mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
We can use enterprise principals (e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM) and delegate the routing decisions to the KDCs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
This commit is contained in:
parent
9520652399
commit
a77be15d28
@ -419,6 +419,15 @@ struct winbindd_domain *find_auth_domain(uint8_t flags,
|
|||||||
return find_domain_from_name_noinit(domain_name);
|
return find_domain_from_name_noinit(domain_name);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (lp_winbind_use_krb5_enterprise_principals()) {
|
||||||
|
/*
|
||||||
|
* If we use enterprise principals
|
||||||
|
* we always go trough our primary domain
|
||||||
|
* and follow the WRONG_REALM replies.
|
||||||
|
*/
|
||||||
|
flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM;
|
||||||
|
}
|
||||||
|
|
||||||
/* we can auth against trusted domains */
|
/* we can auth against trusted domains */
|
||||||
if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
|
if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
|
||||||
domain = find_domain_from_name_noinit(domain_name);
|
domain = find_domain_from_name_noinit(domain_name);
|
||||||
@ -723,7 +732,20 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
|||||||
return NT_STATUS_INVALID_PARAMETER;
|
return NT_STATUS_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
|
|
||||||
principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm);
|
if (lp_winbind_use_krb5_enterprise_principals() &&
|
||||||
|
name_namespace[0] != '\0')
|
||||||
|
{
|
||||||
|
principal_s = talloc_asprintf(mem_ctx,
|
||||||
|
"%s@%s@%s",
|
||||||
|
name_user,
|
||||||
|
name_namespace,
|
||||||
|
realm);
|
||||||
|
} else {
|
||||||
|
principal_s = talloc_asprintf(mem_ctx,
|
||||||
|
"%s@%s",
|
||||||
|
name_user,
|
||||||
|
realm);
|
||||||
|
}
|
||||||
if (principal_s == NULL) {
|
if (principal_s == NULL) {
|
||||||
return NT_STATUS_NO_MEMORY;
|
return NT_STATUS_NO_MEMORY;
|
||||||
}
|
}
|
||||||
@ -1290,30 +1312,16 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
|
|||||||
|
|
||||||
/* what domain should we contact? */
|
/* what domain should we contact? */
|
||||||
|
|
||||||
if ( IS_DC ) {
|
if (lp_winbind_use_krb5_enterprise_principals()) {
|
||||||
contact_domain = find_domain_from_name(name_namespace);
|
contact_domain = find_auth_domain(0, name_namespace);
|
||||||
if (contact_domain == NULL) {
|
|
||||||
DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
|
|
||||||
state->request->data.auth.user, name_domain, name_user, name_domain));
|
|
||||||
result = NT_STATUS_NO_SUCH_USER;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
if (is_myname(name_domain)) {
|
|
||||||
DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
|
|
||||||
result = NT_STATUS_NO_SUCH_USER;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
contact_domain = find_domain_from_name(name_namespace);
|
contact_domain = find_domain_from_name(name_namespace);
|
||||||
if (contact_domain == NULL) {
|
}
|
||||||
DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
|
if (contact_domain == NULL) {
|
||||||
state->request->data.auth.user, name_domain, name_user, name_domain));
|
DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
|
||||||
|
state->request->data.auth.user, name_domain, name_user, name_namespace));
|
||||||
result = NT_STATUS_NO_SUCH_USER;
|
result = NT_STATUS_NO_SUCH_USER;
|
||||||
goto done;
|
goto done;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (contact_domain->initialized &&
|
if (contact_domain->initialized &&
|
||||||
@ -1326,7 +1334,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!contact_domain->active_directory) {
|
if (!contact_domain->active_directory) {
|
||||||
DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
|
DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n",
|
||||||
|
contact_domain->name));
|
||||||
return NT_STATUS_INVALID_LOGON_TYPE;
|
return NT_STATUS_INVALID_LOGON_TYPE;
|
||||||
}
|
}
|
||||||
try_login:
|
try_login:
|
||||||
|
Loading…
Reference in New Issue
Block a user