From 57cc6b9c1232832312cc83a5ba0fd9061bfe5188 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Thu, 12 Nov 2009 00:51:46 +0100
Subject: [PATCH 1/2] s3-kerberos: add smb_krb5_principal_get_realm().

Guenther
---
 source3/include/includes.h | 3 ++-
 source3/libsmb/clikrb5.c | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletions(-)

diff --git a/source3/include/includes.h b/source3/include/includes.h
index 4dee258..ea9a159 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -1025,7 +1025,8 @@ int smb_krb5_kt_add_entry_ext(krb5_context context,
 krb5_data password,
 bool no_salt,
 bool keep_old_entries);
-
+char *smb_krb5_principal_get_realm(krb5_context context,
+ krb5_principal principal);
 #endif /* HAVE_KRB5 */
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 76d99c1..6e6793b 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -1941,6 +1941,31 @@ krb5_error_code krb5_auth_con_set_req_cksumtype(
 }
 #endif
+/*
+ * smb_krb5_principal_get_realm
+ *
+ * @brief Get realm of a principal
+ *
+ * @param[in] context The krb5_context
+ * @param[in] principal The principal
+ * @return pointer to the realm
+ *
+ */
+
+char *smb_krb5_principal_get_realm(krb5_context context,
+ krb5_principal principal)
+{
+#ifdef HAVE_KRB5_PRINCIPAL_GET_REALM /* Heimdal */
+ return krb5_principal_get_realm(context, principal);
+#elif defined(krb5_princ_realm) /* MIT */
+ krb5_data *realm;
+ realm = krb5_princ_realm(context, principal);
+ return (char *)realm->data;
+#else
+ return NULL;
+#endif
+}
+
 #else /* HAVE_KRB5 */
 /* this saves a few linking headaches */
 int cli_krb5_get_ticket(const char *principal, time_t time_offset,
-- 
1.6.5.2

From f1b113d989b8596638331e13e8f7af28a7895173 Mon Sep 17 00:00:00 2001
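Review bot: In the MIT branch of `smb_krb5_principal_get_realm()` the function returns `realm->data` cast to `char *`, but `krb5_data` is a length-counted buffer and `realm->length` is never consulted, so any caller that treats the result as a C string (the second patch in this series calls `strlen(realm)` on it) relies on the library happening to NUL-terminate that buffer. The header comment also does not say that the pointer is borrowed from `principal`, so it must not be freed and is no longer valid once `krb5_free_principal()` has run. I would either return a length-bounded copy that the caller frees, or at least state the contract in the comment, e.g. `* @return borrowed pointer into principal (do not free; invalid after krb5_free_principal()); NUL-termination is not guaranteed by the MIT API`. The `#else` branch returns NULL, so every caller has to check the result before use.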
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Thu, 12 Nov 2009 00:52:38 +0100
Subject: [PATCH 2/2] cifs.upcall: Fix Bug #6868: support building with Heimdal we well as with MIT.

Guenther
(cherry picked from commit b29eed492f1c056adb0b53510be10e738276ca11)
---
 source3/client/cifs.upcall.c | 34 ++++++++++++++++------------------
 1 files changed, 16 insertions(+), 18 deletions(-)

diff --git a/source3/client/cifs.upcall.c b/source3/client/cifs.upcall.c
index 71e60c6..ecd0348 100644
--- a/source3/client/cifs.upcall.c
+++ b/source3/client/cifs.upcall.c
@@ -44,18 +44,6 @@ typedef enum _sectype {
 MS_KRB5
 } sectype_t;
-static inline int
-k5_data_equal(krb5_data d1, krb5_data d2, unsigned int length)
-{
- if (!length)
- length = d1.length;
-
- return (d1.length == length &&
- d1.length == d2.length &&
- memcmp(d1.data, d2.data, length) == 0);
-
-}
-
 /* does the ccache have a valid TGT? */
 static time_t
 get_tgt_time(const char *ccname) {
@@ -64,9 +52,8 @@ get_tgt_time(const char *ccname) {
 krb5_cc_cursor cur;
 krb5_creds creds;
 krb5_principal principal;
- krb5_data tgt = { .data = "krbtgt",
- .length = 6 };
 time_t credtime = 0;
+ char *realm = NULL;
 if (krb5_init_context(&context)) {
 syslog(LOG_DEBUG, "%s: unable to init krb5 context", __func__);
@@ -93,16 +80,27 @@ get_tgt_time(const char *ccname) {
 goto err_ccstart;
 }
+ if ((realm = smb_krb5_principal_get_realm(context, principal)) == NULL) {
+ syslog(LOG_DEBUG, "%s: unable to get realm", __func__);
+ goto err_ccstart;
+ }
+
 while (!credtime && !krb5_cc_next_cred(context, ccache, &cur, &creds)) {
- if (k5_data_equal(creds.server->realm, principal->realm, 0) &&
- k5_data_equal(creds.server->data[0], tgt, tgt.length) &&
- k5_data_equal(creds.server->data[1], principal->realm, 0) &&
+ char *name;
+ if (smb_krb5_unparse_name(NULL, context, creds.server, &name)) {
+ syslog(LOG_DEBUG, "%s: unable to unparse name", __func__);
+ goto err_endseq;
+ }
+ if (krb5_realm_compare(context, creds.server, principal) &&
+ strnequal(name, KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE) &&
+ strnequal(name+KRB5_TGS_NAME_SIZE+1, realm, strlen(realm)) &&
 creds.times.endtime > time(NULL))
 credtime = creds.times.endtime;
 krb5_free_cred_contents(context, &creds);
+ TALLOC_FREE(name);
 }
+err_endseq:
 krb5_cc_end_seq_get(context, ccache, &cur);
-
 err_ccstart:
 krb5_free_principal(context, principal);
 err_princ:
-- 
1.6.5.2
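Review bot: The TGT match in the `while` loop is now a pair of prefix comparisons on the unparsed name and no longer checks component boundaries: nothing verifies that `name[KRB5_TGS_NAME_SIZE]` is `/` or that the realm component ends where `realm` does, so a cache entry named `krbtgt/<realm><suffix>@<realm>` would pass all three tests, whereas the removed `k5_data_equal()` calls compared whole components by length. I would add `name[KRB5_TGS_NAME_SIZE] == '/' &&` after the first `strnequal()` and `name[KRB5_TGS_NAME_SIZE + 1 + strlen(realm)] == '@' &&` after the second; if `strnequal()` is Samba's case-insensitive helper, the realm test is also looser than Kerberos realm matching, which is case-sensitive. Separately, the `goto err_endseq` taken when `smb_krb5_unparse_name()` fails skips `krb5_free_cred_contents(context, &creds)` for the entry just returned by `krb5_cc_next_cred()`, so that call should be made before the jump. `get_tgt_time()` begins and ends outside this hunk.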