From aecaddfa1b2a55c9cc91c3644947c3686714ceb5 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 3 Mar 2010 13:24:52 +1100
Subject: s4:credentials Add the functions needed to do S4U2Self with
 cli_credentials

A torture test to demonstrate will be added soon.

Andrew Bartlett
---
 source4/auth/kerberos/kerberos.c | 79 +++++++++++++++++++++++++++++++++-------
 1 file changed, 66 insertions(+), 13 deletions(-)

(limited to 'source4/auth/kerberos/kerberos.c')

diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index d4549ee88a..42757640f2 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -33,10 +33,15 @@
  
   This version is built to use a keyblock, rather than needing the
   original password.
+
+  The impersonate_principal is the principal if NULL, or the principal to impersonate
+
+  The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self)
 */
  krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, 
-				krb5_principal principal, krb5_keyblock *keyblock,
-				time_t *expire_time, time_t *kdc_time)
+					    krb5_principal principal, krb5_keyblock *keyblock,
+					    const char *target_service,
+					    time_t *expire_time, time_t *kdc_time)
 {
 	krb5_error_code code = 0;
 	krb5_creds my_creds;
@@ -49,7 +54,7 @@
 	krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, options);
 
 	if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock,
-						 0, NULL, options))) {
+						 0, target_service, options))) {
 		return code;
 	}
 	
@@ -82,36 +87,49 @@
 /*
   simulate a kinit, putting the tgt in the given credentials cache. 
   Orignally by remus@snapserver.com
+
+  The impersonate_principal is the principal if NULL, or the principal to impersonate
+
+  The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self)
+
 */
  krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, 
 					    krb5_principal principal, const char *password,
+					    krb5_principal impersonate_principal, const char *target_service,
 					    time_t *expire_time, time_t *kdc_time)
 {
 	krb5_error_code code = 0;
 	krb5_creds my_creds;
-	krb5_get_init_creds_opt *options;
+	krb5_creds *impersonate_creds;
+	krb5_get_init_creds_opt *init_options;
+	krb5_get_creds_opt options;
 
-	if ((code = krb5_get_init_creds_opt_alloc(ctx, &options))) {
+	if ((code = krb5_get_init_creds_opt_alloc(ctx, &init_options))) {
 		return code;
 	}
 
-	krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, options);
+	krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, init_options);
 
+	/* If we are not impersonating, then get this ticket for the
+	 * target service, otherwise a krbtgt, and get the next ticket
+	 * for the target */
 	if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password, 
-						 NULL, 
-						 NULL, 0, NULL, options))) {
-		krb5_get_init_creds_opt_free(ctx, options);
+						 NULL, NULL,
+						 0,
+						 impersonate_principal ? NULL : target_service,
+						 init_options))) {
+		krb5_get_init_creds_opt_free(ctx, init_options);
 		return code;
 	}
-	
+
 	if ((code = krb5_cc_initialize(ctx, cc, principal))) {
-		krb5_get_init_creds_opt_free(ctx, options);
+		krb5_get_init_creds_opt_free(ctx, init_options);
 		krb5_free_cred_contents(ctx, &my_creds);
 		return code;
 	}
 	
 	if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
-		krb5_get_init_creds_opt_free(ctx, options);
+		krb5_get_init_creds_opt_free(ctx, init_options);
 		krb5_free_cred_contents(ctx, &my_creds);
 		return code;
 	}
@@ -124,9 +142,44 @@
 		*kdc_time = (time_t) my_creds.times.starttime;
 	}
 
-	krb5_get_init_creds_opt_free(ctx, options);
+	krb5_get_init_creds_opt_free(ctx, init_options);
 	krb5_free_cred_contents(ctx, &my_creds);
 	
+	if (code == 0 && impersonate_principal) {
+		krb5_principal target_princ;
+		if ((code = krb5_get_creds_opt_alloc(ctx, &options))) {
+			return code;
+		}
+
+		if ((code = krb5_get_creds_opt_set_impersonate(ctx, options, impersonate_principal))) {
+			krb5_get_creds_opt_free(ctx, options);
+			return code;
+		}
+
+		if ((code = krb5_parse_name(ctx, target_service, &target_princ))) {
+			krb5_get_creds_opt_free(ctx, options);
+			return code;
+		}
+
+		if ((code = krb5_principal_set_realm(ctx, target_princ, krb5_principal_get_realm(ctx, principal)))) {
+			krb5_get_creds_opt_free(ctx, options);
+			krb5_free_principal(ctx, target_princ);
+			return code;
+		}
+
+		if ((code = krb5_get_creds(ctx, options, cc, target_princ, &impersonate_creds))) {
+			krb5_free_principal(ctx, target_princ);
+			krb5_get_creds_opt_free(ctx, options);
+			return code;
+		}
+
+		krb5_free_principal(ctx, target_princ);
+
+		code = krb5_cc_store_cred(ctx, cc, impersonate_creds);
+		krb5_get_creds_opt_free(ctx, options);
+		krb5_free_creds(ctx, impersonate_creds);
+	}
+
 	return 0;
 }
 
-- 
cgit