hdb: force canonicalization of enterprise principal names

Whilst Windows does not canonicalize enterprise principal names if the canonicalize flag is unset, the original specification in draft-ietf-krb-wg-kerberos-referrals-03.txt says we should. Non-Windows deployments of Heimdals are unlikely to understand enterprise principal names in tickets, and are also unlikely to set the canonicalize flag, so this makes sense. (It was also the behavior prior to moving the name canonicalization logic into the KDC.)
heimdal · Jan 6, 2019 · 9750f2d · 9750f2d
1 parent 4ea5cc2
commit 9750f2d
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/lib/hdb/common.c b/lib/hdb/common.c
@@ -119,7 +119,6 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
 	if (ret)
 	    return ret;
 	principal = enterprise_principal;
-	flags |= HDB_F_CANON; /* enterprise implies canonicalization */
     }
 
     hdb_principal2key(context, principal, &key);
@@ -192,6 +191,14 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
 	    }
 	}
     }
+    if (enterprise_principal) {
+	/*
+	 * Whilst Windows does not canonicalize enterprise principal names if
+	 * the canonicalize flag is unset, the original specification in
+	 * draft-ietf-krb-wg-kerberos-referrals-03.txt says we should.
+	 */
+	entry->entry.flags.force_canonicalize = 1;
+    }
 
     return 0;
 }