s4:auth/credentials: pass 'self_service' to cli_credentials_set_impersonate_principal()

This also adds a cli_credentials_get_self_service() helper function.

In order to support S4U2Proxy we need to be able to set
the service principal for the S4U2Self step independent of the
target principal.

metze

1 files changed, 6 insertions, 2 deletions

diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 45b0b07e13..f05016b873 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -338,7 +338,9 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
 				 const char **error_string)
 {
 	krb5_error_code ret;
-	const char *password, *target_service;
+	const char *password;
+	const char *self_service;
+	const char *target_service;
 	time_t kdc_time = 0;
 	krb5_principal princ;
 	krb5_principal impersonate_principal;
@@ -363,6 +365,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
 		return ret;
 	}
 
+	self_service = cli_credentials_get_self_service(credentials);
 	target_service = cli_credentials_get_target_service(credentials);
 
 	password = cli_credentials_get_password(credentials);
@@ -403,7 +406,8 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
 		if (password) {
 			ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache, 
 							 princ, password,
-							 impersonate_principal, target_service,
+							 impersonate_principal,
+							 self_service,
 							 krb_options,
 							 NULL, &kdc_time);
 		} else if (impersonate_principal) {