diff options
author | Stefan Metzmacher <metze@samba.org> | 2011-06-20 21:23:45 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2011-06-22 08:00:24 +0200 |
commit | e5378e600e507241dd64c1ea7345676076dc8755 (patch) | |
tree | c9c2a32086b7abbc744446f35a8918d11762471f /source4/auth | |
parent | b98428e630cc5a1bbc18bf4260030a24322fdf9e (diff) | |
download | samba-e5378e600e507241dd64c1ea7345676076dc8755.tar.gz samba-e5378e600e507241dd64c1ea7345676076dc8755.tar.bz2 samba-e5378e600e507241dd64c1ea7345676076dc8755.zip |
s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc()
This will make the following changes easier to review.
metze
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/kerberos/kerberos.c | 193 |
1 files changed, 99 insertions, 94 deletions
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c index 1ba6952e2b..4acb54fb33 100644 --- a/source4/auth/kerberos/kerberos.c +++ b/source4/auth/kerberos/kerberos.c @@ -97,6 +97,10 @@ krb5_principal store_principal; krb5_creds store_creds; const char *self_service = target_service; + krb5_creds *s4u2self_creds; + krb5_principal self_princ; + krb5_ccache tmp_cc; + const char *self_realm; /* * If we are not impersonating, then get this ticket for the @@ -116,106 +120,107 @@ store_principal = init_principal; - if (impersonate_principal) { - krb5_ccache tmp_cc; - krb5_creds *s4u2self_creds; - krb5_principal self_princ; - const char *self_realm; - - /* - * As we do not want to expose our TGT in the - * krb5_ccache, which is also holds the impersonated creds. - * - * Some low level krb5/gssapi function might use the TGT - * identity and let the client act as our machine account. - * - * We need to avoid that and use a temporary krb5_ccache - * in order to pass our TGT to the krb5_get_creds() function. - */ - code = krb5_cc_new_unique(ctx, NULL, NULL, &tmp_cc); - if (code != 0) { - krb5_free_cred_contents(ctx, &store_creds); - return code; - } - - code = krb5_cc_initialize(ctx, tmp_cc, store_creds.client); - if (code != 0) { - krb5_cc_destroy(ctx, tmp_cc); - krb5_free_cred_contents(ctx, &store_creds); - return code; - } - - code = krb5_cc_store_cred(ctx, tmp_cc, &store_creds); + if (impersonate_principal == NULL) { + goto store; + } + + /* + * We are trying S4U2Self now: + * + * As we do not want to expose our TGT in the + * krb5_ccache, which is also holds the impersonated creds. + * + * Some low level krb5/gssapi function might use the TGT + * identity and let the client act as our machine account. + * + * We need to avoid that and use a temporary krb5_ccache + * in order to pass our TGT to the krb5_get_creds() function. + */ + code = krb5_cc_new_unique(ctx, NULL, NULL, &tmp_cc); + if (code != 0) { + krb5_free_cred_contents(ctx, &store_creds); + return code; + } + + code = krb5_cc_initialize(ctx, tmp_cc, store_creds.client); + if (code != 0) { + krb5_cc_destroy(ctx, tmp_cc); krb5_free_cred_contents(ctx, &store_creds); - if (code != 0) { - krb5_cc_destroy(ctx, tmp_cc); - return code; - } - - /* - * For S4U2Self we need our own service principal, - * which belongs to our own realm (available on - * our client principal. - */ - self_realm = krb5_principal_get_realm(ctx, init_principal); - - code = krb5_parse_name(ctx, self_service, &self_princ); - if (code != 0) { - krb5_cc_destroy(ctx, tmp_cc); - return code; - } - - code = krb5_principal_set_realm(ctx, self_princ, self_realm); - if (code != 0) { - krb5_free_principal(ctx, self_princ); - krb5_cc_destroy(ctx, tmp_cc); - return code; - } - - code = krb5_get_creds_opt_alloc(ctx, &options); - if (code != 0) { - krb5_free_principal(ctx, self_princ); - krb5_cc_destroy(ctx, tmp_cc); - return code; - } - - code = krb5_get_creds_opt_set_impersonate(ctx, options, - impersonate_principal); - if (code != 0) { - krb5_get_creds_opt_free(ctx, options); - krb5_free_principal(ctx, self_princ); - krb5_cc_destroy(ctx, tmp_cc); - return code; - } - - code = krb5_get_creds(ctx, options, tmp_cc, - self_princ, &s4u2self_creds); + return code; + } + + code = krb5_cc_store_cred(ctx, tmp_cc, &store_creds); + krb5_free_cred_contents(ctx, &store_creds); + if (code != 0) { + krb5_cc_destroy(ctx, tmp_cc); + return code; + } + + /* + * For S4U2Self we need our own service principal, + * which belongs to our own realm (available on + * our client principal). + */ + self_realm = krb5_principal_get_realm(ctx, init_principal); + + code = krb5_parse_name(ctx, self_service, &self_princ); + if (code != 0) { + krb5_cc_destroy(ctx, tmp_cc); + return code; + } + + code = krb5_principal_set_realm(ctx, self_princ, self_realm); + if (code != 0) { + krb5_free_principal(ctx, self_princ); + krb5_cc_destroy(ctx, tmp_cc); + return code; + } + + code = krb5_get_creds_opt_alloc(ctx, &options); + if (code != 0) { + krb5_free_principal(ctx, self_princ); + krb5_cc_destroy(ctx, tmp_cc); + return code; + } + + code = krb5_get_creds_opt_set_impersonate(ctx, options, + impersonate_principal); + if (code != 0) { krb5_get_creds_opt_free(ctx, options); krb5_free_principal(ctx, self_princ); krb5_cc_destroy(ctx, tmp_cc); - if (code != 0) { - return code; - } - - /* - * Now make sure we store the impersonated principal - * and creds instead of the TGT related stuff - * in the krb5_ccache of the caller. - */ - code = krb5_copy_creds_contents(ctx, s4u2self_creds, &store_creds); - krb5_free_creds(ctx, s4u2self_creds); - if (code != 0) { - return code; - } - - /* - * It's important to store the principal the KDC - * returned, as otherwise the caller would not find - * the S4U2Self ticket in the krb5_ccache lookup. - */ - store_principal = store_creds.client; + return code; } + code = krb5_get_creds(ctx, options, tmp_cc, + self_princ, &s4u2self_creds); + krb5_get_creds_opt_free(ctx, options); + krb5_free_principal(ctx, self_princ); + krb5_cc_destroy(ctx, tmp_cc); + if (code != 0) { + return code; + } + + /* + * Now make sure we store the impersonated principal + * and creds instead of the TGT related stuff + * in the krb5_ccache of the caller. + */ + code = krb5_copy_creds_contents(ctx, s4u2self_creds, + &store_creds); + krb5_free_creds(ctx, s4u2self_creds); + if (code != 0) { + return code; + } + + /* + * It's important to store the principal the KDC + * returned, as otherwise the caller would not find + * the S4U2Self ticket in the krb5_ccache lookup. + */ + store_principal = store_creds.client; + + store: code = krb5_cc_initialize(ctx, store_cc, store_principal); if (code != 0) { krb5_free_cred_contents(ctx, &store_creds); |