authorAndrew Bartlett <abartlet@samba.org>2010-11-11 11:27:33 +1100
committerAndrew Bartlett <abartlet@samba.org>2010-11-15 01:25:06 +0000
commit1342185e333cb8139b7a70b7fe43571bcc2716a7 (patch)
tree0e1cb8d3cfc437bd7cc3a97f2bdc472f54d95dbd /source4/heimdal/lib/krb5/get_cred.c
parent13fd22f61017124d2d4964db3e32c667d119b56c (diff)
s4:heimdal: import lorikeet-heimdal-201011102149 (commit 5734d03c20e104c8f45533d07f2a2cbbd3224f29)
Diffstat (limited to 'source4/heimdal/lib/krb5/get_cred.c')
-rw-r--r--source4/heimdal/lib/krb5/get_cred.c96
1 files changed, 66 insertions, 30 deletions
diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c
index 8f9d462190..9e06770e64 100644
--- a/source4/heimdal/lib/krb5/get_cred.c
+++ b/source4/heimdal/lib/krb5/get_cred.c
@@ -36,6 +36,11 @@
#include "krb5_locl.h"
#include <assert.h>
+static krb5_error_code
+get_cred_kdc_capath(krb5_context, krb5_kdc_flags,
+ krb5_ccache, krb5_creds *, krb5_principal,
+ Ticket *, krb5_creds **, krb5_creds ***);
+
/*
* Take the `body' and encode it into `padata' using the credentials
* in `creds'.
@@ -710,34 +715,20 @@ add_cred(krb5_context context, krb5_creds const *tkt, krb5_creds ***tgts)
return ret;
}
-/*
-get_cred(server)
- creds = cc_get_cred(server)
- if(creds) return creds
- tgt = cc_get_cred(krbtgt/server_realm@any_realm)
- if(tgt)
- return get_cred_tgt(server, tgt)
- if(client_realm == server_realm)
- return NULL
- tgt = get_cred(krbtgt/server_realm@client_realm)
- while(tgt_inst != server_realm)
- tgt = get_cred(krbtgt/server_realm@tgt_inst)
- return get_cred_tgt(server, tgt)
- */
-
static krb5_error_code
-get_cred_kdc_capath(krb5_context context,
- krb5_kdc_flags flags,
- krb5_ccache ccache,
- krb5_creds *in_creds,
- krb5_principal impersonate_principal,
- Ticket *second_ticket,
- krb5_creds **out_creds,
- krb5_creds ***ret_tgts)
+get_cred_kdc_capath_worker(krb5_context context,
+ krb5_kdc_flags flags,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_const_realm try_realm,
+ krb5_principal impersonate_principal,
+ Ticket *second_ticket,
+ krb5_creds **out_creds,
+ krb5_creds ***ret_tgts)
{
krb5_error_code ret;
krb5_creds *tgt, tmp_creds;
- krb5_const_realm client_realm, server_realm, try_realm;
+ krb5_const_realm client_realm, server_realm;
int ok_as_delegate = 1;
*out_creds = NULL;
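Review bot: `get_cred_kdc_capath_worker` takes the new `try_realm` parameter without any statement of its contract, and the pseudo-code comment that used to sit above this function has been moved away to the wrapper. Later hunks pass `try_realm` to `krb5_make_principal` and to `strcmp(try_realm, client_realm)` with no NULL check visible, so the worker appears to rely on every caller supplying a non-NULL realm. I would add a header comment such as `/* try_realm: realm of the first TGT to look for; must be non-NULL. The caller chooses it (client realm or a [capaths] entry). */`. The function body continues outside this hunk, so a guard may exist further down that is not visible here.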
@@ -749,11 +740,6 @@ get_cred_kdc_capath(krb5_context context,
if(ret)
return ret;
- try_realm = krb5_config_get_string(context, NULL, "capaths",
- client_realm, server_realm, NULL);
- if (try_realm == NULL)
- try_realm = client_realm;
-
ret = krb5_make_principal(context,
&tmp_creds.server,
try_realm,
@@ -770,7 +756,7 @@ get_cred_kdc_capath(krb5_context context,
ret = find_cred(context, ccache, tmp_creds.server,
*ret_tgts, &tgts);
if(ret == 0){
- if (try_realm != client_realm)
+ if (strcmp(try_realm, client_realm) != 0)
ok_as_delegate = tgts.flags.b.ok_as_delegate;
*out_creds = calloc(1, sizeof(**out_creds));
@@ -863,6 +849,56 @@ get_cred_kdc_capath(krb5_context context,
return ret;
}
+/*
+get_cred(server)
+ creds = cc_get_cred(server)
+ if(creds) return creds
+ tgt = cc_get_cred(krbtgt/server_realm@any_realm)
+ if(tgt)
+ return get_cred_tgt(server, tgt)
+ if(client_realm == server_realm)
+ return NULL
+ tgt = get_cred(krbtgt/server_realm@client_realm)
+ while(tgt_inst != server_realm)
+ tgt = get_cred(krbtgt/server_realm@tgt_inst)
+ return get_cred_tgt(server, tgt)
+ */
+
+static krb5_error_code
+get_cred_kdc_capath(krb5_context context,
+ krb5_kdc_flags flags,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_principal impersonate_principal,
+ Ticket *second_ticket,
+ krb5_creds **out_creds,
+ krb5_creds ***ret_tgts)
+{
+ krb5_error_code ret;
+ krb5_const_realm client_realm, server_realm, try_realm;
+
+ client_realm = krb5_principal_get_realm(context, in_creds->client);
+ server_realm = krb5_principal_get_realm(context, in_creds->server);
+
+ try_realm = client_realm;
+ ret = get_cred_kdc_capath_worker(context, flags, ccache, in_creds, try_realm,
+ impersonate_principal, second_ticket, out_creds,
+ ret_tgts);
+
+ if (ret == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
+ try_realm = krb5_config_get_string(context, NULL, "capaths",
+ client_realm, server_realm, NULL);
+
+ if (try_realm != NULL && strcmp(try_realm, client_realm)) {
+ ret = get_cred_kdc_capath_worker(context, flags, ccache, in_creds,
+ try_realm, impersonate_principal,
+ second_ticket, out_creds, ret_tgts);
+ }
+ }
+
+ return ret;
+}
+
static krb5_error_code
get_cred_kdc_referral(krb5_context context,
krb5_kdc_flags flags,
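Review bot: The new `get_cred_kdc_capath` consults `[capaths]` only after the attempt through the client realm returns `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN`, whereas the removed code used a configured capath in preference to the client realm, and the moved pseudo-code comment does not mention the change. For a site that uses `[capaths]` to pin which realms a cross-realm request transits, the direct path now wins whenever the client-realm KDC answers, and any other failure of the first attempt never reaches the configured path. This looks intentional but should be stated where the policy is decided, e.g. `/* Try the client realm first; fall back to the [capaths] entry only on KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. */` above the function. As a style point, the fallback test writes `strcmp(try_realm, client_realm)` without `!= 0`, unlike the comparison added in the worker.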