diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2010-03-03 13:24:52 +1100 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2010-04-10 21:40:58 +1000 |
| commit | aecaddfa1b2a55c9cc91c3644947c3686714ceb5 (patch) | |
| tree | 17f1d17c318c284d5f68af80ea3bc7fd6a3bafee /source4/auth/kerberos/kerberos.c | |
| parent | 18f0e24f5573611c983d2d5d37409fa77b199dd5 (diff) | |
| download | samba-aecaddfa1b2a55c9cc91c3644947c3686714ceb5.tar.gz samba-aecaddfa1b2a55c9cc91c3644947c3686714ceb5.tar.bz2 samba-aecaddfa1b2a55c9cc91c3644947c3686714ceb5.zip | |
s4:credentials Add the functions needed to do S4U2Self with cli_credentials
A torture test to demonstrate will be added soon.
Andrew Bartlett
Diffstat (limited to 'source4/auth/kerberos/kerberos.c')
| -rw-r--r-- | source4/auth/kerberos/kerberos.c | 79 |
1 files changed, 66 insertions, 13 deletions
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c index d4549ee88a..42757640f2 100644 --- a/source4/auth/kerberos/kerberos.c +++ b/source4/auth/kerberos/kerberos.c @@ -33,10 +33,15 @@ This version is built to use a keyblock, rather than needing the original password. + + The impersonate_principal is the principal if NULL, or the principal to impersonate + + The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self) */ krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, - krb5_principal principal, krb5_keyblock *keyblock, - time_t *expire_time, time_t *kdc_time) + krb5_principal principal, krb5_keyblock *keyblock, + const char *target_service, + time_t *expire_time, time_t *kdc_time) { krb5_error_code code = 0; krb5_creds my_creds; @@ -49,7 +54,7 @@ krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, options); if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock, - 0, NULL, options))) { + 0, target_service, options))) { return code; } @@ -82,36 +87,49 @@ /* simulate a kinit, putting the tgt in the given credentials cache. Orignally by remus@snapserver.com + + The impersonate_principal is the principal if NULL, or the principal to impersonate + + The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self) + */ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, krb5_principal principal, const char *password, + krb5_principal impersonate_principal, const char *target_service, time_t *expire_time, time_t *kdc_time) { krb5_error_code code = 0; krb5_creds my_creds; - krb5_get_init_creds_opt *options; + krb5_creds *impersonate_creds; + krb5_get_init_creds_opt *init_options; + krb5_get_creds_opt options; - if ((code = krb5_get_init_creds_opt_alloc(ctx, &options))) { + if ((code = krb5_get_init_creds_opt_alloc(ctx, &init_options))) { return code; } - krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, options); + krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, init_options); + /* If we are not impersonating, then get this ticket for the + * target service, otherwise a krbtgt, and get the next ticket + * for the target */ if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password, - NULL, - NULL, 0, NULL, options))) { - krb5_get_init_creds_opt_free(ctx, options); + NULL, NULL, + 0, + impersonate_principal ? NULL : target_service, + init_options))) { + krb5_get_init_creds_opt_free(ctx, init_options); return code; } - + if ((code = krb5_cc_initialize(ctx, cc, principal))) { - krb5_get_init_creds_opt_free(ctx, options); + krb5_get_init_creds_opt_free(ctx, init_options); krb5_free_cred_contents(ctx, &my_creds); return code; } if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { - krb5_get_init_creds_opt_free(ctx, options); + krb5_get_init_creds_opt_free(ctx, init_options); krb5_free_cred_contents(ctx, &my_creds); return code; } @@ -124,9 +142,44 @@ *kdc_time = (time_t) my_creds.times.starttime; } - krb5_get_init_creds_opt_free(ctx, options); + krb5_get_init_creds_opt_free(ctx, init_options); krb5_free_cred_contents(ctx, &my_creds); + if (code == 0 && impersonate_principal) { + krb5_principal target_princ; + if ((code = krb5_get_creds_opt_alloc(ctx, &options))) { + return code; + } + + if ((code = krb5_get_creds_opt_set_impersonate(ctx, options, impersonate_principal))) { + krb5_get_creds_opt_free(ctx, options); + return code; + } + + if ((code = krb5_parse_name(ctx, target_service, &target_princ))) { + krb5_get_creds_opt_free(ctx, options); + return code; + } + + if ((code = krb5_principal_set_realm(ctx, target_princ, krb5_principal_get_realm(ctx, principal)))) { + krb5_get_creds_opt_free(ctx, options); + krb5_free_principal(ctx, target_princ); + return code; + } + + if ((code = krb5_get_creds(ctx, options, cc, target_princ, &impersonate_creds))) { + krb5_free_principal(ctx, target_princ); + krb5_get_creds_opt_free(ctx, options); + return code; + } + + krb5_free_principal(ctx, target_princ); + + code = krb5_cc_store_cred(ctx, cc, impersonate_creds); + krb5_get_creds_opt_free(ctx, options); + krb5_free_creds(ctx, impersonate_creds); + } + return 0; } |