From a7b8593f9c8f43f7861d2a0bc0e249f17d8ce7f5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 7 Apr 2011 11:16:55 +0200
Subject: s4:kdc: split s4u2self and s4u2proxy checks
metze
---
 source4/kdc/db-glue.c | 29 ++++++++++++++++++++---------
 source4/kdc/db-glue.h | 14 ++++++++++----
 source4/kdc/hdb-samba4.c | 27 +++++++++++++++++++++------
 source4/kdc/mit_samba.c | 8 ++++----
 4 files changed, 55 insertions(+), 23 deletions(-)
(limited to 'source4/kdc')
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 1d37be4020..72262ac18b 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1535,14 +1535,12 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
 /* Check if a given entry may delegate or do s4u2self to this target principal
 *
 * This is currently a very nasty hack - allowing only delegation to itself.
- *
- * This is shared between the constrained delegation and S4U2Self code.
 */
 krb5_error_code
-samba_kdc_check_identical_client_and_server(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
- hdb_entry_ex *entry,
- krb5_const_principal target_principal)
+samba_kdc_check_s4u2self(krb5_context context,
+ struct samba_kdc_db_context *kdc_db_ctx,
+ hdb_entry_ex *entry,
+ krb5_const_principal target_principal)
 {
 krb5_error_code ret;
 krb5_principal enterprise_prinicpal = NULL;
@@ -1555,11 +1553,11 @@ samba_kdc_check_identical_client_and_server(krb5_context context,
 "objectSid", NULL
 };
- TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_constrained_delegation");
+ TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_s4u2self");
 if (!mem_ctx) {
 ret = ENOMEM;
- krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
+ krb5_set_error_message(context, ret, "samba_kdc_check_s4u2self: talloc_named() failed!");
 return ret;
 }
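Review bot: The header comment kept at the top of the first hunk still says the entry "may delegate or do s4u2self", but after this split the function is the S4U2Self check only, so the first line should read `/* Check if a given entry may do S4U2Self to this target principal`. The retained "nasty hack - allowing only delegation to itself" sentence is worth rewording in the same spirit; the remaining body (which continues outside the hunk) presumably still compares the entry against the target, but with the old name `samba_kdc_check_identical_client_and_server` gone the comment is now the only place that tells a reader the check is "client must equal server". The same stale "request for delegation to" wording survives in the error message of the second hunk in this file.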
@@ -1567,7 +1565,7 @@ samba_kdc_check_identical_client_and_server(krb5_context context,
 /* Need to reparse the enterprise principal to find the real target */
 if (target_principal->name.name_string.len != 1) {
 ret = KRB5_PARSE_MALFORMED;
- krb5_set_error_message(context, ret, "samba_kdc_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components",
+ krb5_set_error_message(context, ret, "samba_kdc_check_s4u2self: request for delegation to enterprise principal with wrong (%d) number of components",
 target_principal->name.name_string.len);
 talloc_free(mem_ctx);
 return ret;
@@ -1659,6 +1657,19 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
 return ret;
 }
 
+/*
+ * Check if a given entry may delegate to this target principal
+ * with S4U2Proxy.
+ */
+krb5_error_code
+samba_kdc_check_s4u2proxy(krb5_context context,
+ struct samba_kdc_db_context *kdc_db_ctx,
+ hdb_entry_ex *entry,
+ krb5_const_principal target_principal)
+{
+ return KRB5KDC_ERR_BADOPTION;
+}
+
 NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
 struct samba_kdc_db_context **kdc_db_ctx_out)
 {
diff --git a/source4/kdc/db-glue.h b/source4/kdc/db-glue.h
index 4f1e06fa7a..18d2c07de6 100644
--- a/source4/kdc/db-glue.h
+++ b/source4/kdc/db-glue.h
@@ -37,10 +37,10 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
 hdb_entry_ex *entry);
 
 krb5_error_code
-samba_kdc_check_identical_client_and_server(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
- hdb_entry_ex *entry,
- krb5_const_principal target_principal);
+samba_kdc_check_s4u2self(krb5_context context,
+ struct samba_kdc_db_context *kdc_db_ctx,
+ hdb_entry_ex *entry,
+ krb5_const_principal target_principal);
 
 krb5_error_code
 samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
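Review bot: The new `samba_kdc_check_s4u2proxy` in the second hunk rejects every request with `KRB5KDC_ERR_BADOPTION` without looking at `entry` or `target_principal`, and neither its comment nor the commit message says this is deliberate; because `hdb_samba4_check_constrained_delegation` (hdb-samba4.c) and `mit_samba_check_s4u2proxy` (mit_samba.c) now return this value, S4U2Proxy goes from "allowed to itself only", as the removed comment in the first hunk of this file describes, to "always denied" on both KDC back ends. Failing closed is the right default for an unimplemented delegation check, but that should be written down at the definition, e.g. `/* S4U2Proxy is not implemented yet: refuse every request (fail closed) until the target is validated against the entry's allowed-to-delegate-to list. */`. The three unused parameters will also trigger `-Wunused-parameter`; a `(void)kdc_db_ctx; (void)entry; (void)target_principal;` line alongside the comment makes clear the omission is intentional rather than a forgotten check.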
@@ -48,5 +48,11 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
 hdb_entry_ex *entry,
 krb5_const_principal certificate_principal);
 
+krb5_error_code
+samba_kdc_check_s4u2proxy(krb5_context context,
+ struct samba_kdc_db_context *kdc_db_ctx,
+ hdb_entry_ex *entry,
+ krb5_const_principal target_principal);
+
 NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
 struct samba_kdc_db_context **kdc_db_ctx_out);
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 8511b2f27b..f82712e2b2 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -121,7 +121,7 @@ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
 }
 
 static krb5_error_code
-hdb_samba4_check_identical_client_and_server(krb5_context context, HDB *db,
+hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
 hdb_entry_ex *entry,
 krb5_const_principal target_principal)
 {
@@ -130,9 +130,9 @@ hdb_samba4_check_identical_client_and_server(krb5_context context,
 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 struct samba_kdc_db_context);
 
- return samba_kdc_check_identical_client_and_server(context, kdc_db_ctx,
- entry,
- target_principal);
+ return samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
+ entry,
+ target_principal);
 }
 
 static krb5_error_code
@@ -150,6 +150,21 @@ hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
 certificate_principal);
 }
 
+static krb5_error_code
+hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
+ hdb_entry_ex *entry,
+ krb5_const_principal target_principal)
+{
+ struct samba_kdc_db_context *kdc_db_ctx;
+
+ kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
+ struct samba_kdc_db_context);
+
+ return samba_kdc_check_s4u2self(context, kdc_db_ctx,
+ entry,
+ target_principal);
+}
+
 /* This interface is to be called by the KDC and libnet_keytab_dump,
 * which is expecting Samba calling conventions.
 * It is also called by a wrapper (hdb_samba4_create) from the
@@ -197,9 +212,9 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
 (*db)->hdb_destroy = hdb_samba4_destroy;
 (*db)->hdb_auth_status = NULL;
- (*db)->hdb_check_constrained_delegation = hdb_samba4_check_identical_client_and_server;
+ (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
 (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
- (*db)->hdb_check_s4u2self = hdb_samba4_check_identical_client_and_server;
+ (*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self;
 return NT_STATUS_OK;
 }
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index dcabe39db6..50b5d1d292 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -330,10 +330,10 @@ static int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
 return ret;
 }
 
- ret = samba_kdc_check_identical_client_and_server(ctx->context,
- ctx->db_ctx,
- entry,
- target_principal);
+ ret = samba_kdc_check_s4u2proxy(ctx->context,
+ ctx->db_ctx,
+ entry,
+ target_principal);
 
 krb5_free_principal(ctx->context, target_principal);
 
--
cgit
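Review bot: The new `hdb_samba4_check_s4u2self` in the first hunk has no comment, and it is identical to `hdb_samba4_check_constrained_delegation` in the previous hunk of this file apart from the callee; a one-line header naming its role keeps the two from being confused, e.g. `/* Heimdal HDB hdb_check_s4u2self callback: unwrap the Samba db context and defer to samba_kdc_check_s4u2self(). */`. The same comment should say that `talloc_get_type_abort()` aborts the process rather than returning an error when `db->hdb_db` is not a `struct samba_kdc_db_context`, so a mismatched HDB handle is a crash, not a `krb5_error_code`; that is a reasonable internal invariant, but a reader of this callback should not expect an error path there. The same note applies to the constrained-delegation wrapper in the previous hunk.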