From 1d59abc724a9ad01fdc61f3e6cfdf41c9f4cb910 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 27 Mar 2010 23:09:31 +1100
Subject: s4:heimdal Add hooks to check with the DB before we allow s4u2self
This allows us to resolve multiple forms of a name, allowing for example machine$@REALM to get an S4U2Self ticket for host/machine@REALM.
Andrew Bartlett
---
 source4/heimdal/lib/hdb/hdb.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'source4/heimdal/lib')
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index d118555121..ad32a145c0 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -235,9 +235,14 @@ typedef struct HDB{
 * Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
 */
 krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
+
+ /**
+ * Check if s4u2self is allowed from this client to this server
+ */
+ krb5_error_code (*hdb_check_s4u2self)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
 }HDB;
-#define HDB_INTERFACE_VERSION 6
+#define HDB_INTERFACE_VERSION 7
 struct hdb_so_method {
 int version;
-- cgit
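Review bot: The doc comment on the new `hdb_check_s4u2self` member leaves the authorization contract unstated: the prototype has unnamed parameters, so it is not clear whether `hdb_entry_ex *` is the requesting client entry and `krb5_const_principal` the target server name, nor which return value means "allowed". Because this hook gates S4U2Self ticket issuance, the comment should also say what the KDC must do when a backend leaves the pointer NULL; the calling code is not visible here, but a backend that never sets the member must not be treated as having granted the request. I would name the parameters in the prototype and extend the comment along the lines of `Return 0 only if the given server principal is another name for the client entry; any other value, or a NULL hook, means the caller must fall back to its own principal comparison`. struct HDB begins outside this hunk, so I cannot confirm how existing backends initialise their trailing members after the bump to `HDB_INTERFACE_VERSION 7`.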