2c0634c50d
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/krb5.git#bfdc7c0b7be1f33f451a173fb1155450fbe25690
66 lines
2.5 KiB
Diff
66 lines
2.5 KiB
Diff
From ccc5b9663e229f20421c01836aa5ecb06f1f2a48 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Tue, 22 Sep 2020 01:17:11 +0300
|
|
Subject: [PATCH] Allow aliases when matching U2U second ticket
|
|
|
|
In process_tgs_req() when verifying the user-to-user second ticket,
|
|
compare the canonical names of the request server and the second
|
|
ticket client.
|
|
|
|
[ghudson@mit.edu: expanded commit message; trimmed tests]
|
|
|
|
ticket: 8951 (new)
|
|
(cherry picked from commit afc494ef9418e6be7fbb887364efa6606b10034a)
|
|
---
|
|
src/kdc/do_tgs_req.c | 2 +-
|
|
src/tests/t_u2u.py | 25 +++++++++++++++++++++++++
|
|
2 files changed, 26 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
|
index 463a9c0dd..74cd19e96 100644
|
|
--- a/src/kdc/do_tgs_req.c
|
|
+++ b/src/kdc/do_tgs_req.c
|
|
@@ -666,7 +666,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
|
|
*/
|
|
krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
|
|
krb5_principal client2 = t2enc->client;
|
|
- if (!krb5_principal_compare(kdc_context, request->server, client2)) {
|
|
+ if (!is_client_db_alias(kdc_context, server, client2)) {
|
|
altcprinc = client2;
|
|
errcode = KRB5KDC_ERR_SERVER_NOMATCH;
|
|
status = "2ND_TKT_MISMATCH";
|
|
diff --git a/src/tests/t_u2u.py b/src/tests/t_u2u.py
|
|
index 1ca6ac87e..4b8a82a2f 100644
|
|
--- a/src/tests/t_u2u.py
|
|
+++ b/src/tests/t_u2u.py
|
|
@@ -32,4 +32,29 @@ realm.run([kvno, '--u2u', realm.ccache, realm.user_princ])
|
|
|
|
realm.run([klist])
|
|
|
|
+realm.stop()
|
|
+
|
|
+# Load the test KDB module to test aliases
|
|
+testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
|
|
+ 'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
|
|
+ 'WIN10': {'keys': 'aes128-cts'}}
|
|
+kdcconf = {'realms': {'$realm': {'database_module': 'test'}},
|
|
+ 'dbmodules': {'test': {'db_library': 'test',
|
|
+ 'princs': testprincs,
|
|
+ 'alias': {'HOST/win10': 'WIN10'}}}}
|
|
+
|
|
+realm = K5Realm(kdc_conf=kdcconf, create_kdb=False)
|
|
+realm.start_kdc()
|
|
+
|
|
+# Create a second user principal and get tickets for it.
|
|
+u2u_ccache = 'FILE:' + os.path.join(realm.testdir, 'ccu2u')
|
|
+realm.extract_keytab('WIN10', realm.keytab)
|
|
+realm.kinit('WIN10', None, ['-k', '-c', u2u_ccache])
|
|
+
|
|
+realm.extract_keytab(realm.user_princ, realm.keytab)
|
|
+realm.kinit(realm.user_princ, None, ['-k'])
|
|
+
|
|
+realm.run([kvno, '--u2u', u2u_ccache, 'HOST/win10'], expected_msg='kvno = 0')
|
|
+realm.run([kvno, '--u2u', u2u_ccache, 'WIN10'], expected_msg='kvno = 0')
|
|
+
|
|
success('user-to-user tests')
|