author | Stefan Metzmacher <metze@samba.org> | 2011-04-22 11:22:50 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2011-05-18 07:46:39 +0200 |
commit | a41efe6802da4e81a4af72aa231daa00f5012ab8 (patch) | |
tree | 2f0d6a9bfac436b06eae0bfd22fe76a82d342ed2 /source4/auth/credentials/credentials_krb5.c | |
parent | c6836c8ede90a97a31c208a0057cffe78ed5a3d9 (diff) | |
s4:auth/credentials: pass 'self_service' to cli_credentials_set_impersonate_principal()
This also adds a cli_credentials_get_self_service() helper function.
In order to support S4U2Proxy we need to be able to set
the service principal for the S4U2Self step independent of the
target principal.
metze
Diffstat (limited to 'source4/auth/credentials/credentials_krb5.c')
-rw-r--r-- | source4/auth/credentials/credentials_krb5.c | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index d3925a01f6..5883282c25 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -788,19 +788,35 @@ _PUBLIC_ void cli_credentials_set_salt_principal(struct cli_credentials *cred, c
  * member of the domain to get the groups of a user. This is also
  * known as S4U2Self
  */
-const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred)
 {
  return cred->impersonate_principal;
 }
 
-_PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials *cred, const char *principal)
+/*
+ * The 'self_service' is the service principal that
+ * represents the same object (by its objectSid)
+ * as the client principal (typically our machine account).
+ * When trying to impersonate 'impersonate_principal' with
+ * S4U2Self.
+ */
+_PUBLIC_ const char *cli_credentials_get_self_service(struct cli_credentials *cred)
+{
+ return cred->self_service;
+}
+
+_PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials *cred,
+ const char *principal,
+ const char *self_service)
 {
  talloc_free(cred->impersonate_principal);
  cred->impersonate_principal = talloc_strdup(cred, principal);
+ talloc_free(cred->self_service);
+ cred->self_service = talloc_strdup(cred, self_service);
 }
 
-/* when impersonating for S4U2Self we need to set the target principal
- * to ourself, as otherwise we would need additional rights.
+/*
+ * when impersonating for S4U2proxy we need to set the target principal.
  * Similarly, we may only be authorized to do general impersonation to
  * some particular services.
  *
|
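Review bot: The new cli_credentials_set_impersonate_principal() stores both talloc_strdup() results unchecked, so the two fields can end up out of step. If the copy of `self_service` fails, or NULL is passed for it, `cred->impersonate_principal` stays set while `cred->self_service` is NULL, and the void setter cannot report that. How the S4U2Self code reacts to a NULL self service is not visible in this hunk. The contract should be written down next to the setter, for example `/* 'principal' and 'self_service' are set as a pair; either may be NULL afterwards (unset or out of memory), so callers must check both getters before impersonating */`. The comment on cli_credentials_get_self_service() also ends in a fragment ("When trying to impersonate ... with S4U2Self."), and the rewritten target-principal comment drops the earlier explanation that targeting ourself avoids needing additional rights, which is worth keeping for the S4U2Self case.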