From 3109a3de1f362e9dc42bceb81a393e2dbf80b7b2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 26 Apr 2012 12:06:24 -0400 Subject: Split normal kinit from s4u2 flavored kinit This makes it simpler to slowly integrate MIT support and also makes it somewhat clearer what operation is really requested. The s4u2 part is really only used by the cifs proxy code so we can temporarily disable it in the MIT build w/o major consequences. --- lib/krb5_wrap/krb5_samba.c | 82 +++++++++++++++++++++++++++++++--------------- lib/krb5_wrap/krb5_samba.h | 20 ++++++++--- 2 files changed, 71 insertions(+), 31 deletions(-) (limited to 'lib/krb5_wrap') diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 28cd6471ef..82c25103e7 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c
@@ -1646,12 +1646,54 @@ done:
 	return code;
 }
+krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
+					   krb5_principal principal,
+					   const char *password,
+					   const char *target_service,
+					   krb5_get_init_creds_opt *krb_options,
+					   time_t *expire_time,
+					   time_t *kdc_time)
+{
+	krb5_error_code code = 0;
+	krb5_creds my_creds;
+
+	code = krb5_get_init_creds_password(ctx, &my_creds, principal,
+					    password, NULL, NULL, 0,
+					    target_service, krb_options);
+	if (code) {
+		return code;
+	}
+
+	code = krb5_cc_initialize(ctx, cc, principal);
+	if (code) {
+		goto done;
+	}
+
+	code = krb5_cc_store_cred(ctx, cc, &my_creds);
+	if (code) {
+		goto done;
+	}
+
+	if (expire_time) {
+		*expire_time = (time_t) my_creds.times.endtime;
+	}
+
+	if (kdc_time) {
+		*kdc_time = (time_t) my_creds.times.starttime;
+	}
+
+	code = 0;
+done:
+	krb5_free_cred_contents(ctx, &my_creds);
+	return code;
+}
+
+#ifdef SAMBA4_USES_HEIMDAL
 /* simulate a kinit, putting the tgt in the given credentials cache. Orignally by remus@snapserver.com
-   The impersonate_principal is the principal if NULL, or the principal to
-   impersonate
+   The impersonate_principal is the principal
    The self_service, should be the local service (for S4U2Self if impersonate_principal is given).
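Review bot: The edited comment line `+   The impersonate_principal is the principal` is now a sentence fragment and no longer tells the reader that, for the S4U2-only function it now describes, the parameter is mandatory rather than optional; I would write `The impersonate_principal is the principal to impersonate (required: this variant only performs S4U2Self/S4U2Proxy).` The new `kerberos_kinit_password_cc` above it also lands without any header comment, so a short note that it obtains an initial ticket for `target_service` using `password` (presumably the krbtgt when `target_service` is NULL, as the old non-impersonating path did), stores it in `cc`, and reports the credential's endtime/starttime through `expire_time`/`kdc_time` would bring it up to the standard of the function that follows. The comment block whose text is edited here continues past the end of this hunk.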
@@ -1660,16 +1702,16 @@ done:
    kpasswd/realm or a remote service (for S4U2Proxy) */
-krb5_error_code kerberos_kinit_password_cc(krb5_context ctx,
-					   krb5_ccache store_cc,
-					   krb5_principal init_principal,
-					   const char *init_password,
-					   krb5_principal impersonate_principal,
-					   const char *self_service,
-					   const char *target_service,
-					   krb5_get_init_creds_opt *krb_options,
-					   time_t *expire_time,
-					   time_t *kdc_time)
+krb5_error_code kerberos_kinit_s4u2_cc(krb5_context ctx,
+				       krb5_ccache store_cc,
+				       krb5_principal init_principal,
+				       const char *init_password,
+				       krb5_principal impersonate_principal,
+				       const char *self_service,
+				       const char *target_service,
+				       krb5_get_init_creds_opt *krb_options,
+				       time_t *expire_time,
+				       time_t *kdc_time)
 {
 	krb5_error_code code = 0;
 	krb5_get_creds_opt options;
@@ -1687,21 +1729,12 @@ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx,
 	krb5_principal blacklist_principal = NULL;
 	krb5_principal whitelist_principal = NULL;
-	if (impersonate_principal && self_service == NULL) {
-		return EINVAL;
-	}
-
-	/*
-	 * If we are not impersonating, then get this ticket for the
-	 * target service, otherwise a krbtgt, and get the next ticket
-	 * for the target
-	 */
 	code = krb5_get_init_creds_password(ctx, &store_creds, init_principal, init_password, NULL, NULL, 0,
-					    impersonate_principal ? NULL : target_service,
+					    NULL,
 					    krb_options);
 	if (code != 0) {
 		return code;
@@ -1709,10 +1742,6 @@ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx,
 	store_principal = init_principal;
-	if (impersonate_principal == NULL) {
-		goto store;
-	}
-
 	/*
 	 * We are trying S4U2Self now:
 	 *
@@ -2040,6 +2069,7 @@ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx,
 	return 0;
 }
+#endif
 /*
  * smb_krb5_principal_get_realm
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index d235563a7b..864cda67bb 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
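Review bot: Removing the guard `if (impersonate_principal && self_service == NULL) { return EINVAL; }` in the hunk at -1687 leaves `kerberos_kinit_s4u2_cc` with no validation of its now-mandatory inputs: the `goto store` shortcut for a NULL `impersonate_principal` is gone as well (hunk at -1709), so a caller passing NULL for either pointer proceeds straight into the S4U2Self path with a NULL principal or service name. Since this variant exists only to impersonate, the check should be tightened rather than dropped, `if (impersonate_principal == NULL || self_service == NULL) { return EINVAL; }`, kept where the old guard was so it runs before `krb5_get_init_creds_password` issues an AS-REQ with the caller's password. The body of the function continues outside these hunks, so I cannot tell whether a later line tolerates the NULL case, but failing fast before any network exchange is the safer ordering regardless.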
@@ -206,15 +206,25 @@ krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
 					   time_t *expire_time,
 					   time_t *kdc_time);
 krb5_error_code kerberos_kinit_password_cc(krb5_context ctx,
-					   krb5_ccache store_cc,
-					   krb5_principal init_principal,
-					   const char *init_password,
-					   krb5_principal impersonate_principal,
-					   const char *self_service,
+					   krb5_ccache cc,
+					   krb5_principal principal,
+					   const char *password,
 					   const char *target_service,
 					   krb5_get_init_creds_opt *krb_options,
 					   time_t *expire_time,
 					   time_t *kdc_time);
+#ifdef SAMBA4_USES_HEIMDAL
+krb5_error_code kerberos_kinit_s4u2_cc(krb5_context ctx,
+				       krb5_ccache store_cc,
+				       krb5_principal init_principal,
+				       const char *init_password,
+				       krb5_principal impersonate_principal,
+				       const char *self_service,
+				       const char *target_service,
+				       krb5_get_init_creds_opt *krb_options,
+				       time_t *expire_time,
+				       time_t *kdc_time);
+#endif
 char *smb_krb5_principal_get_realm(krb5_context context, krb5_principal principal);
-- cgit
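Review bot: The new `kerberos_kinit_s4u2_cc` prototype gives callers no hint that `impersonate_principal` and `self_service` are now required inputs (the .c side has dropped the only check that mentioned them), nor that the symbol disappears on non-Heimdal builds and will surface as an undeclared identifier in any caller not wrapped in the same `#ifdef`. I would put a comment above the declaration: `/* S4U2Self/S4U2Proxy kinit: impersonate_principal and self_service must be non-NULL. Heimdal-only; callers must be guarded by SAMBA4_USES_HEIMDAL. */`. The slimmed-down `kerberos_kinit_password_cc` prototype would likewise benefit from a one-line comment saying that `target_service` is passed through to `krb5_get_init_creds_password` and may be NULL to request the krbtgt, as the removed comment in the .c file described.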