mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
krb5_wrap: let smb_krb5_kinit_s4u2_ccache() work if store_creds.client and server have different realms
As the principal in the resulting ccache may not match the realm of the target principal, we need to store the credentials twice. The caller uses the ccache principal's realm to construct the search key for the target principal. If we get administrator@SAMBADOMAIN via the NTLMSSP authentication and want to do s4u2selfproxy, we'll get ticket for client realm: SAMBADOMAIN client name: administrator server realm: SAMBA.EXAMPLE.COM server name: cifs/localdc This is stored in credential cache, but the caller will use cifs/localdc@SAMBADOMAIN as target_principal name when it tries to use the cache. So also store the ticket as: client realm: SAMBADOMAIN client name: administrator server realm: SAMBADOMAIN server name: cifs/localdc Note that it can always happen that the target is not in the clients realm, so we always deal with changing realm names, so this is not a s4u2self/proxy specific thing. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
parent
ea0c35fbd1
commit
3be1203987
@ -1942,6 +1942,7 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
||||
krb5_principal target_princ;
|
||||
krb5_ccache tmp_cc;
|
||||
const char *self_realm;
|
||||
const char *client_realm = NULL;
|
||||
krb5_principal blacklist_principal = NULL;
|
||||
krb5_principal whitelist_principal = NULL;
|
||||
|
||||
@ -2273,6 +2274,29 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
||||
return code;
|
||||
}
|
||||
|
||||
client_realm = krb5_principal_get_realm(ctx, store_creds.client);
|
||||
if (client_realm != NULL) {
|
||||
/*
|
||||
* Because the CANON flag doesn't have any impact
|
||||
* on the impersonate_principal => store_creds.client
|
||||
* realm mapping. We need to store the credentials twice,
|
||||
* once with the returned realm and once with the
|
||||
* realm of impersonate_principal.
|
||||
*/
|
||||
code = krb5_principal_set_realm(ctx, store_creds.server,
|
||||
client_realm);
|
||||
if (code != 0) {
|
||||
krb5_free_cred_contents(ctx, &store_creds);
|
||||
return code;
|
||||
}
|
||||
|
||||
code = krb5_cc_store_cred(ctx, store_cc, &store_creds);
|
||||
if (code != 0) {
|
||||
krb5_free_cred_contents(ctx, &store_creds);
|
||||
return code;
|
||||
}
|
||||
}
|
||||
|
||||
if (expire_time) {
|
||||
*expire_time = (time_t) store_creds.times.endtime;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user