[Heimdal-source-changes] [heimdal/heimdal] c6d00f: Revert "KDC: Allow hdb to set the issued ticket's ...

GitHub noreply at github.com
Sat Jan 5 04:01:27 CET 2019


  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: c6d00f250296ee49822025b52e9b75b67a85e194
      https://github.com/heimdal/heimdal/commit/c6d00f250296ee49822025b52e9b75b67a85e194
  Author: Luke Howard <lukeh at padl.com>
  Date:   2019-01-05 (Sat, 05 Jan 2019)

  Changed paths:
    M kdc/krb5tgs.c

  Log Message:
  -----------
  Revert "KDC: Allow hdb to set the issued ticket's realm"

This reverts commit c555ed6a1f7ddb1cb391326140a0c30a68a9b700.


  Commit: 6bb8eaca2052967bbda194e2c2bc0622b18a4d2f
      https://github.com/heimdal/heimdal/commit/6bb8eaca2052967bbda194e2c2bc0622b18a4d2f
  Author: Luke Howard <lukeh at padl.com>
  Date:   2019-01-05 (Sat, 05 Jan 2019)

  Changed paths:
    M kdc/krb5tgs.c
    M lib/hdb/common.c
    M lib/hdb/hdb.asn1

  Log Message:
  -----------
  hdb: dereference principal aliases in all KDC lookups (#452)

e11abf41 added support in libhdb for always dereferencing principal aliases
during an AS-REQ (where dereferencing refers to enabling alias lookups, and
rewriting the returned entry with the alias name unless canonicalization was
enabled).

Due to the KDC setting HDB_F_FOR_AS_REQ for all lookups from the AS, this
allowed aliases on the TGS itself to be dereferenced during an AS-REQ; however,
on presenting the TGT, the TGS would fail to resolve. Creating an explicit TGS
principal for the aliased realm would work (at least prior to c555ed6a), but
this could be confusing to deploy.

This commit enables alias dereferencing when HDB_F_GET_ANY is set,
which essentially means dereference whenever the request is coming from the KDC
(as opposed to, say, kadmin).

We also back out c555ed6a, which changed the TGS to always canonicalize the
server realm, as this breaks serving multiple realms from a single KDC, where
server principals in different realms share a single canonical entry.
HDB_F_CANON is now passed to the backend as a hint only, and per RFC 6806 the
principal name is never changed in TGS replies. (However, for Samba interop,
backends can override this by setting the force-canonicalize HDB flag.)
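The lookup rule the message describes (alias dereferencing gated on a KDC flag, HDB_F_CANON treated as a hint, and the backend's force-canonicalize flag overriding it), modelled in C as an added example. This is not Heimdal's libhdb code: the flag bit values, the struct layout, the hdb_model_* and tgs_can_resolve_tgt names and the sample database are assumptions made for the illustration; only the flag names HDB_F_CANON, HDB_F_FOR_AS_REQ, HDB_F_GET_ANY and the force-canonicalize flag come from the commit message. The `deref_mask` parameter lets the same model reproduce the pre-commit gate (HDB_F_FOR_AS_REQ) and the post-commit gate (HDB_F_GET_ANY), so the TGT-resolution failure the message reports can be seen directly.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed bit values chosen for this model; only the names come from the
 * commit message. */
#define HDB_F_CANON       0x0001u
#define HDB_F_FOR_AS_REQ  0x0002u
#define HDB_F_GET_ANY     0x0004u

#define MAX_ALIASES 4

/* Hypothetical HDB entry: one canonical name plus a NULL-terminated alias list. */
struct hdb_model_entry {
    const char *canonical;
    const char *aliases[MAX_ALIASES];
    bool force_canonicalize;   /* models the force-canonicalize HDB flag */
};

/* Result of a modelled lookup: the entry found (NULL if none) and the name
 * the KDC should place in its reply. */
struct hdb_model_result {
    const struct hdb_model_entry *entry;
    const char *name;
};

/* Constructed sample database: a single KDC serving EXAMPLE.COM whose TGS
 * entry is aliased for a second realm, EXAMPLE.NET. */
static const struct hdb_model_entry sample_db[] = {
    { "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
      { "krbtgt/EXAMPLE.NET@EXAMPLE.NET", NULL }, false },
    { "host/kdc.example.com@EXAMPLE.COM", { NULL }, false },
};
#define SAMPLE_DB_LEN (sizeof sample_db / sizeof sample_db[0])

/* Modelled lookup. deref_mask is the flag bit that gates alias dereferencing:
 * HDB_F_FOR_AS_REQ reproduces the behaviour before this commit,
 * HDB_F_GET_ANY the behaviour after it. */
struct hdb_model_result
hdb_model_lookup(const struct hdb_model_entry *db, size_t n,
                 const char *requested, unsigned flags, unsigned deref_mask)
{
    struct hdb_model_result r = { NULL, NULL };
    for (size_t i = 0; i < n; i++) {
        const struct hdb_model_entry *e = &db[i];
        if (strcmp(e->canonical, requested) == 0) {
            r.entry = e;
            r.name = e->canonical;     /* direct hit: nothing to rewrite */
            return r;
        }
        if ((flags & deref_mask) == 0)
            continue;                  /* alias lookups disabled for this caller */
        for (size_t a = 0; a < MAX_ALIASES && e->aliases[a] != NULL; a++) {
            if (strcmp(e->aliases[a], requested) != 0)
                continue;
            r.entry = e;
            /* HDB_F_CANON is only a hint; the backend's force-canonicalize
             * flag is the other way the canonical name gets returned. */
            if ((flags & HDB_F_CANON) || e->force_canonicalize)
                r.name = e->canonical;
            else
                r.name = e->aliases[a];   /* keep the name the client asked for */
            return r;
        }
    }
    return r;
}

/* Walks the scenario from the message: an AS-REQ in the aliased realm obtains a
 * TGT naming the alias, then a TGS-REQ presents that TGT. Returns whether the
 * TGS lookup resolves under the given dereferencing gate. */
bool tgs_can_resolve_tgt(unsigned deref_mask)
{
    /* The AS sets HDB_F_GET_ANY and HDB_F_FOR_AS_REQ on its lookups. */
    struct hdb_model_result as = hdb_model_lookup(sample_db, SAMPLE_DB_LEN,
        "krbtgt/EXAMPLE.NET@EXAMPLE.NET",
        HDB_F_GET_ANY | HDB_F_FOR_AS_REQ, deref_mask);
    if (as.entry == NULL)
        return false;
    /* The TGS lookup for the presented TGT carries only HDB_F_GET_ANY. */
    struct hdb_model_result tgs = hdb_model_lookup(sample_db, SAMPLE_DB_LEN,
        as.name, HDB_F_GET_ANY, deref_mask);
    return tgs.entry != NULL;
}

int main(void)
{
    printf("gate=HDB_F_FOR_AS_REQ (before): TGS resolves TGT? %s\n",
           tgs_can_resolve_tgt(HDB_F_FOR_AS_REQ) ? "yes" : "no");
    printf("gate=HDB_F_GET_ANY    (after):  TGS resolves TGT? %s\n",
           tgs_can_resolve_tgt(HDB_F_GET_ANY) ? "yes" : "no");
    return 0;
}
```

With the pre-commit gate the AS-REQ succeeds but the follow-up TGS lookup, which lacks HDB_F_FOR_AS_REQ, never consults the alias list and fails; with HDB_F_GET_ANY as the gate both lookups resolve, and the reply name stays the alias unless HDB_F_CANON or force-canonicalize is in effect.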


Compare: https://github.com/heimdal/heimdal/compare/2287c250b2ea...6bb8eaca2052