summaryrefslogtreecommitdiff
path: root/source4/auth
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/kerberos/kerberos.c193
1 files changed, 99 insertions, 94 deletions
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index 1ba6952e2b..4acb54fb33 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -97,6 +97,10 @@
krb5_principal store_principal;
krb5_creds store_creds;
const char *self_service = target_service;
+ krb5_creds *s4u2self_creds;
+ krb5_principal self_princ;
+ krb5_ccache tmp_cc;
+ const char *self_realm;
/*
* If we are not impersonating, then get this ticket for the
@@ -116,106 +120,107 @@
store_principal = init_principal;
- if (impersonate_principal) {
- krb5_ccache tmp_cc;
- krb5_creds *s4u2self_creds;
- krb5_principal self_princ;
- const char *self_realm;
-
- /*
- * As we do not want to expose our TGT in the
- * krb5_ccache, which is also holds the impersonated creds.
- *
- * Some low level krb5/gssapi function might use the TGT
- * identity and let the client act as our machine account.
- *
- * We need to avoid that and use a temporary krb5_ccache
- * in order to pass our TGT to the krb5_get_creds() function.
- */
- code = krb5_cc_new_unique(ctx, NULL, NULL, &tmp_cc);
- if (code != 0) {
- krb5_free_cred_contents(ctx, &store_creds);
- return code;
- }
-
- code = krb5_cc_initialize(ctx, tmp_cc, store_creds.client);
- if (code != 0) {
- krb5_cc_destroy(ctx, tmp_cc);
- krb5_free_cred_contents(ctx, &store_creds);
- return code;
- }
-
- code = krb5_cc_store_cred(ctx, tmp_cc, &store_creds);
+ if (impersonate_principal == NULL) {
+ goto store;
+ }
+
+ /*
+ * We are trying S4U2Self now:
+ *
+ * As we do not want to expose our TGT in the
+ * krb5_ccache, which is also holds the impersonated creds.
+ *
+ * Some low level krb5/gssapi function might use the TGT
+ * identity and let the client act as our machine account.
+ *
+ * We need to avoid that and use a temporary krb5_ccache
+ * in order to pass our TGT to the krb5_get_creds() function.
+ */
+ code = krb5_cc_new_unique(ctx, NULL, NULL, &tmp_cc);
+ if (code != 0) {
+ krb5_free_cred_contents(ctx, &store_creds);
+ return code;
+ }
+
+ code = krb5_cc_initialize(ctx, tmp_cc, store_creds.client);
+ if (code != 0) {
+ krb5_cc_destroy(ctx, tmp_cc);
krb5_free_cred_contents(ctx, &store_creds);
- if (code != 0) {
- krb5_cc_destroy(ctx, tmp_cc);
- return code;
- }
-
- /*
- * For S4U2Self we need our own service principal,
- * which belongs to our own realm (available on
- * our client principal.
- */
- self_realm = krb5_principal_get_realm(ctx, init_principal);
-
- code = krb5_parse_name(ctx, self_service, &self_princ);
- if (code != 0) {
- krb5_cc_destroy(ctx, tmp_cc);
- return code;
- }
-
- code = krb5_principal_set_realm(ctx, self_princ, self_realm);
- if (code != 0) {
- krb5_free_principal(ctx, self_princ);
- krb5_cc_destroy(ctx, tmp_cc);
- return code;
- }
-
- code = krb5_get_creds_opt_alloc(ctx, &options);
- if (code != 0) {
- krb5_free_principal(ctx, self_princ);
- krb5_cc_destroy(ctx, tmp_cc);
- return code;
- }
-
- code = krb5_get_creds_opt_set_impersonate(ctx, options,
- impersonate_principal);
- if (code != 0) {
- krb5_get_creds_opt_free(ctx, options);
- krb5_free_principal(ctx, self_princ);
- krb5_cc_destroy(ctx, tmp_cc);
- return code;
- }
-
- code = krb5_get_creds(ctx, options, tmp_cc,
- self_princ, &s4u2self_creds);
+ return code;
+ }
+
+ code = krb5_cc_store_cred(ctx, tmp_cc, &store_creds);
+ krb5_free_cred_contents(ctx, &store_creds);
+ if (code != 0) {
+ krb5_cc_destroy(ctx, tmp_cc);
+ return code;
+ }
+
+ /*
+ * For S4U2Self we need our own service principal,
+ * which belongs to our own realm (available on
+ * our client principal).
+ */
+ self_realm = krb5_principal_get_realm(ctx, init_principal);
+
+ code = krb5_parse_name(ctx, self_service, &self_princ);
+ if (code != 0) {
+ krb5_cc_destroy(ctx, tmp_cc);
+ return code;
+ }
+
+ code = krb5_principal_set_realm(ctx, self_princ, self_realm);
+ if (code != 0) {
+ krb5_free_principal(ctx, self_princ);
+ krb5_cc_destroy(ctx, tmp_cc);
+ return code;
+ }
+
+ code = krb5_get_creds_opt_alloc(ctx, &options);
+ if (code != 0) {
+ krb5_free_principal(ctx, self_princ);
+ krb5_cc_destroy(ctx, tmp_cc);
+ return code;
+ }
+
+ code = krb5_get_creds_opt_set_impersonate(ctx, options,
+ impersonate_principal);
+ if (code != 0) {
krb5_get_creds_opt_free(ctx, options);
krb5_free_principal(ctx, self_princ);
krb5_cc_destroy(ctx, tmp_cc);
- if (code != 0) {
- return code;
- }
-
- /*
- * Now make sure we store the impersonated principal
- * and creds instead of the TGT related stuff
- * in the krb5_ccache of the caller.
- */
- code = krb5_copy_creds_contents(ctx, s4u2self_creds, &store_creds);
- krb5_free_creds(ctx, s4u2self_creds);
- if (code != 0) {
- return code;
- }
-
- /*
- * It's important to store the principal the KDC
- * returned, as otherwise the caller would not find
- * the S4U2Self ticket in the krb5_ccache lookup.
- */
- store_principal = store_creds.client;
+ return code;
}
+ code = krb5_get_creds(ctx, options, tmp_cc,
+ self_princ, &s4u2self_creds);
+ krb5_get_creds_opt_free(ctx, options);
+ krb5_free_principal(ctx, self_princ);
+ krb5_cc_destroy(ctx, tmp_cc);
+ if (code != 0) {
+ return code;
+ }
+
+ /*
+ * Now make sure we store the impersonated principal
+ * and creds instead of the TGT related stuff
+ * in the krb5_ccache of the caller.
+ */
+ code = krb5_copy_creds_contents(ctx, s4u2self_creds,
+ &store_creds);
+ krb5_free_creds(ctx, s4u2self_creds);
+ if (code != 0) {
+ return code;
+ }
+
+ /*
+ * It's important to store the principal the KDC
+ * returned, as otherwise the caller would not find
+ * the S4U2Self ticket in the krb5_ccache lookup.
+ */
+ store_principal = store_creds.client;
+
+ store:
code = krb5_cc_initialize(ctx, store_cc, store_principal);
if (code != 0) {
krb5_free_cred_contents(ctx, &store_creds);