authorStefan Metzmacher <metze@samba.org>2011-04-07 14:40:54 +0200
committerStefan Metzmacher <metze@samba.org>2011-05-18 07:46:36 +0200
commit2c46585a428eb224755892884af6bcb0d16df463 (patch)
treec73dc0fc3b54310c03c36010ca637b46c11ffb5c
parent3797e465439ec146cde2b041a553c6dcf1eb9683 (diff)
HEIMDAL:kdc: check and regenerate the PAC in the s4u2proxy case
TODO: we need to add a S4U_DELEGATION_INFO to the PAC later. metze
-rw-r--r--source4/heimdal/kdc/krb5tgs.c51
1 files changed, 38 insertions, 13 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 522eeda71b..66170cb29f 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -2004,11 +2004,23 @@ server_lookup:
goto out;
}
+ ret = _krb5_principalname2krb5_principal(context,
+ &tp,
+ adtkt.cname,
+ adtkt.crealm);
+ if (ret)
+ goto out;
+
+ ret = krb5_unparse_name(context, tp, &tpn);
+ if (ret)
+ goto out;
+
/* check that ticket is valid */
if (adtkt.flags.forwardable == 0) {
kdc_log(context, config, 0,
"Missing forwardable flag on ticket for "
- "constrained delegation from %s to %s ", cpn, spn);
+ "constrained delegation from %s as %s to %s ",
+ cpn, tpn, spn);
ret = KRB5KDC_ERR_BADOPTION;
goto out;
}
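Review bot: `tp` and `tpn` are now live on the `goto out` paths taken at the forwardable-flag rejection and at the two `if (ret)` failures above it, so the `out` label (outside this hunk) must free both and they must be initialised to NULL at declaration — neither is visible here and both are worth confirming. They are derived from the evidence ticket's cname/crealm before any of that ticket's flags have been validated, so they should remain logging-only until verify_flags and the PAC check have passed, which is what the later hunk does. A one-line comment at the first call would make that intent explicit: `/* tp/tpn: impersonated user from the evidence ticket; logging-only until the ticket is verified */`. The enclosing function starts before and ends after this hunk.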
@@ -2017,24 +2029,37 @@ server_lookup:
client, sp);
if (ret) {
kdc_log(context, config, 0,
- "constrained delegation from %s to %s not allowed",
- cpn, spn);
+ "constrained delegation from %s as %s to %s not allowed",
+ cpn, tpn, spn);
goto out;
}
- ret = _krb5_principalname2krb5_principal(context,
- &tp,
- adtkt.cname,
- adtkt.crealm);
- if (ret)
- goto out;
-
- ret = krb5_unparse_name(context, tp, &tpn);
- if (ret)
+ ret = verify_flags(context, config, &adtkt, tpn);
+ if (ret) {
goto out;
+ }
- ret = verify_flags(context, config, &adtkt, tpn);
+ krb5_data_free(&rspac);
+ /*
+ * generate the PAC for the user.
+ *
+ * TODO: pass in t->sname and t->realm and build
+ * a S4U_DELEGATION_INFO blob to the PAC.
+ */
+ ret = check_PAC(context, config, tp,
+ client, server, krbtgt,
+ &clientkey->key, &tkey_check->key,
+ ekey, &tkey_sign->key,
+ &adtkt, &rspac, &ad_signedpath);
+ if (ret == 0 && !ad_signedpath)
+ ret = KRB5KDC_ERR_BADOPTION;
if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0,
+ "Verify delegated PAC failed to %s for client"
+ "%s as %s from %s with %s",
+ spn, cpn, tpn, from, msg);
+ krb5_free_error_message(context, msg);
goto out;
}
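Review bot: The failure log on the new check_PAC path joins the literals `"... for client"` and `"%s as %s from %s with %s"` with no separator, so the emitted message reads `for client<cpn> as ...`; change the first literal to `"Verify delegated PAC failed to %s for client "` (trailing space). The PAC is verified as belonging to the impersonated user `tp` while `client` remains the delegating service's entry, and the key arguments (`&clientkey->key` for the evidence ticket's server checksum, `ekey` and `&tkey_sign->key` for re-signing) read as consistent with that ticket having been issued to the delegating service, but a sentence in the block comment stating that mapping would save the next reader from having to re-derive the parameter order. Rejecting `!ad_signedpath` with KRB5KDC_ERR_BADOPTION is the right default — a PAC without a trusted signed path should not be allowed to mint a delegated ticket — though whether check_PAC returns 0 with ad_signedpath cleared for an evidence ticket carrying no PAC at all is not visible here and should be confirmed. The enclosing function continues past both ends of this hunk.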