ipa-kdb: S4U2Proxy target should use a service name without realm

According to new Samba Kerberos tests and [MS-SFU] 3.2.5.2.4
'KDC Replies with Service Ticket', the target should not include the
realm.

Fixes: https://pagure.io/freeipa/issue/9031

Pair-programmed-with: Andreas Schneider <asn@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Andreas Schneider <asn@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Alexander Bokovoy
2021-10-28 11:01:08 +03:00
committed by Rob Crittenden
parent 443a99060c
commit 6828273b56

@@ -1847,7 +1847,10 @@ static krb5_error_code ipadb_add_transited_service(krb5_context context,
krb5_free_data_contents(context, &pac_blob);
memset(&pac_blob, 0, sizeof(krb5_data));
kerr = krb5_unparse_name(context, proxy->princ, &tmpstr);
kerr = krb5_unparse_name_flags(context, proxy->princ,
KRB5_PRINCIPAL_UNPARSE_NO_REALM |
KRB5_PRINCIPAL_UNPARSE_DISPLAY,
&tmpstr);
if (kerr != 0) {
goto done;
}
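
Review bot: the new krb5_unparse_name_flags() call has no comment explaining why the realm is dropped, and the commit message justifies only KRB5_PRINCIPAL_UNPARSE_NO_REALM, not KRB5_PRINCIPAL_UNPARSE_DISPLAY. A short comment above the call citing [MS-SFU] 3.2.5.2.4 would keep a later cleanup from reverting to krb5_unparse_name(). The DISPLAY flag also turns off escaping of special characters in name components, so the string in tmpstr is no longer guaranteed to round-trip through krb5_parse_name(); if that is intended for the transited service entry, say so in the comment, otherwise consider passing KRB5_PRINCIPAL_UNPARSE_NO_REALM alone.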