-rw-r--r--source4/kdc/db-glue.c12
-rw-r--r--source4/kdc/db-glue.h8
-rw-r--r--source4/kdc/hdb-samba4.c11
-rw-r--r--source4/kdc/mit_samba.c8
4 files changed, 21 insertions, 18 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index a54f8f59cf..8871b0ebf8 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1403,15 +1403,17 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
return samba_kdc_seq(context, kdc_db_ctx, entry);
}
-/* Check if a given entry may delegate to this target principal
+/* Check if a given entry may delegate or do s4u2self to this target principal
*
* This is currently a very nasty hack - allowing only delegation to itself.
+ *
+ * This is shared between the constrained delegation and S4U2Self code.
*/
krb5_error_code
-samba_kdc_check_constrained_delegation(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
- hdb_entry_ex *entry,
- krb5_const_principal target_principal)
+samba_kdc_check_identical_client_and_server(krb5_context context,
+ struct samba_kdc_db_context *kdc_db_ctx,
+ hdb_entry_ex *entry,
+ krb5_const_principal target_principal)
{
krb5_error_code ret;
krb5_principal enterprise_prinicpal = NULL;
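Review bot: The updated header comment still states the policy only in delegation terms ("allowing only delegation to itself") and never says what the check means when it is reached from the S4U2Self path or what is returned on a mismatch. Since this function is now the authorization decision for both extensions, the comment should state the comparison explicitly, for example `* Succeeds only when target_principal resolves to the same account as entry; any other target is refused.`, with the wording adjusted to what the body actually compares. The function body continues outside the hunk, so the exact return codes are not visible here and should be filled in from the code.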
diff --git a/source4/kdc/db-glue.h b/source4/kdc/db-glue.h
index b2291f9eb2..33ba707822 100644
--- a/source4/kdc/db-glue.h
+++ b/source4/kdc/db-glue.h
@@ -36,10 +36,10 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
hdb_entry_ex *entry);
krb5_error_code
-samba_kdc_check_constrained_delegation(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
- hdb_entry_ex *entry,
- krb5_const_principal target_principal);
+samba_kdc_check_identical_client_and_server(krb5_context context,
+ struct samba_kdc_db_context *kdc_db_ctx,
+ hdb_entry_ex *entry,
+ krb5_const_principal target_principal);
krb5_error_code
samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index b1568ba0de..fc913292a0 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -134,7 +134,7 @@ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
}
static krb5_error_code
-hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
+hdb_samba4_check_identical_client_and_server(krb5_context context, HDB *db,
hdb_entry_ex *entry,
krb5_const_principal target_principal)
{
@@ -143,9 +143,9 @@ hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
struct samba_kdc_db_context);
- return samba_kdc_check_constrained_delegation(context, kdc_db_ctx,
- entry,
- target_principal);
+ return samba_kdc_check_identical_client_and_server(context, kdc_db_ctx,
+ entry,
+ target_principal);
}
static krb5_error_code
@@ -251,8 +251,9 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
(*db)->hdb_destroy = hdb_samba4_destroy;
(*db)->hdb_auth_status = NULL;
- (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
+ (*db)->hdb_check_constrained_delegation = hdb_samba4_check_identical_client_and_server;
(*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
+ (*db)->hdb_check_s4u2self = hdb_samba4_check_identical_client_and_server;
return NT_STATUS_OK;
}
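Review bot: The hooks `hdb_check_constrained_delegation` and `hdb_check_s4u2self` now point at the same callback, so any later loosening of the delegation policy would loosen the S4U2Self check as well, with no visible change at these assignments. The shared helper's own comment in db-glue.c calls the self-only rule a hack, which makes such a change likely. A comment above the two assignments would make the coupling explicit, for example `/* Both hooks deliberately share the identical-principal check; split them before relaxing either policy. */`. Whether the KDC passes the same (client entry, server principal) meaning to both hooks is not visible in this hunk and is worth confirming against the HDB interface. hdb_samba4_create_kdc starts outside the hunk.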
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 3faa20938f..328124c409 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -351,10 +351,10 @@ static int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
return ret;
}
- ret = samba_kdc_check_constrained_delegation(ctx->context,
- ctx->db_ctx,
- entry,
- target_principal);
+ ret = samba_kdc_check_identical_client_and_server(ctx->context,
+ ctx->db_ctx,
+ entry,
+ target_principal);
krb5_free_principal(ctx->context, target_principal);