diff options
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/kerberos/kerberos.c | 193 |
1 files changed, 99 insertions, 94 deletions
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c index 1ba6952e2b..4acb54fb33 100644 --- a/source4/auth/kerberos/kerberos.c +++ b/source4/auth/kerberos/kerberos.c @@ -97,6 +97,10 @@ krb5_principal store_principal; krb5_creds store_creds; const char *self_service = target_service; + krb5_creds *s4u2self_creds; + krb5_principal self_princ; + krb5_ccache tmp_cc; + const char *self_realm; /* * If we are not impersonating, then get this ticket for the @@ -116,106 +120,107 @@ store_principal = init_principal; - if (impersonate_principal) { - krb5_ccache tmp_cc; - krb5_creds *s4u2self_creds; - krb5_principal self_princ; - const char *self_realm; - - /* - * As we do not want to expose our TGT in the - * krb5_ccache, which is also holds the impersonated creds. - * - * Some low level krb5/gssapi function might use the TGT - * identity and let the client act as our machine account. - * - * We need to avoid that and use a temporary krb5_ccache - * in order to pass our TGT to the krb5_get_creds() function. - */ - code = krb5_cc_new_unique(ctx, NULL, NULL, &tmp_cc); - if (code != 0) { - krb5_free_cred_contents(ctx, &store_creds); - return code; - } - - code = krb5_cc_initialize(ctx, tmp_cc, store_creds.client); - if (code != 0) { - krb5_cc_destroy(ctx, tmp_cc); - krb5_free_cred_contents(ctx, &store_creds); - return code; - } - - code = krb5_cc_store_cred(ctx, tmp_cc, &store_creds); + if (impersonate_principal == NULL) { + goto store; + } + + /* + * We are trying S4U2Self now: + * + * As we do not want to expose our TGT in the + * krb5_ccache, which is also holds the impersonated creds. + * + * Some low level krb5/gssapi function might use the TGT + * identity and let the client act as our machine account. + * + * We need to avoid that and use a temporary krb5_ccache + * in order to pass our TGT to the krb5_get_creds() function. + */ + code = krb5_cc_new_unique(ctx, NULL, NULL, &tmp_cc); + if (code != 0) { + krb5_free_cred_contents(ctx, &store_creds); + return code; + } + + code = krb5_cc_initialize(ctx, tmp_cc, store_creds.client); + if (code != 0) { + krb5_cc_destroy(ctx, tmp_cc); krb5_free_cred_contents(ctx, &store_creds); - if (code != 0) { - krb5_cc_destroy(ctx, tmp_cc); - return code; - } - - /* - * For S4U2Self we need our own service principal, - * which belongs to our own realm (available on - * our client principal. - */ - self_realm = krb5_principal_get_realm(ctx, init_principal); - - code = krb5_parse_name(ctx, self_service, &self_princ); - if (code != 0) { - krb5_cc_destroy(ctx, tmp_cc); - return code; - } - - code = krb5_principal_set_realm(ctx, self_princ, self_realm); - if (code != 0) { - krb5_free_principal(ctx, self_princ); - krb5_cc_destroy(ctx, tmp_cc); - return code; - } - - code = krb5_get_creds_opt_alloc(ctx, &options); - if (code != 0) { - krb5_free_principal(ctx, self_princ); - krb5_cc_destroy(ctx, tmp_cc); - return code; - } - - code = krb5_get_creds_opt_set_impersonate(ctx, options, - impersonate_principal); - if (code != 0) { - krb5_get_creds_opt_free(ctx, options); - krb5_free_principal(ctx, self_princ); - krb5_cc_destroy(ctx, tmp_cc); - return code; - } - - code = krb5_get_creds(ctx, options, tmp_cc, - self_princ, &s4u2self_creds); + return code; + } + + code = krb5_cc_store_cred(ctx, tmp_cc, &store_creds); + krb5_free_cred_contents(ctx, &store_creds); + if (code != 0) { + krb5_cc_destroy(ctx, tmp_cc); + return code; + } + + /* + * For S4U2Self we need our own service principal, + * which belongs to our own realm (available on + * our client principal). + */ + self_realm = krb5_principal_get_realm(ctx, init_principal); + + code = krb5_parse_name(ctx, self_service, &self_princ); + if (code != 0) { + krb5_cc_destroy(ctx, tmp_cc); + return code; + } + + code = krb5_principal_set_realm(ctx, self_princ, self_realm); + if (code != 0) { + krb5_free_principal(ctx, self_princ); + krb5_cc_destroy(ctx, tmp_cc); + return code; + } + + code = krb5_get_creds_opt_alloc(ctx, &options); + if (code != 0) { + krb5_free_principal(ctx, self_princ); + krb5_cc_destroy(ctx, tmp_cc); + return code; + } + + code = krb5_get_creds_opt_set_impersonate(ctx, options, + impersonate_principal); + if (code != 0) { krb5_get_creds_opt_free(ctx, options); krb5_free_principal(ctx, self_princ); krb5_cc_destroy(ctx, tmp_cc); - if (code != 0) { - return code; - } - - /* - * Now make sure we store the impersonated principal - * and creds instead of the TGT related stuff - * in the krb5_ccache of the caller. - */ - code = krb5_copy_creds_contents(ctx, s4u2self_creds, &store_creds); - krb5_free_creds(ctx, s4u2self_creds); - if (code != 0) { - return code; - } - - /* - * It's important to store the principal the KDC - * returned, as otherwise the caller would not find - * the S4U2Self ticket in the krb5_ccache lookup. - */ - store_principal = store_creds.client; + return code; } + code = krb5_get_creds(ctx, options, tmp_cc, + self_princ, &s4u2self_creds); + krb5_get_creds_opt_free(ctx, options); + krb5_free_principal(ctx, self_princ); + krb5_cc_destroy(ctx, tmp_cc); + if (code != 0) { + return code; + } + + /* + * Now make sure we store the impersonated principal + * and creds instead of the TGT related stuff + * in the krb5_ccache of the caller. + */ + code = krb5_copy_creds_contents(ctx, s4u2self_creds, + &store_creds); + krb5_free_creds(ctx, s4u2self_creds); + if (code != 0) { + return code; + } + + /* + * It's important to store the principal the KDC + * returned, as otherwise the caller would not find + * the S4U2Self ticket in the krb5_ccache lookup. + */ + store_principal = store_creds.client; + + store: code = krb5_cc_initialize(ctx, store_cc, store_principal); if (code != 0) { krb5_free_cred_contents(ctx, &store_creds); |