Set pkinit_kdc_hostname when known
Since Windows doesn't use id-pkinit-san in its certificates, it is necessary to manually configure which hosts are valid KDCs. In the case where a kdcUrl (or hostname) is provided to us, we can do that configuration ourselves.
parent
7b0b273ec1
commit
201b743f20
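--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -153,6 +153,9 @@ krb5_error_code krb5glue_get_init_creds(krb5_context ctx, krb5_principal princ,
 	{
 		const char* names[4] = { 0 };
 		char* realm = NULL;
+		char* host_start = NULL;
+		char* host_end = NULL;
+		char tmp = '\0';
 
 		if ((rv = krb5_get_profile(ctx, &profile)))
 			goto cleanup;
@@ -171,6 +174,25 @@ krb5_error_code krb5glue_get_init_creds(krb5_context ctx, krb5_principal princ,
 		profile_clear_relation(profile, names);
 		profile_add_relation(profile, names, krb_settings->kdcUrl);
 
+		/* Since we know who the KDC is, tell krb5 that its certificate is valid for pkinit */
+		names[2] = "pkinit_kdc_hostname";
+
+		/* If kdcUrl is in URL form, get the hostname portion */
+		host_start = strstr(krb_settings->kdcUrl, "://");
+		if (host_start)
+			host_start += 3;
+		else
+			host_start = krb_settings->kdcUrl;
+
+		host_end = strchr(host_start, '/');
+		if (!host_end)
+			host_end = strchr(host_start, '\0');
+
+		tmp = *host_end;
+		*host_end = '\0';
+		profile_add_relation(profile, names, krb_settings->kdcUrl);
+		*host_end = tmp;
+
 		free(realm);
 
 		if ((rv = profile_flush_to_file(profile, tmp_profile_path)))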
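Review bot: The second hunk temporarily overwrites a byte of `krb_settings->kdcUrl` (`*host_end = '\0'` … `*host_end = tmp`) to hand `profile_add_relation` a host-only string, which writes through caller-owned settings; if that buffer is ever read-only or shared with another thread this is undefined behaviour or a race, and any early exit added between the two stores later would leave the URL truncated. Copying the host span into a local buffer keeps the settings untouched and makes the pkinit_kdc_hostname value self-contained, which matters because this setting relaxes KDC certificate checking to a hostname match and so must hold exactly the host the caller trusts. Note also that `host_end` stops only at `/` or the terminator, so a `host:port` form (or a bracketed IPv6 literal) would presumably be stored with the suffix intact — worth confirming against what krb5 expects for `pkinit_kdc_hostname`. The enclosing `krb5glue_get_init_creds` begins before the first hunk and ends after the second.
```c
		/* … unchanged: locate host_start / host_end in krb_settings->kdcUrl … */
		{
			size_t host_len = (size_t)(host_end - host_start);
			char* host = calloc(host_len + 1, 1);
			if (!host)
			{
				/* NOTE: release realm here too unless cleanup already does */
				rv = ENOMEM;
				goto cleanup;
			}
			memcpy(host, host_start, host_len);
			profile_add_relation(profile, names, host);
			free(host);
		}
```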