summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2010-09-16 14:12:37 +1000
committerAndrew Tridgell <tridge@samba.org>2010-09-16 16:08:46 +1000
commit6a82997285db9aff0085e6a54e58a34a97152ebb (patch)
tree6e1918772cd61b6b64e434ec020744dcf8e07348 /source4
parent377ffcb0292505bfcdc6fbcfdc379614364cc868 (diff)
downloadsamba-6a82997285db9aff0085e6a54e58a34a97152ebb.tar.gz
samba-6a82997285db9aff0085e6a54e58a34a97152ebb.tar.bz2
samba-6a82997285db9aff0085e6a54e58a34a97152ebb.zip
s4-credentials: added ability to control forwardable attribute on krb5 tickets
with the latest bind9 nsupdate, we need to be able to control if the ticket we use is forwardable Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/credentials/credentials.c12
-rw-r--r--source4/auth/credentials/credentials.h12
2 files changed, 24 insertions, 0 deletions
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c
index acdcfdee69..e1965b3f84 100644
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -109,6 +109,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS);
cli_credentials_set_gensec_features(cred, 0);
+ cli_credentials_set_krb_forwardable(cred, CRED_AUTO_KRB_FORWARDABLE);
return cred;
}
@@ -133,11 +134,22 @@ _PUBLIC_ void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
creds->use_kerberos = use_kerberos;
}
+_PUBLIC_ void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
+ enum credentials_krb_forwardable krb_forwardable)
+{
+ creds->krb_forwardable = krb_forwardable;
+}
+
_PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
{
return creds->use_kerberos;
}
+_PUBLIC_ enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds)
+{
+ return creds->krb_forwardable;
+}
+
_PUBLIC_ void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features)
{
creds->gensec_features = gensec_features;
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h
index c4c7d3f246..b7a9540d86 100644
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -44,6 +44,12 @@ enum credentials_use_kerberos {
CRED_MUST_USE_KERBEROS /* Sometimes administrators are parinoid, so always do kerberos */
};
+enum credentials_krb_forwardable {
+ CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */
+ CRED_NO_KRB_FORWARDABLE, /* not forwardable */
+ CRED_FORCE_KRB_FORWARDABLE /* forwardable */
+};
+
#define CLI_CRED_NTLM2 0x01
#define CLI_CRED_NTLMv2_AUTH 0x02
#define CLI_CRED_LANMAN_AUTH 0x04
@@ -122,6 +128,9 @@ struct cli_credentials {
/* Should we be trying to use kerberos? */
enum credentials_use_kerberos use_kerberos;
+ /* Should we get a forwardable ticket? */
+ enum credentials_krb_forwardable krb_forwardable;
+
/* gensec features which should be used for connections */
uint32_t gensec_features;
@@ -193,6 +202,8 @@ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
const char **error_string);
void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
enum credentials_use_kerberos use_kerberos);
+void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
+ enum credentials_krb_forwardable krb_forwardable);
bool cli_credentials_set_domain(struct cli_credentials *cred,
const char *val,
enum credentials_obtained obtained);
@@ -280,6 +291,7 @@ const char *cli_credentials_get_salt_principal(struct cli_credentials *cred);
const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
+enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,