authorTom Yu <tlyu@mit.edu>2012-04-27 22:40:21 +0000
committerTom Yu <tlyu@mit.edu>2012-05-18 17:55:48 -0400
commitf67b1e9492706522fd88a0a95f11c85532ed75a8 (patch)
treeac5ec1540ccd8f4822f3cae1573264eca9b37e9d
parente631461882d4e992d098f4d15aa08811a0619123 (diff)
downloadkrb5-f67b1e9492706522fd88a0a95f11c85532ed75a8.zip
krb5-f67b1e9492706522fd88a0a95f11c85532ed75a8.tar.gz
krb5-f67b1e9492706522fd88a0a95f11c85532ed75a8.tar.bz2
Use correct name-type in TGS-REQs for 2008R2 RODCs
Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST in TGS-REQs. (Previously, only AS-REQs had the name-type set in this way.) Windows Server 2008 R2 read-only domain controllers (RODCs) insist on having the correct name-type for the TGS principal in TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case. Thanks to Sebastian Galiano for reporting this bug and helping with testing. (cherry picked from commit 5994d8928b8ff88751b14bc60c7d7bfce8b30e57) ticket: 7142 (new) version_fixed: 1.9.4 status: resolved
-rw-r--r--src/lib/krb5/krb/fwd_tgt.c12
-rw-r--r--src/lib/krb5/krb/tgtname.c19
2 files changed, 19 insertions, 12 deletions
diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index 5725e49..198ef8e 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -29,6 +29,7 @@
#ifdef HAVE_MEMORY_H
#include <memory.h>
#endif
+#include "int-proto.h"
/* helper function: convert flags to necessary KDC options */
#define flags2options(flags) (flags & KDC_TKT_COMMON_MASK)
@@ -99,14 +100,9 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r
if ((retval = krb5_copy_principal(context, client, &creds.client)))
goto errout;
- if ((retval = krb5_build_principal_ext(context, &creds.server,
- client->realm.length,
- client->realm.data,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME,
- client->realm.length,
- client->realm.data,
- 0)))
+ retval = krb5int_tgtname(context, &client->realm, &client->realm,
+ &creds.server);
+ if (retval)
goto errout;
/* fetch tgt directly from cache */
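Review bot: The two identical `&client->realm` arguments to krb5int_tgtname read like a copy-paste slip, because that helper takes (server realm, client realm) in that order and here they are deliberately the same realm; a one-line comment on the call would save the next reader a trip to tgtname.c: `/* Name the client's own TGT, krbtgt/<realm>@<realm>. */`. Since the helper now also stamps the principal with KRB5_NT_SRV_INST, it is worth confirming that the cache lookup that follows the hunk (`fetch tgt directly from cache`) does not compare name types, as a cached krbtgt entry may carry a different or unset type than the freshly built name. krb5_fwd_tgt_creds begins before and continues after this hunk.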
diff --git a/src/lib/krb5/krb/tgtname.c b/src/lib/krb5/krb/tgtname.c
index 416badd..534b39e 100644
--- a/src/lib/krb5/krb/tgtname.c
+++ b/src/lib/krb5/krb/tgtname.c
@@ -34,8 +34,19 @@
krb5_error_code
krb5int_tgtname(krb5_context context, const krb5_data *server, const krb5_data *client, krb5_principal *tgtprinc)
{
- return krb5_build_principal_ext(context, tgtprinc, client->length, client->data,
- KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
- server->length, server->data,
- 0);
+ krb5_error_code ret;
+
+ ret = krb5_build_principal_ext(context, tgtprinc, client->length, client->data,
+ KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
+ server->length, server->data,
+ 0);
+ if (ret)
+ return ret;
+ /*
+ * Windows Server 2008 R2 RODC insists on TGS principal names having the
+ * right name type.
+ */
+ krb5_princ_type(context, *tgtprinc) = KRB5_NT_SRV_INST;
+
+ return ret;
}
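Review bot: The final `return ret;` can only ever return 0, because the failure path already returned on the `if (ret)` line above it; writing `return 0;` states that directly instead of making a reader check whether the `krb5_princ_type` assignment could have touched `ret`. The function also has no header comment, and its argument order is easy to misuse since `client` supplies the principal's realm while `server` supplies the second name component; I would add above the definition a comment along the lines of `/* Build the TGS principal krbtgt/<server>@<client> for a client in realm client asking for a TGT usable in realm server. The name type is forced to KRB5_NT_SRV_INST because some KDCs (Windows Server 2008 R2 RODCs) reject TGS-REQs whose sname lacks it. */`. The in-body comment could then shrink to its "why" and name the krb5_princ_type line as the place the type is set.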