sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-30 06:50:24 +03:00
Code

s4:kdc: split s4u2self and s4u2proxy checks

Browse Source 
metze
This commit is contained in:
Stefan Metzmacher 2011-04-07 11:16:55 +02:00
parent 5f48c5df51
commit a7b8593f9c
4 changed files with 55 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
source4/kdc/db-glue.c
View File

@ -1535,14 +1535,12 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
/* Check if a given entry may delegate or do s4u2self to this target principal
*
* This is currently a very nasty hack - allowing only delegation to itself.
*
* This is shared between the constrained delegation and S4U2Self code.
*/
krb5_error_code
samba_kdc_check_identical_client_and_server(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
hdb_entry_ex *entry,
krb5_const_principal target_principal)
samba_kdc_check_s4u2self(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
hdb_entry_ex *entry,
krb5_const_principal target_principal)
{
krb5_error_code ret;
krb5_principal enterprise_prinicpal = NULL;
@ -1555,11 +1553,11 @@ samba_kdc_check_identical_client_and_server(krb5_context context,
"objectSid", NULL
};
TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_constrained_delegation");
TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_s4u2self");
if (!mem_ctx) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
krb5_set_error_message(context, ret, "samba_kdc_check_s4u2self: talloc_named() failed!");
return ret;
}
@ -1567,7 +1565,7 @@ samba_kdc_check_identical_client_and_server(krb5_context context,
/* Need to reparse the enterprise principal to find the real target */
if (target_principal->name.name_string.len != 1) {
ret = KRB5_PARSE_MALFORMED;
krb5_set_error_message(context, ret, "samba_kdc_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components",
krb5_set_error_message(context, ret, "samba_kdc_check_s4u2self: request for delegation to enterprise principal with wrong (%d) number of components",
target_principal->name.name_string.len);
talloc_free(mem_ctx);
return ret;
@ -1659,6 +1657,19 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
return ret;
}
/*
* Check if a given entry may delegate to this target principal
* with S4U2Proxy.
*/
krb5_error_code
samba_kdc_check_s4u2proxy(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
hdb_entry_ex *entry,
krb5_const_principal target_principal)
{
return KRB5KDC_ERR_BADOPTION;
}
NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
struct samba_kdc_db_context **kdc_db_ctx_out)
{

14
source4/kdc/db-glue.h
View File

@ -37,10 +37,10 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
hdb_entry_ex *entry);
krb5_error_code
samba_kdc_check_identical_client_and_server(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
hdb_entry_ex *entry,
krb5_const_principal target_principal);
samba_kdc_check_s4u2self(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
hdb_entry_ex *entry,
krb5_const_principal target_principal);
krb5_error_code
samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
@ -48,5 +48,11 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
hdb_entry_ex *entry,
krb5_const_principal certificate_principal);
krb5_error_code
samba_kdc_check_s4u2proxy(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
hdb_entry_ex *entry,
krb5_const_principal target_principal);
NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
struct samba_kdc_db_context **kdc_db_ctx_out);

27
source4/kdc/hdb-samba4.c
View File

@ -121,7 +121,7 @@ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
}
static krb5_error_code
hdb_samba4_check_identical_client_and_server(krb5_context context, HDB *db,
hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
hdb_entry_ex *entry,
krb5_const_principal target_principal)
{
@ -130,9 +130,9 @@ hdb_samba4_check_identical_client_and_server(krb5_context context, HDB *db,
kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
struct samba_kdc_db_context);
return samba_kdc_check_identical_client_and_server(context, kdc_db_ctx,
entry,
target_principal);
return samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
entry,
target_principal);
}
static krb5_error_code
@ -150,6 +150,21 @@ hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
certificate_principal);
}
static krb5_error_code
hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
hdb_entry_ex *entry,
krb5_const_principal target_principal)
{
struct samba_kdc_db_context *kdc_db_ctx;
kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
struct samba_kdc_db_context);
return samba_kdc_check_s4u2self(context, kdc_db_ctx,
entry,
target_principal);
}
/* This interface is to be called by the KDC and libnet_keytab_dump,
* which is expecting Samba calling conventions.
* It is also called by a wrapper (hdb_samba4_create) from the
@ -197,9 +212,9 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
(*db)->hdb_destroy = hdb_samba4_destroy;
(*db)->hdb_auth_status = NULL;
(*db)->hdb_check_constrained_delegation = hdb_samba4_check_identical_client_and_server;
(*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
(*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
(*db)->hdb_check_s4u2self = hdb_samba4_check_identical_client_and_server;
(*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self;
return NT_STATUS_OK;
}

8
source4/kdc/mit_samba.c
View File

@ -330,10 +330,10 @@ static int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
return ret;
}
ret = samba_kdc_check_identical_client_and_server(ctx->context,
ctx->db_ctx,
entry,
target_principal);
ret = samba_kdc_check_s4u2proxy(ctx->context,
ctx->db_ctx,
entry,
target_principal);
krb5_free_principal(ctx->context, target_principal);