[19627] in Kerberos_V5_Development
PAC verification fails for enterprise principals
daemon@ATHENA.MIT.EDU (Stefan Metzmacher)
Wed Aug 23 19:19:29 2017
To: "krbdev@mit.edu Dev List" <krbdev@mit.edu>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <76ac560a-6c63-a875-d5dd-0ff38f5bd6e5@samba.org>
Date: Thu, 24 Aug 2017 01:19:16 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3394892913939583484=="
Errors-To: krbdev-bounces@mit.edu
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============3394892913939583484==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="aNi3UIqPVAtGhLt9pKBnw8EpBtU9M6AQT"
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--aNi3UIqPVAtGhLt9pKBnw8EpBtU9M6AQT
Content-Type: multipart/mixed; boundary="eUEot5UEAakNihl5j9kQWww9jbSgJ54iJ";
protected-headers="v1"
From: Stefan Metzmacher <metze@samba.org>
To: "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Message-ID: <76ac560a-6c63-a875-d5dd-0ff38f5bd6e5@samba.org>
Subject: PAC verification fails for enterprise principals
--eUEot5UEAakNihl5j9kQWww9jbSgJ54iJ
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Hi,
I found that krb5_pac_verify() fails if I asked for
S4U2Self with an enterprise principal.
The problem is that k5_pac_validate_client()
uses this:
ret =3D krb5_parse_name_flags(context, pac_princname,
KRB5_PRINCIPAL_PARSE_NO_REALM,
&pac_principal);
if (ret !=3D 0) {
free(pac_princname);
return ret;
}
free(pac_princname);
if (pac_authtime !=3D authtime ||
!krb5_principal_compare_flags(context,
pac_principal,
principal,
KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
ret =3D KRB5KRB_AP_WRONG_PRINC;
The value in the Client Info PAC element is the principal without
the realm part.
The KRB5_PRINCIPAL_PARSE_NO_REALM means we'll discard the @... part
of an enterprise principal.
The question is should I somehow add a flags variable that may
get |=3D KRB5_PRINCIPAL_PARSE_ENTERPRISE?
Heimdal uses a different approach:
ret =3D krb5_unparse_name_flags(context, principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM |
KRB5_PRINCIPAL_UNPARSE_DISPLAY,
&principal_string);
if (ret) {
free(logon_string);
return ret;
}
ret =3D strcmp(logon_string, principal_string);
if (ret !=3D 0) {
ret =3D EINVAL;
I'd prefer to take over the logic from Heimal, if that's ok
I'll prepare a patch for that.
metze
--eUEot5UEAakNihl5j9kQWww9jbSgJ54iJ--
--aNi3UIqPVAtGhLt9pKBnw8EpBtU9M6AQT
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAEBAgAGBQJZng15AAoJEA219WEoab1WfdMQALKsAgdcOqUdj0s07vEHy+aX
teHW9h+qYEg9jk6GoWdtCh+q1hLQibEp3NH/V5dn4VTFwMpDXL73+Z2QjxfJD2pU
KOvO1fNTP9DtfDBOzGOTUrII9UkPu+4Xb+pFUbINFrOJVRnxZIWVFcXqja3TGg7z
trSE5jdrPuQNvgQQeTSrO/gPYGjhMe1ZVuO4ticMVvd6u87qmssDzejl9TZFIa3k
D7HHISBoTGzFLGTS6xRUAGLy9hee57dqD2azk/kpEfPdUKEgTZ57P/2x2ZbZzJKt
ZSbFPRP4C3UfN9n8msJCxo1w4FMGrtNbAHNWDXXwQZ9ZilxFB5yMQrxBfcfJ0zPB
yO7K5GxNKs4o9vaNzTkq66AkrnF976beaONAGmP+32yGvJu9E4xM8AL1uScahoTA
GX4Pgb3t+6XpCOTCx3tbeaP1RJhFNQHAdml9oA5NFrDzrHI5GFJ0VG4ATvadmzTL
TG6xXLRsPB9SB7S5pJbaT3ogko1eFMI+DDGvpkpwRyaoM3ew0EvZT3xgnRtBAnqy
E7NTmvKluUgvLG9tE5u9gF0RHuj9Hig3z41VxyKsbZmuWDevGdZKuKB9Kz++6Yc9
PrF6RCBo16lHmDdFYMSNOTIUqLA6HFR98VcnderaYhfeSoVYuE7i3sw0rlaX8p6r
A0vmFzq83Dz/mljwzIlN
=CnkZ
-----END PGP SIGNATURE-----
--aNi3UIqPVAtGhLt9pKBnw8EpBtU9M6AQT--
--===============3394892913939583484==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
--===============3394892913939583484==--