diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-03-27 23:09:31 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-04-10 21:40:58 +1000 |
commit | 1d59abc724a9ad01fdc61f3e6cfdf41c9f4cb910 (patch) | |
tree | e62ae543354023b376e7e8ba135d1583f105ecaa /source4 | |
parent | aecaddfa1b2a55c9cc91c3644947c3686714ceb5 (diff) | |
download | samba-1d59abc724a9ad01fdc61f3e6cfdf41c9f4cb910.tar.gz samba-1d59abc724a9ad01fdc61f3e6cfdf41c9f4cb910.tar.bz2 samba-1d59abc724a9ad01fdc61f3e6cfdf41c9f4cb910.zip |
s4:heimdal Add hooks to check with the DB before we allow s4u2self
This allows us to resolve multiple forms of a name, allowing for
example machine$@REALM to get an S4U2Self ticket for
host/machine@REALM.
Andrew Bartlett
Diffstat (limited to 'source4')
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 40 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb.h | 7 |
2 files changed, 42 insertions, 5 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 53c0a589ba..ca650645de 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -486,7 +486,7 @@ check_tgs_flags(krb5_context context, } /* - * + * Determine if constrained delegation is allowed from this client to this server */ static krb5_error_code @@ -529,6 +529,38 @@ check_constrained_delegation(krb5_context context, } /* + * Determine if s4u2self is allowed from this client to this server + * + * For example, regardless of the principal being impersonated, if the + * 'client' and 'server' are the same, then it's safe. + */ + +static krb5_error_code +check_s4u2self(krb5_context context, + krb5_kdc_configuration *config, + HDB *clientdb, + hdb_entry_ex *client, + krb5_const_principal server) +{ + const HDB_Ext_Constrained_delegation_acl *acl; + krb5_error_code ret; + int i; + + /* if client does a s4u2self to itself, that ok */ + if (krb5_principal_compare(context, client->entry.principal, server) == TRUE) + return 0; + + if (clientdb->hdb_check_s4u2self) { + ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server); + if (ret == 0) + return 0; + } else { + ret = KRB5KDC_ERR_BADOPTION; + } + return ret; +} + +/* * */ @@ -1783,13 +1815,13 @@ server_lookup: * Check that service doing the impersonating is * requesting a ticket to it-self. */ - if (krb5_principal_compare(context, cp, sp) != TRUE) { + ret = check_s4u2self(context, config, clientdb, client, sp); + if (ret) { kdc_log(context, config, 0, "S4U2Self: %s is not allowed " - "to impersonate some other user " + "to impersonate to service " "(tried for user %s to service %s)", cpn, selfcpn, spn); free(selfcpn); - ret = KRB5KDC_ERR_BADOPTION; /* ? */ goto out; } diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h index d118555121..ad32a145c0 100644 --- a/source4/heimdal/lib/hdb/hdb.h +++ b/source4/heimdal/lib/hdb/hdb.h @@ -235,9 +235,14 @@ typedef struct HDB{ * Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins */ krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); + + /** + * Check if s4u2self is allowed from this client to this server + */ + krb5_error_code (*hdb_check_s4u2self)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); }HDB; -#define HDB_INTERFACE_VERSION 6 +#define HDB_INTERFACE_VERSION 7 struct hdb_so_method { int version; |