From f2b63d58da895d11ed490dddd5df30c777369fad Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 27 Mar 2010 23:11:06 +1100 Subject: s4:kdc Add functions to hdb-samba4 for the new s4u2self callback. For now, this shares the 'if it's the same host' system with the constrained delegation code. Andrew Bartlett --- source4/kdc/db-glue.c | 12 +++++++----- source4/kdc/db-glue.h | 8 ++++---- source4/kdc/hdb-samba4.c | 11 ++++++----- source4/kdc/mit_samba.c | 8 ++++---- 4 files changed, 21 insertions(+), 18 deletions(-) (limited to 'source4') diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index a54f8f59cf..8871b0ebf8 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1403,15 +1403,17 @@ krb5_error_code samba_kdc_nextkey(krb5_context context, return samba_kdc_seq(context, kdc_db_ctx, entry); } -/* Check if a given entry may delegate to this target principal +/* Check if a given entry may delegate or do s4u2self to this target principal * * This is currently a very nasty hack - allowing only delegation to itself. + * + * This is shared between the constrained delegation and S4U2Self code. */ krb5_error_code -samba_kdc_check_constrained_delegation(krb5_context context, - struct samba_kdc_db_context *kdc_db_ctx, - hdb_entry_ex *entry, - krb5_const_principal target_principal) +samba_kdc_check_identical_client_and_server(krb5_context context, + struct samba_kdc_db_context *kdc_db_ctx, + hdb_entry_ex *entry, + krb5_const_principal target_principal) { krb5_error_code ret; krb5_principal enterprise_prinicpal = NULL; diff --git a/source4/kdc/db-glue.h b/source4/kdc/db-glue.h index b2291f9eb2..33ba707822 100644 --- a/source4/kdc/db-glue.h +++ b/source4/kdc/db-glue.h 
@@ -36,10 +36,10 @@ krb5_error_code samba_kdc_nextkey(krb5_context context, hdb_entry_ex *entry); krb5_error_code -samba_kdc_check_constrained_delegation(krb5_context context, - struct samba_kdc_db_context *kdc_db_ctx, - hdb_entry_ex *entry, - krb5_const_principal target_principal); +samba_kdc_check_identical_client_and_server(krb5_context context, + struct samba_kdc_db_context *kdc_db_ctx, + hdb_entry_ex *entry, + krb5_const_principal target_principal); krb5_error_code samba_kdc_check_pkinit_ms_upn_match(krb5_context context, diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index b1568ba0de..fc913292a0 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -134,7 +134,7 @@ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db) } static krb5_error_code -hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db, +hdb_samba4_check_identical_client_and_server(krb5_context context, HDB *db, hdb_entry_ex *entry, krb5_const_principal target_principal) { @@ -143,9 +143,9 @@ hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db, kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); - return samba_kdc_check_constrained_delegation(context, kdc_db_ctx, - entry, - target_principal); + return samba_kdc_check_identical_client_and_server(context, kdc_db_ctx, + entry, + target_principal); } static krb5_error_code @@ -251,8 +251,9 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx, (*db)->hdb_destroy = hdb_samba4_destroy; (*db)->hdb_auth_status = NULL; - (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation; + (*db)->hdb_check_constrained_delegation = hdb_samba4_check_identical_client_and_server; (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match; + (*db)->hdb_check_s4u2self = hdb_samba4_check_identical_client_and_server; return NT_STATUS_OK; } 
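Review bot: The S4U2Self and constrained-delegation authorization decisions are now coupled, because in the `@@ -251,8 +251,9 @@` hunk both `hdb_check_constrained_delegation` and the new `hdb_check_s4u2self` are assigned the same `hdb_samba4_check_identical_client_and_server`. The db-glue.c comment describes the self-only rule as a "very nasty hack" for delegation, so if it is later widened to a real list of allowed targets, S4U2Self would be widened with it unless the two are split first. I would give the new hook its own thin wrapper, e.g. `(*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self;`, and add above the shared helper `/* S4U2Self must keep the client == server test even if constrained delegation is relaxed */`. It is also worth confirming that the principal the KDC passes to the s4u2self callback is the one this helper expects as `target_principal`; the callback's definition and the helper's body are outside this patch.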
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index 3faa20938f..328124c409 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -351,10 +351,10 @@ static int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, return ret; } - ret = samba_kdc_check_constrained_delegation(ctx->context, - ctx->db_ctx, - entry, - target_principal); + ret = samba_kdc_check_identical_client_and_server(ctx->context, + ctx->db_ctx, + entry, + target_principal); krb5_free_principal(ctx->context, target_principal); -- cgit