From 5e266225108aa3335476cbe1214cc0f484c4fd02 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Mon, 13 Oct 2008 17:27:21 +0200
Subject: s3-kerberos: add impersonate_principal for kerberos_return_pac_X calls.
Guenther
---
source3/include/proto.h | 2 ++
source3/libads/authdata.c | 26 +++++++++++++++++++++++++-
source3/winbindd/winbindd_pam.c | 1 +
3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index ae35e04aa3..0dbc1c7fed 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1707,6 +1707,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 bool request_pac,
 bool add_netbios_addr,
 time_t renewable_time,
+ const char *impersonate_princ_s,
 struct PAC_DATA **pac_ret);
 NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
 const char *name,
@@ -1718,6 +1719,7 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
 bool request_pac,
 bool add_netbios_addr,
 time_t renewable_time,
+ const char *impersonate_princ_s,
 struct netr_SamInfo3 **info3);
 /* The following definitions come from libads/cldap.c */
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 1499067612..8a6a35130b 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -388,6 +388,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 bool request_pac,
 bool add_netbios_addr,
 time_t renewable_time,
+ const char *impersonate_princ_s,
 struct PAC_DATA **pac_ret)
 {
 krb5_error_code ret;
@@ -398,6 +399,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 const char *auth_princ = NULL;
 const char *local_service = NULL;
 const char *cc = "MEMORY:kerberos_return_pac";
+ krb5_creds *creds = NULL;
 ZERO_STRUCT(tkt);
 ZERO_STRUCT(ap_rep);
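Review bot: The new `impersonate_princ_s` parameter on the kerberos_return_pac definition (the `@@ -388` hunk in authdata.c) is undocumented: nothing says whether NULL is permitted — the only caller in this patch, winbindd_raw_kerberos_login, passes NULL — or whose identity the returned PAC describes when it is set. I would add above the definition a short comment along the lines of `/* impersonate_princ_s: NULL = use the ccache's own identity; non-NULL = obtain the ticket on behalf of that principal (presumably S4U2Self), so the PAC returned describes *that* principal, not anyone who authenticated to us. */`. Because the function then hands back authorization data for a principal whose credentials the caller never proved, the comment should also state that the value must never be derived from unauthenticated input. kerberos_return_pac's body continues outside this hunk.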
@@ -460,8 +462,26 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 (*expire_time == 0) && (*renew_till_time == 0)) {
 return NT_STATUS_INVALID_LOGON_TYPE;
 }
+#if 1
+ ret = smb_krb5_get_creds(local_service,
+ time_offset,
+ cc,
+ impersonate_princ_s,
+ &creds);
+ if (ret) {
+ DEBUG(1,("failed to get credentials for %s: %s\n",
+ local_service, error_message(ret)));
+ status = krb5_to_nt_status(ret);
+ goto out;
+ }
+ ret = smb_krb5_get_tkt_from_creds(creds, &tkt);
+ if (ret) {
+ status = krb5_to_nt_status(ret);
+ goto out;
+ }
+#else
 ret = cli_krb5_get_ticket(local_service,
 time_offset,
 &tkt,
@@ -475,7 +495,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 status = krb5_to_nt_status(ret);
 goto out;
 }
-
+#endif
 status = ads_verify_ticket(mem_ctx,
 lp_realm(),
 time_offset,
@@ -527,6 +547,7 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
 bool request_pac,
 bool add_netbios_addr,
 time_t renewable_time,
+ const char *impersonate_princ_s,
 struct PAC_LOGON_INFO **logon_info)
 {
 NTSTATUS status;
@@ -543,6 +564,7 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
 request_pac,
 add_netbios_addr,
 renewable_time,
+ impersonate_princ_s,
 &pac_data);
 if (!NT_STATUS_IS_OK(status)) {
 return status;
@@ -577,6 +599,7 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
 bool request_pac,
 bool add_netbios_addr,
 time_t renewable_time,
+ const char *impersonate_princ_s,
 struct netr_SamInfo3 **info3)
 {
 NTSTATUS status;
@@ -592,6 +615,7 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
 request_pac,
 add_netbios_addr,
 renewable_time,
+ impersonate_princ_s,
 &logon_info);
 if (!NT_STATUS_IS_OK(status)) {
 return status;
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 43f81f79ae..755f703d63 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
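Review bot: The `creds` filled in by `smb_krb5_get_creds` in the `@@ -460,8` hunk is never released: both `goto out` branches and the success path into ads_verify_ticket leave it held, and because the helper is called with a ccache name rather than a krb5_context it is not visible here how the caller is expected to free it — confirm the helper's ownership contract and release it at `out:` (outside this hunk), e.g. `if (creds) { krb5_free_creds(ctx, creds); }` with whatever context that helper exposes, otherwise every PAC fetch leaks a credential copy. The `#if 1 / #else / #endif` wrapper keeps the old cli_krb5_get_ticket path as dead code inside a security-sensitive function; delete the `#else` branch or make the switch a named build option so it cannot be silently flipped. Note also that when `impersonate_princ_s` is non-NULL the PAC returned describes the impersonated principal rather than anyone who authenticated to this process, so callers must only pass an identity they have already authenticated by other means. kerberos_return_pac's body starts and ends outside this hunk.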
@@ -627,6 +627,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 true,
 true,
 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ NULL,
 info3);
 if (!internal_ccache) {
 gain_root_privilege();
-- cgit