diff options
author | Stefan Metzmacher <metze@samba.org> | 2011-04-07 14:40:54 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2011-05-18 07:46:36 +0200 |
commit | 2c46585a428eb224755892884af6bcb0d16df463 (patch) | |
tree | c73dc0fc3b54310c03c36010ca637b46c11ffb5c | |
parent | 3797e465439ec146cde2b041a553c6dcf1eb9683 (diff) | |
download | samba-2c46585a428eb224755892884af6bcb0d16df463.tar.gz samba-2c46585a428eb224755892884af6bcb0d16df463.tar.bz2 samba-2c46585a428eb224755892884af6bcb0d16df463.zip |
HEIMDAL:kdc: check and regenerate the PAC in the s4u2proxy case
TODO: we need to add a S4U_DELEGATION_INFO to the PAC later.
metze
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 51 |
1 files changed, 38 insertions, 13 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 522eeda71b..66170cb29f 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -2004,11 +2004,23 @@ server_lookup: goto out; } + ret = _krb5_principalname2krb5_principal(context, + &tp, + adtkt.cname, + adtkt.crealm); + if (ret) + goto out; + + ret = krb5_unparse_name(context, tp, &tpn); + if (ret) + goto out; + /* check that ticket is valid */ if (adtkt.flags.forwardable == 0) { kdc_log(context, config, 0, "Missing forwardable flag on ticket for " - "constrained delegation from %s to %s ", cpn, spn); + "constrained delegation from %s as %s to %s ", + cpn, tpn, spn); ret = KRB5KDC_ERR_BADOPTION; goto out; } @@ -2017,24 +2029,37 @@ server_lookup: client, sp); if (ret) { kdc_log(context, config, 0, - "constrained delegation from %s to %s not allowed", - cpn, spn); + "constrained delegation from %s as %s to %s not allowed", + cpn, tpn, spn); goto out; } - ret = _krb5_principalname2krb5_principal(context, - &tp, - adtkt.cname, - adtkt.crealm); - if (ret) - goto out; - - ret = krb5_unparse_name(context, tp, &tpn); - if (ret) + ret = verify_flags(context, config, &adtkt, tpn); + if (ret) { goto out; + } - ret = verify_flags(context, config, &adtkt, tpn); + krb5_data_free(&rspac); + /* + * generate the PAC for the user. + * + * TODO: pass in t->sname and t->realm and build + * a S4U_DELEGATION_INFO blob to the PAC. + */ + ret = check_PAC(context, config, tp, + client, server, krbtgt, + &clientkey->key, &tkey_check->key, + ekey, &tkey_sign->key, + &adtkt, &rspac, &ad_signedpath); + if (ret == 0 && !ad_signedpath) + ret = KRB5KDC_ERR_BADOPTION; if (ret) { + const char *msg = krb5_get_error_message(context, ret); + kdc_log(context, config, 0, + "Verify delegated PAC failed to %s for client" + "%s as %s from %s with %s", + spn, cpn, tpn, from, msg); + krb5_free_error_message(context, msg); goto out; } |