From 6abade3f8daed8dfa024936114209d19319c4f12 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Jun 08 2020 19:58:26 +0000 Subject: kdb: handle enterprise principal lookup in AS_REQ Refactoring of the get_principal() code in commit b5876f30d4000424cc8122498c411f812b3a0959 broke handling of enterprise principal lookup for AS request (kinit -E user@ipa.test@IPA.TEST). Related: https://pagure.io/freeipa/issue/8319 Signed-off-by: Alexander Bokovoy Reviewed-By: Rob Crittenden Reviewed-By: Rob Crittenden --- diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 312e8bc..cdfb322 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -1282,11 +1282,43 @@ static krb5_error_code dbget_princ(krb5_context kcontext, LDAPMessage *lentry; uint32_t pol; - /* Unparse without escaping '@' and '/' because we are going to use them - * in LDAP filters where escaping character '\' will be escaped and the - * result will never match. */ - kerr = krb5_unparse_name_flags(kcontext, search_for, - KRB5_PRINCIPAL_UNPARSE_DISPLAY, &principal); + + if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0 && + (flags & KRB5_KDB_FLAG_CANONICALIZE) != 0) { + + /* AS_REQ with canonicalization*/ + krb5_principal norm_princ = NULL; + + /* unparse the Kerberos principal without (our) outer realm. */ + kerr = krb5_unparse_name_flags(kcontext, search_for, + KRB5_PRINCIPAL_UNPARSE_NO_REALM | + KRB5_PRINCIPAL_UNPARSE_DISPLAY, + &principal); + if (kerr != 0) { + goto done; + } + + /* Re-parse the principal to normalize it. Innner realm becomes + * the realm if present. If no inner realm, our default realm + * will be used instead (as it was before). */ + kerr = krb5_parse_name(kcontext, principal, &norm_princ); + if (kerr != 0) { + goto done; + } + /* Unparse without escaping '@' and '/' because we are going to use them + * in LDAP filters where escaping character '\' will be escaped and the + * result will never match. */ + kerr = krb5_unparse_name_flags(kcontext, norm_princ, + KRB5_PRINCIPAL_UNPARSE_DISPLAY, &principal); + krb5_free_principal(kcontext, norm_princ); + } else { + /* Unparse without escaping '@' and '/' because we are going to use them + * in LDAP filters where escaping character '\' will be escaped and the + * result will never match. */ + kerr = krb5_unparse_name_flags(kcontext, search_for, + KRB5_PRINCIPAL_UNPARSE_DISPLAY, &principal); + } + if (kerr != 0) { goto done; } @@ -1483,9 +1515,6 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext, } if (!is_request_for_us(kcontext, ipactx->local_tgs, search_for)) { - krb5_klog_syslog(LOG_INFO, - "ipadb_get_principal: requested principal " - "is not for our realm\n"); return KRB5_KDB_NOENTRY; }