From 04a1802749b6ebf72730357b06bf8cabe09ebb01 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 24 May 2017 16:10:26 +0200
Subject: [PATCH 139/141] krb5: accept changed principal if
krb5_canonicalize=True
Currently SSSD accepts significant changes in the principal only if
krb5_use_enterprise_principal=True. But canonicalization can lead to
similar changes so they should be accepted in this case as well.
Resolves:
https://pagure.io/SSSD/sssd/issue/3408
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit ca95807a9060e454ee68f6f30558d6f7ee968c39)
---
src/providers/krb5/krb5_auth.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 894bd41bde031ac33187bfa3b14202e9429a9198..03ea9d88cac67919d4b9ba3a1cf2efa208662195 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -829,6 +829,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
char *renew_interval_str;
time_t renew_interval_time = 0;
bool use_enterprise_principal;
+ bool canonicalize;
ret = handle_child_recv(subreq, pd, &buf, &len);
talloc_zfree(subreq);
@@ -908,6 +909,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
KRB5_USE_ENTERPRISE_PRINCIPAL);
+ canonicalize = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_CANONICALIZE);
/* Check if the cases of our upn are correct and update it if needed.
* Fail if the upn differs by more than just the case for non-enterprise
@@ -915,6 +917,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
if (res->correct_upn != NULL &&
strcmp(kr->upn, res->correct_upn) != 0) {
if (strcasecmp(kr->upn, res->correct_upn) == 0 ||
+ canonicalize == true ||
use_enterprise_principal == true) {
talloc_free(kr->upn);
kr->upn = talloc_strdup(kr, res->correct_upn);
--
2.9.4