third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import …

…lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4)) This allows HDB backends to do special handling for User2User TGS-REQs. The main reason is to let the HDB_F_GET_SERVER lookup to succeed even for non-computer accounts. In Samba these are typically not returned in HDB_F_GET_SERVER in order to avoid generating tickets with the user password. But for User2User the account password is not used, so it is safe to return the server entry. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abartlet@samba.org Adapted to be an import from lorikeet-heimdal as requested]
gd · Oct 16, 2023 · cbb8145 · cbb8145
1 parent c99fe11
commit cbb8145
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c
@@ -1375,6 +1375,7 @@ tgs_build_reply(astgs_request_t priv,
 
     Key *tkey_sign;
     int flags = HDB_F_FOR_TGS_REQ;
+    int server_flags;
 
     int result;
 
@@ -1396,6 +1397,10 @@ tgs_build_reply(astgs_request_t priv,
     if (b->kdc_options.canonicalize)
 	flags |= HDB_F_CANON;
 
+    server_flags = HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags;
+    if (b->kdc_options.enc_tkt_in_skey)
+	server_flags |= HDB_F_USER2USER_PRINCIPAL;
+
     if (s == NULL) {
 	ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
         _kdc_set_const_e_text(priv, "No server in request");
@@ -1433,7 +1438,7 @@ tgs_build_reply(astgs_request_t priv,
         _kdc_free_ent(context, serverdb, priv->server);
     priv->server = NULL;
     ret = _kdc_db_fetch(context, config, priv->server_princ,
-                        HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags,
+                        server_flags,
 			NULL, &serverdb, &priv->server);
     priv->serverdb = serverdb;
     if (ret == HDB_ERR_NOT_FOUND_HERE) {

diff --git a/third_party/heimdal/lib/hdb/hdb.h b/third_party/heimdal/lib/hdb/hdb.h
@@ -78,6 +78,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_SYNTHETIC_OK	0x10000	/* synthetic principal for PKINIT or GSS preauth OK */
 #define HDB_F_GET_FAST_COOKIE	0x20000	/* fetch the FX-COOKIE key (not a normal principal) */
 #define HDB_F_ARMOR_PRINCIPAL	0x40000	/* fetch is for the client of an armor ticket */
+#define HDB_F_USER2USER_PRINCIPAL	0x80000	/* fetch is for the server of a user2user tgs-req */
 
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1