summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2008-10-13 17:27:21 +0200
committerGünther Deschner <gd@samba.org>2009-11-06 12:44:15 +0100
commit5e266225108aa3335476cbe1214cc0f484c4fd02 (patch)
tree8e88a3bd3fc3dc898a7c5b04530e94403e3e630f /source3
parent4ffbfc4475c92b9190811bd189802ff265aa6846 (diff)
downloadsamba-5e266225108aa3335476cbe1214cc0f484c4fd02.tar.gz
samba-5e266225108aa3335476cbe1214cc0f484c4fd02.tar.bz2
samba-5e266225108aa3335476cbe1214cc0f484c4fd02.zip
s3-kerberos: add impersonate_principal for kerberos_return_pac_X calls.
Guenther
Diffstat (limited to 'source3')
-rw-r--r--source3/include/proto.h2
-rw-r--r--source3/libads/authdata.c26
-rw-r--r--source3/winbindd/winbindd_pam.c1
3 files changed, 28 insertions, 1 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index ae35e04aa3..0dbc1c7fed 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1707,6 +1707,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
+ const char *impersonate_princ_s,
struct PAC_DATA **pac_ret);
NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
const char *name,
@@ -1718,6 +1719,7 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
+ const char *impersonate_princ_s,
struct netr_SamInfo3 **info3);
/* The following definitions come from libads/cldap.c */
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 1499067612..8a6a35130b 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -388,6 +388,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
+ const char *impersonate_princ_s,
struct PAC_DATA **pac_ret)
{
krb5_error_code ret;
@@ -398,6 +399,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
const char *auth_princ = NULL;
const char *local_service = NULL;
const char *cc = "MEMORY:kerberos_return_pac";
+ krb5_creds *creds = NULL;
ZERO_STRUCT(tkt);
ZERO_STRUCT(ap_rep);
@@ -460,8 +462,26 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
(*expire_time == 0) && (*renew_till_time == 0)) {
return NT_STATUS_INVALID_LOGON_TYPE;
}
+#if 1
+ ret = smb_krb5_get_creds(local_service,
+ time_offset,
+ cc,
+ impersonate_princ_s,
+ &creds);
+ if (ret) {
+ DEBUG(1,("failed to get credentials for %s: %s\n",
+ local_service, error_message(ret)));
+ status = krb5_to_nt_status(ret);
+ goto out;
+ }
+ ret = smb_krb5_get_tkt_from_creds(creds, &tkt);
+ if (ret) {
+ status = krb5_to_nt_status(ret);
+ goto out;
+ }
+#else
ret = cli_krb5_get_ticket(local_service,
time_offset,
&tkt,
@@ -475,7 +495,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
status = krb5_to_nt_status(ret);
goto out;
}
-
+#endif
status = ads_verify_ticket(mem_ctx,
lp_realm(),
time_offset,
@@ -527,6 +547,7 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
+ const char *impersonate_princ_s,
struct PAC_LOGON_INFO **logon_info)
{
NTSTATUS status;
@@ -543,6 +564,7 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
request_pac,
add_netbios_addr,
renewable_time,
+ impersonate_princ_s,
&pac_data);
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -577,6 +599,7 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
+ const char *impersonate_princ_s,
struct netr_SamInfo3 **info3)
{
NTSTATUS status;
@@ -592,6 +615,7 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
request_pac,
add_netbios_addr,
renewable_time,
+ impersonate_princ_s,
&logon_info);
if (!NT_STATUS_IS_OK(status)) {
return status;
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 43f81f79ae..755f703d63 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -627,6 +627,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
true,
true,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ NULL,
info3);
if (!internal_ccache) {
gain_root_privilege();