authorGünther Deschner <gd@samba.org>2009-11-05 19:10:55 +0100
committerGünther Deschner <gd@samba.org>2009-11-06 13:35:20 +0100
commit9e48dc2b78226bdacb8988509eaa93e5c9d92787 (patch)
treedfa8ad2d96c758c9b3e9c944a8f68df82ea7e54a /source3
parentbb01aae1b9eb1bede98b7d9a9c4920082db128fe (diff)
s3-kerberos: support S4U2SELF impersionation through cli_krb5_get_ticket().
Guenther
Diffstat (limited to 'source3')
-rw-r--r--source3/libads/authdata.c3
-rw-r--r--source3/libsmb/clikrb5.c25
2 files changed, 22 insertions, 6 deletions
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 8a6a35130b..98d418cf75 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -488,7 +488,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
&sesskey1,
0,
cc,
- NULL);
+ NULL,
+ impersonate_princ_s);
if (ret) {
DEBUG(1,("failed to get ticket for %s: %s\n",
local_service, error_message(ret)));
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 7ee2abf9c3..75abf1cbfd 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -673,10 +673,12 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
const char *principal,
krb5_ccache ccache,
krb5_data *outbuf,
- time_t *expire_time)
+ time_t *expire_time,
+ const char *impersonate_princ_s)
{
krb5_error_code retval;
krb5_principal server;
+ krb5_principal impersonate_princ = NULL;
krb5_creds * credsp;
krb5_creds creds;
krb5_data in_data;
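Review bot: The new `impersonate_princ_s` parameter of ads_krb5_mk_req has no comment, although it changes whose identity the requested ticket carries. A short comment above the function would make the contract explicit, for example `/* impersonate_princ_s: NULL for a normal request, otherwise the principal to request the ticket on behalf of (S4U2Self) */`. The signature starts above this hunk and the body continues past it, so check where an existing header comment would sit.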
@@ -690,7 +692,16 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
return retval;
}
-
+
+ if (impersonate_princ_s) {
+ retval = smb_krb5_parse_name(context, impersonate_princ_s,
+ &impersonate_princ);
+ if (retval) {
+ DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", impersonate_princ_s));
+ goto cleanup_princ;
+ }
+ }
+
/* obtain ticket & session key */
ZERO_STRUCT(creds);
if ((retval = krb5_copy_principal(context, server, &creds.server))) {
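Review bot: The failure message added for `impersonate_princ_s` repeats the text used for the service principal just above it, so a level-1 log cannot show which of the two names was rejected. Something like `DEBUG(1,("ads_krb5_mk_req: Failed to parse impersonation principal %s\n", impersonate_princ_s));` would separate them. Because taking this branch changes the identity in the issued ticket, a success-path line such as `DEBUG(3,("ads_krb5_mk_req: requesting ticket on behalf of %s\n", impersonate_princ_s));` would also give an audit trail of impersonation requests. An empty string passes the `if (impersonate_princ_s)` test and reaches the parser; whether it is rejected there is not visible in this hunk.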
@@ -702,7 +713,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
/* This can commonly fail on smbd startup with no ticket in the cache.
* Report at higher level than 1. */
- DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
+ DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
error_message(retval)));
goto cleanup_creds;
}
@@ -712,7 +723,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
if ((retval = smb_krb5_get_credentials(context, ccache,
creds.client,
creds.server,
- NULL,
+ impersonate_princ,
&credsp))) {
DEBUG(1,("ads_krb5_mk_req: smb_krb5_get_credentials failed for %s (%s)\n",
principal, error_message(retval)));
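Review bot: This hunk does not show whether `smb_krb5_get_credentials` returns an error when `impersonate_princ` is non-NULL but the Kerberos library in use lacks S4U2Self support. If the argument were silently ignored there, the caller would receive a ticket for the cache's own principal while assuming it belongs to the impersonated one, so that case should fail closed. The failure message below this call also prints only `principal`; adding the impersonated name when it is set would let failed impersonation attempts be told apart in logs. The surrounding function starts and ends outside this hunk.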
@@ -819,6 +830,9 @@ cleanup_creds:
cleanup_princ:
krb5_free_principal(context, server);
+ if (impersonate_princ) {
+ krb5_free_principal(context, impersonate_princ);
+ }
return retval;
}
@@ -876,7 +890,8 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset,
AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts,
principal,
ccdef, &packet,
- tgs_expire))) {
+ tgs_expire,
+ impersonate_princ_s))) {
goto failed;
}