summaryrefslogtreecommitdiff
path: root/source4/auth/kerberos/kerberos.c
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth/kerberos/kerberos.c')
-rw-r--r--source4/auth/kerberos/kerberos.c79
1 files changed, 66 insertions, 13 deletions
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index d4549ee88a..42757640f2 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -33,10 +33,15 @@
This version is built to use a keyblock, rather than needing the
original password.
+
+ The impersonate_principal is the principal if NULL, or the principal to impersonate
+
+ The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self)
*/
krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
- krb5_principal principal, krb5_keyblock *keyblock,
- time_t *expire_time, time_t *kdc_time)
+ krb5_principal principal, krb5_keyblock *keyblock,
+ const char *target_service,
+ time_t *expire_time, time_t *kdc_time)
{
krb5_error_code code = 0;
krb5_creds my_creds;
@@ -49,7 +54,7 @@
krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, options);
if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock,
- 0, NULL, options))) {
+ 0, target_service, options))) {
return code;
}
@@ -82,36 +87,49 @@
/*
simulate a kinit, putting the tgt in the given credentials cache.
Orignally by remus@snapserver.com
+
+ The impersonate_principal is the principal if NULL, or the principal to impersonate
+
+ The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self)
+
*/
krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
krb5_principal principal, const char *password,
+ krb5_principal impersonate_principal, const char *target_service,
time_t *expire_time, time_t *kdc_time)
{
krb5_error_code code = 0;
krb5_creds my_creds;
- krb5_get_init_creds_opt *options;
+ krb5_creds *impersonate_creds;
+ krb5_get_init_creds_opt *init_options;
+ krb5_get_creds_opt options;
- if ((code = krb5_get_init_creds_opt_alloc(ctx, &options))) {
+ if ((code = krb5_get_init_creds_opt_alloc(ctx, &init_options))) {
return code;
}
- krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, options);
+ krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, init_options);
+ /* If we are not impersonating, then get this ticket for the
+ * target service, otherwise a krbtgt, and get the next ticket
+ * for the target */
if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password,
- NULL,
- NULL, 0, NULL, options))) {
- krb5_get_init_creds_opt_free(ctx, options);
+ NULL, NULL,
+ 0,
+ impersonate_principal ? NULL : target_service,
+ init_options))) {
+ krb5_get_init_creds_opt_free(ctx, init_options);
return code;
}
-
+
if ((code = krb5_cc_initialize(ctx, cc, principal))) {
- krb5_get_init_creds_opt_free(ctx, options);
+ krb5_get_init_creds_opt_free(ctx, init_options);
krb5_free_cred_contents(ctx, &my_creds);
return code;
}
if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
- krb5_get_init_creds_opt_free(ctx, options);
+ krb5_get_init_creds_opt_free(ctx, init_options);
krb5_free_cred_contents(ctx, &my_creds);
return code;
}
@@ -124,9 +142,44 @@
*kdc_time = (time_t) my_creds.times.starttime;
}
- krb5_get_init_creds_opt_free(ctx, options);
+ krb5_get_init_creds_opt_free(ctx, init_options);
krb5_free_cred_contents(ctx, &my_creds);
+ if (code == 0 && impersonate_principal) {
+ krb5_principal target_princ;
+ if ((code = krb5_get_creds_opt_alloc(ctx, &options))) {
+ return code;
+ }
+
+ if ((code = krb5_get_creds_opt_set_impersonate(ctx, options, impersonate_principal))) {
+ krb5_get_creds_opt_free(ctx, options);
+ return code;
+ }
+
+ if ((code = krb5_parse_name(ctx, target_service, &target_princ))) {
+ krb5_get_creds_opt_free(ctx, options);
+ return code;
+ }
+
+ if ((code = krb5_principal_set_realm(ctx, target_princ, krb5_principal_get_realm(ctx, principal)))) {
+ krb5_get_creds_opt_free(ctx, options);
+ krb5_free_principal(ctx, target_princ);
+ return code;
+ }
+
+ if ((code = krb5_get_creds(ctx, options, cc, target_princ, &impersonate_creds))) {
+ krb5_free_principal(ctx, target_princ);
+ krb5_get_creds_opt_free(ctx, options);
+ return code;
+ }
+
+ krb5_free_principal(ctx, target_princ);
+
+ code = krb5_cc_store_cred(ctx, cc, impersonate_creds);
+ krb5_get_creds_opt_free(ctx, options);
+ krb5_free_creds(ctx, impersonate_creds);
+ }
+
return 0;
}