authorAndrew Bartlett <abartlet@samba.org>2010-03-27 23:09:31 +1100
committerAndrew Bartlett <abartlet@samba.org>2010-04-10 21:40:58 +1000
commit1d59abc724a9ad01fdc61f3e6cfdf41c9f4cb910 (patch)
treee62ae543354023b376e7e8ba135d1583f105ecaa
parentaecaddfa1b2a55c9cc91c3644947c3686714ceb5 (diff)
s4:heimdal Add hooks to check with the DB before we allow s4u2self
This allows us to resolve multiple forms of a name, allowing for example machine$@REALM to get an S4U2Self ticket for host/machine@REALM. Andrew Bartlett
-rw-r--r--source4/heimdal/kdc/krb5tgs.c40
-rw-r--r--source4/heimdal/lib/hdb/hdb.h7
2 files changed, 42 insertions, 5 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 53c0a589ba..ca650645de 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -486,7 +486,7 @@ check_tgs_flags(krb5_context context,
}
/*
- *
+ * Determine if constrained delegation is allowed from this client to this server
*/
static krb5_error_code
@@ -529,6 +529,38 @@ check_constrained_delegation(krb5_context context,
}
/*
+ * Determine if s4u2self is allowed from this client to this server
+ *
+ * For example, regardless of the principal being impersonated, if the
+ * 'client' and 'server' are the same, then it's safe.
+ */
+
+static krb5_error_code
+check_s4u2self(krb5_context context,
+ krb5_kdc_configuration *config,
+ HDB *clientdb,
+ hdb_entry_ex *client,
+ krb5_const_principal server)
+{
+ const HDB_Ext_Constrained_delegation_acl *acl;
+ krb5_error_code ret;
+ int i;
+
+ /* if client does a s4u2self to itself, that ok */
+ if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
+ return 0;
+
+ if (clientdb->hdb_check_s4u2self) {
+ ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
+ if (ret == 0)
+ return 0;
+ } else {
+ ret = KRB5KDC_ERR_BADOPTION;
+ }
+ return ret;
+}
+
+/*
*
*/
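Review bot: `acl` and `i`, declared right after the opening brace of check_s4u2self, are never used in the body (and `config` is accepted but not read), so `const HDB_Ext_Constrained_delegation_acl *acl;` and `int i;` should be dropped to keep the build warning-free. A non-zero result from `hdb_check_s4u2self` is handed back unchanged, and the third hunk then logs it and returns it as the TGS error, so a backend lookup failure would presumably reach the client under the backend's own error code rather than KRB5KDC_ERR_BADOPTION as before; if that is not intended, normalise any non-zero hook result to KRB5KDC_ERR_BADOPTION before the `return ret;`. The header comment should also record the fail-closed default, e.g. ` * Without a backend hook only the client-to-itself case is permitted; every other request is refused with KRB5KDC_ERR_BADOPTION.` The reworded log text in the third hunk, `"to impersonate to service "`, reads awkwardly; `"to impersonate a user to this service "` says the same thing clearly.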
@@ -1783,13 +1815,13 @@ server_lookup:
* Check that service doing the impersonating is
* requesting a ticket to it-self.
*/
- if (krb5_principal_compare(context, cp, sp) != TRUE) {
+ ret = check_s4u2self(context, config, clientdb, client, sp);
+ if (ret) {
kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
- "to impersonate some other user "
+ "to impersonate to service "
"(tried for user %s to service %s)",
cpn, selfcpn, spn);
free(selfcpn);
- ret = KRB5KDC_ERR_BADOPTION; /* ? */
goto out;
}
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index d118555121..ad32a145c0 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -235,9 +235,14 @@ typedef struct HDB{
* Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
*/
krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
+
+ /**
+ * Check if s4u2self is allowed from this client to this server
+ */
+ krb5_error_code (*hdb_check_s4u2self)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
}HDB;
-#define HDB_INTERFACE_VERSION 6
+#define HDB_INTERFACE_VERSION 7
struct hdb_so_method {
int version;