diff options
author | Simo Sorce <idra@samba.org> | 2012-04-26 12:06:24 -0400 |
---|---|---|
committer | Simo Sorce <idra@samba.org> | 2012-05-04 16:51:28 +0200 |
commit | 3109a3de1f362e9dc42bceb81a393e2dbf80b7b2 (patch) | |
tree | c71c2e87cbe6e0e40ea8fff0d9c364efc82407ad | |
parent | 29d284c245c1b3458712c8140cd7b0d1ae175d1f (diff) | |
download | samba-3109a3de1f362e9dc42bceb81a393e2dbf80b7b2.tar.gz samba-3109a3de1f362e9dc42bceb81a393e2dbf80b7b2.tar.bz2 samba-3109a3de1f362e9dc42bceb81a393e2dbf80b7b2.zip |
Split normal kinit from s4u2 flavored kinit
This makes it simpler to slowly integrate MIT support and also amkes it
somewhat clearer what operation is really requested.
The 24u2 part is really only used by the cifs proxy code so we can temporarily
disable it in the MIT build w/o major consequences.
-rw-r--r-- | lib/krb5_wrap/krb5_samba.c | 82 | ||||
-rw-r--r-- | lib/krb5_wrap/krb5_samba.h | 20 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_util.c | 28 |
3 files changed, 92 insertions, 38 deletions
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 28cd6471ef..82c25103e7 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -1646,12 +1646,54 @@ done: return code; } +krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, + krb5_principal principal, + const char *password, + const char *target_service, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time) +{ + krb5_error_code code = 0; + krb5_creds my_creds; + + code = krb5_get_init_creds_password(ctx, &my_creds, principal, + password, NULL, NULL, 0, + target_service, krb_options); + if (code) { + return code; + } + + code = krb5_cc_initialize(ctx, cc, principal); + if (code) { + goto done; + } + + code = krb5_cc_store_cred(ctx, cc, &my_creds); + if (code) { + goto done; + } + + if (expire_time) { + *expire_time = (time_t) my_creds.times.endtime; + } + + if (kdc_time) { + *kdc_time = (time_t) my_creds.times.starttime; + } + + code = 0; +done: + krb5_free_cred_contents(ctx, &my_creds); + return code; +} + +#ifdef SAMBA4_USES_HEIMDAL /* simulate a kinit, putting the tgt in the given credentials cache. Orignally by remus@snapserver.com - The impersonate_principal is the principal if NULL, or the principal to - impersonate + The impersonate_principal is the principal The self_service, should be the local service (for S4U2Self if impersonate_principal is given). @@ -1660,16 +1702,16 @@ done: kpasswd/realm or a remote service (for S4U2Proxy) */ -krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, - krb5_ccache store_cc, - krb5_principal init_principal, - const char *init_password, - krb5_principal impersonate_principal, - const char *self_service, - const char *target_service, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, - time_t *kdc_time) +krb5_error_code kerberos_kinit_s4u2_cc(krb5_context ctx, + krb5_ccache store_cc, + krb5_principal init_principal, + const char *init_password, + krb5_principal impersonate_principal, + const char *self_service, + const char *target_service, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time) { krb5_error_code code = 0; krb5_get_creds_opt options; @@ -1687,21 +1729,12 @@ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_principal blacklist_principal = NULL; krb5_principal whitelist_principal = NULL; - if (impersonate_principal && self_service == NULL) { - return EINVAL; - } - - /* - * If we are not impersonating, then get this ticket for the - * target service, otherwise a krbtgt, and get the next ticket - * for the target - */ code = krb5_get_init_creds_password(ctx, &store_creds, init_principal, init_password, NULL, NULL, 0, - impersonate_principal ? NULL : target_service, + NULL, krb_options); if (code != 0) { return code; @@ -1709,10 +1742,6 @@ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, store_principal = init_principal; - if (impersonate_principal == NULL) { - goto store; - } - /* * We are trying S4U2Self now: * @@ -2040,6 +2069,7 @@ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, return 0; } +#endif /* * smb_krb5_principal_get_realm diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h index d235563a7b..864cda67bb 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h @@ -206,15 +206,25 @@ krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, time_t *expire_time, time_t *kdc_time); krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, - krb5_ccache store_cc, - krb5_principal init_principal, - const char *init_password, - krb5_principal impersonate_principal, - const char *self_service, + krb5_ccache cc, + krb5_principal principal, + const char *password, const char *target_service, krb5_get_init_creds_opt *krb_options, time_t *expire_time, time_t *kdc_time); +#ifdef SAMBA4_USES_HEIMDAL +krb5_error_code kerberos_kinit_s4u2_cc(krb5_context ctx, + krb5_ccache store_cc, + krb5_principal init_principal, + const char *init_password, + krb5_principal impersonate_principal, + const char *self_service, + const char *target_service, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time); +#endif char *smb_krb5_principal_get_realm(krb5_context context, krb5_principal principal); diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index 9933ca84c7..31a8405a7f 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -232,13 +232,27 @@ static krb5_error_code impersonate_principal_from_credentials( } #endif if (password) { - ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache, - princ, password, - impersonate_principal, - self_service, - target_service, - krb_options, - NULL, &kdc_time); + if (impersonate_principal) { +#ifdef SAMBA4_USES_HEIMDAL + ret = kerberos_kinit_s4u2_cc( + smb_krb5_context->krb5_context, + ccache, princ, password, + impersonate_principal, + self_service, target_service, + krb_options, NULL, &kdc_time); +#else + talloc_free(mem_ctx); + (*error_string) = "INTERNAL error: s4u2 ops " + "are not supported with MIT build yet"; + return EINVAL; +#endif + } else { + ret = kerberos_kinit_password_cc( + smb_krb5_context->krb5_context, + ccache, princ, password, + target_service, + krb_options, NULL, &kdc_time); + } } else if (impersonate_principal) { talloc_free(mem_ctx); (*error_string) = "INTERNAL error: Cannot impersonate principal with just a keyblock. A password must be specified in the credentials"; |