diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-03-03 13:24:52 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-04-10 21:40:58 +1000 |
commit | aecaddfa1b2a55c9cc91c3644947c3686714ceb5 (patch) | |
tree | 17f1d17c318c284d5f68af80ea3bc7fd6a3bafee /source4/auth/credentials/credentials_krb5.c | |
parent | 18f0e24f5573611c983d2d5d37409fa77b199dd5 (diff) | |
download | samba-aecaddfa1b2a55c9cc91c3644947c3686714ceb5.tar.gz samba-aecaddfa1b2a55c9cc91c3644947c3686714ceb5.tar.bz2 samba-aecaddfa1b2a55c9cc91c3644947c3686714ceb5.zip |
s4:credentials Add the functions needed to do S4U2Self with cli_credentials
A torture test to demonstrate will be added soon.
Andrew Bartlett
Diffstat (limited to 'source4/auth/credentials/credentials_krb5.c')
-rw-r--r-- | source4/auth/credentials/credentials_krb5.c | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c index d8ce0e58e2..1e0db3cb36 100644 --- a/source4/auth/credentials/credentials_krb5.c +++ b/source4/auth/credentials/credentials_krb5.c @@ -802,4 +802,42 @@ _PUBLIC_ void cli_credentials_set_salt_principal(struct cli_credentials *cred, c cred->salt_principal = talloc_strdup(cred, principal); } +/* The 'impersonate_principal' is used to allow on Kerberos principal + * (and it's associated keytab etc) to impersonate another. The + * ability to do this is controlled by the KDC, but it is generally + * permitted to impersonate anyone to yourself. This allows any + * member of the domain to get the groups of a user. This is also + * known as S4U2Self */ + +const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred) +{ + return cred->impersonate_principal; +} + +_PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials *cred, const char *principal) +{ + talloc_free(cred->impersonate_principal); + cred->impersonate_principal = talloc_strdup(cred, principal); +} + +/* when impersonating for S4U2Self we need to set the target principal + * to ourself, as otherwise we would need additional rights. + * Similarly, we may only be authorized to do general impersonation to + * some particular services. + * + * Likewise, password changes typically require a ticket to kpasswd/realm directly, not via a TGT + * + * NULL means that tickets will be obtained for the krbtgt service. +*/ + +const char *cli_credentials_get_target_service(struct cli_credentials *cred) +{ + return cred->target_service; +} + +_PUBLIC_ void cli_credentials_set_target_service(struct cli_credentials *cred, const char *target_service) +{ + talloc_free(cred->target_service); + cred->target_service = talloc_strdup(cred, target_service); +} |