mirror of https://github.com/samba-team/samba.git synced 2025-02-02 09:47:23 +03:00

auth/gensec: add gensec_kerberos_possible() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher 2024-03-05 14:41:39 +01:00
parent 1275e77933
commit 996fd13949
2 changed files with 65 additions and 0 deletions


@ -198,4 +198,6 @@ NTSTATUS gensec_child_session_info(struct gensec_security *gensec_security,
NTTIME gensec_child_expire_time(struct gensec_security *gensec_security);
const char *gensec_child_final_auth_type(struct gensec_security *gensec_security);
NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security);
#endif /* __GENSEC_H__ */
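Review bot: The new `gensec_kerberos_possible()` prototype carries no comment stating its contract, and the name reads like a yes/no predicate while the return type is NTSTATUS. From the definition in this commit, `NT_STATUS_OK` means Kerberos can be attempted, `NT_STATUS_INVALID_PARAMETER` covers every "not possible" case, and `NT_STATUS_NO_MEMORY` is returned on the errno path. A one-line comment above the declaration would let callers separate the fallback case from the hard error, e.g. `/* NT_STATUS_OK: Kerberos can be tried; NT_STATUS_INVALID_PARAMETER: not possible for these credentials/target; NT_STATUS_NO_MEMORY: allocation failure */`.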


@ -23,10 +23,14 @@
#include "includes.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "auth/credentials/credentials.h"
#include "auth/common_auth.h"
#include "../lib/util/asn1.h"
#include "param/param.h"
#include "libds/common/roles.h"
#include "lib/util/util_net.h"
#undef strcasecmp
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@ -336,3 +340,62 @@ const char *gensec_child_final_auth_type(struct gensec_security *gensec_security
return gensec_final_auth_type(gensec_security->child_security);
}
NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security)
{
struct cli_credentials *creds = gensec_get_credentials(gensec_security);
bool auth_requested = cli_credentials_authentication_requested(creds);
enum credentials_use_kerberos krb5_state =
cli_credentials_get_kerberos_state(creds);
char *user_principal = NULL;
const char *client_realm = cli_credentials_get_realm(creds);
const char *target_principal = gensec_get_target_principal(gensec_security);
const char *hostname = gensec_get_target_hostname(gensec_security);
if (!auth_requested) {
return NT_STATUS_INVALID_PARAMETER;
}
if (krb5_state == CRED_USE_KERBEROS_DISABLED) {
return NT_STATUS_INVALID_PARAMETER;
}
errno = 0;
user_principal = cli_credentials_get_principal(creds, gensec_security);
if (errno != 0) {
TALLOC_FREE(user_principal);
return NT_STATUS_NO_MEMORY;
}
if (user_principal == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
TALLOC_FREE(user_principal);
if (target_principal != NULL) {
return NT_STATUS_OK;
}
if (client_realm == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
if (hostname == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
if (strcasecmp(hostname, "localhost") == 0) {
return NT_STATUS_INVALID_PARAMETER;
}
#define STAR_SMBSERVER "*SMBSERVER"
if (strcmp(hostname, STAR_SMBSERVER) == 0) {
return NT_STATUS_INVALID_PARAMETER;
}
if (is_ipaddress(hostname)) {
return NT_STATUS_INVALID_PARAMETER;
}
return NT_STATUS_OK;
}
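Review bot: The `if (errno != 0)` test after `cli_credentials_get_principal()` turns any errno value into `NT_STATUS_NO_MEMORY`, even when a principal was returned, and a callee may leave errno set on a path that succeeded. Because this helper decides whether Kerberos is attempted at all, a stale errno would surface as a hard allocation error instead of a possible/not-possible answer. The callee is not visible here, but if the intent is only to tell allocation failure apart from "no principal", the test could be narrowed to `if (user_principal == NULL && errno != 0)`. Separately, `#define STAR_SMBSERVER` inside the function body stays defined for the rest of the file; a file-scope constant or a trailing `#undef STAR_SMBSERVER` would contain it.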