags(context, pac_princname, 0, &pac_principal);
if (ret != 0) {
free(pac_princname);
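Review bot: `strchr(decoded_pac_princname, "@")` passes a string literal where `strchr` takes an `int` character, so the pointer is converted to an integer and the search is for the wrong byte; it should read `strchr(decoded_pac_princname, '@')`. Two further points in the same block: the check does not account for krb5 principal quoting, where `\@` is an escaped character rather than a realm separator, and the ticket realm is copied in verbatim, so a realm containing `@`, `/` or `\` would be misparsed by `krb5_parse_name_flags` after it is appended. The comment also has a doubled "is is". Parsing with `KRB5_PRINCIPAL_PARSE_NO_REALM`, as suggested below, avoids the allocation, the copying and both quoting problems, since the realm is ignored by the compare anyway.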
Would it be simpler to just use KRB5_PRINCIPAL_PARSE_NO_REALM when parsing
the name?
From: Arlene Berry <aberry@likewise.com>
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Subject: RE: [krbdev.mit.edu #6934] don't require a default realm
Date: Fri, 22 Jul 2011 20:44:06 +0000
That definitely seems like a better solution.
From: ghudson@mit.edu
Subject: SVN Commit

PAC_CLIENT_INFO principal names do not contain a realm, so parse them
with the KRB5_PRINCIPAL_PARSE_NO_REALM flag. Otherwise we'll wind up
using the default realm (and then ignoring it) which fails if one
isn't configured.

https://github.com/krb5/krb5/commit/1261faf0569fc172dafa7c39262d177e3ab38848
Commit By: ghudson
Revision: 25050
Changed Files:
U trunk/src/lib/krb5/krb/pac.c
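As an added illustration, not krb5's own code and not part of this ticket: a simplified C model of the quoting rule krb5_parse_name_flags applies (a backslash escapes the next character; an unescaped `@` starts the realm), used to show the NO_REALM parse plus realm-ignoring compare the commit describes, beside the bare strchr heuristic from the original patch. The functions split_realm, naive_has_realm and pac_client_matches are assumptions for this example only.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 256

/* Copy `in` to `out` up to the first unescaped '@' (krb5 quoting: a backslash
 * escapes the next character, which is kept verbatim so quoted forms compare
 * equal).  On return *realm points just past that '@', or is NULL when the
 * name carries no realm.  Returns -1 if `out` is too small. */
static int split_realm(const char *in, char *out, size_t outlen, const char **realm)
{
    size_t n = 0;
    *realm = NULL;
    for (; *in != '\0'; in++) {
        if (*in == '@') { *realm = in + 1; break; }   /* unescaped '@': realm follows */
        if (n + 1 >= outlen) return -1;
        out[n++] = *in;
        if (*in == '\\' && in[1] != '\0') {            /* keep the escaped char too */
            if (n + 1 >= outlen) return -1;
            out[n++] = *++in;
        }
    }
    out[n] = '\0';
    return 0;
}

/* The heuristic the original patch used before appending the ticket realm.
 * It reports a realm for a quoted name such as "us\@er", which has none. */
int naive_has_realm(const char *name)
{
    return strchr(name, '@') != NULL;
}

/* Model of the committed check: parse the PAC client name with NO_REALM
 * semantics (no default realm is consulted; an unescaped '@' is malformed)
 * and compare it to the ticket client principal, ignoring that realm.
 * Returns 1 on match, 0 on mismatch, -1 when the PAC name is malformed. */
int pac_client_matches(const char *pac_name, const char *ticket_client)
{
    char pac[MAX_NAME], tkt[MAX_NAME];
    const char *realm;

    if (split_realm(pac_name, pac, sizeof pac, &realm) != 0 || realm != NULL)
        return -1;
    if (split_realm(ticket_client, tkt, sizeof tkt, &realm) != 0)
        return -1;
    return strcmp(pac, tkt) == 0;
}

int main(void)
{
    /* Constructed sample names; prints "1 1 1" */
    printf("%d %d %d\n", pac_client_matches("user", "user@EXAMPLE.COM"),
           pac_client_matches("us\\@er", "us\\@er@EXAMPLE.COM"),
           naive_has_realm("us\\@er"));
    return 0;
}
```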