mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s4:kdc: Remove support code for older versions of MIT Kerberos
The oldest version we now support is 1.21. For every supported version we can be certain that KRB5_KDB_API_VERSION >= 10 and KRB5_KDB_DAL_MAJOR_VERSION >= 9. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
6b580f7368
commit
bbfa98ec05
@ -140,7 +140,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
|
||||
|
||||
kdb_vftabl kdb_function_table = {
|
||||
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
|
||||
.min_ver = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,
|
||||
.min_ver = 0,
|
||||
|
||||
.init_library = kdb_samba_init_library,
|
||||
.fini_library = kdb_samba_fini_library,
|
||||
@ -173,10 +173,6 @@ kdb_vftabl kdb_function_table = {
|
||||
|
||||
.free_principal_e_data = kdb_samba_db_free_principal_e_data,
|
||||
|
||||
#if KRB5_KDB_DAL_MAJOR_VERSION >= 9
|
||||
.allowed_to_delegate_from = kdb_samba_db_allowed_to_delegate_from,
|
||||
.issue_pac = kdb_samba_db_issue_pac,
|
||||
#else
|
||||
.sign_authdata = kdb_samba_db_sign_auth_data,
|
||||
#endif
|
||||
};
|
||||
|
@ -194,377 +194,6 @@ static krb5_error_code ks_get_pac(krb5_context context,
|
||||
return code;
|
||||
}
|
||||
|
||||
#if KRB5_KDB_DAL_MAJOR_VERSION < 9
|
||||
static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
unsigned int flags,
|
||||
krb5_const_principal client_princ,
|
||||
krb5_db_entry *client,
|
||||
krb5_db_entry *server,
|
||||
krb5_db_entry *krbtgt,
|
||||
krb5_keyblock *server_key,
|
||||
krb5_keyblock *krbtgt_key,
|
||||
krb5_timestamp authtime,
|
||||
krb5_authdata **tgt_auth_data,
|
||||
krb5_pac *pac)
|
||||
{
|
||||
struct mit_samba_context *mit_ctx;
|
||||
krb5_authdata **authdata = NULL;
|
||||
krb5_pac ipac = NULL;
|
||||
DATA_BLOB logon_data = { NULL, 0 };
|
||||
krb5_error_code code;
|
||||
|
||||
mit_ctx = ks_get_context(context);
|
||||
if (mit_ctx == NULL) {
|
||||
return KRB5_KDB_DBNOTINITED;
|
||||
}
|
||||
|
||||
/* find the existing PAC, if present */
|
||||
code = krb5_find_authdata(context,
|
||||
tgt_auth_data,
|
||||
NULL,
|
||||
KRB5_AUTHDATA_WIN2K_PAC,
|
||||
&authdata);
|
||||
if (code != 0) {
|
||||
return code;
|
||||
}
|
||||
|
||||
/* no pac data */
|
||||
if (authdata == NULL) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
SMB_ASSERT(authdata[0] != NULL);
|
||||
|
||||
if (authdata[1] != NULL) {
|
||||
code = KRB5KDC_ERR_BADOPTION; /* XXX */
|
||||
goto done;
|
||||
}
|
||||
|
||||
code = krb5_pac_parse(context,
|
||||
authdata[0]->contents,
|
||||
authdata[0]->length,
|
||||
&ipac);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* TODO: verify this is correct
|
||||
*
|
||||
* In the constrained delegation case, the PAC is from a service
|
||||
* ticket rather than a TGT; we must verify the server and KDC
|
||||
* signatures to assert that the server did not forge the PAC.
|
||||
*/
|
||||
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
|
||||
code = krb5_pac_verify(context,
|
||||
ipac,
|
||||
authtime,
|
||||
client_princ,
|
||||
server_key,
|
||||
krbtgt_key);
|
||||
} else {
|
||||
code = krb5_pac_verify(context,
|
||||
ipac,
|
||||
authtime,
|
||||
client_princ,
|
||||
krbtgt_key,
|
||||
NULL);
|
||||
}
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* check and update PAC */
|
||||
code = krb5_pac_parse(context,
|
||||
authdata[0]->contents,
|
||||
authdata[0]->length,
|
||||
pac);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
code = mit_samba_reget_pac(mit_ctx,
|
||||
context,
|
||||
flags,
|
||||
client_princ,
|
||||
client,
|
||||
server,
|
||||
krbtgt,
|
||||
krbtgt_key,
|
||||
pac);
|
||||
|
||||
done:
|
||||
krb5_free_authdata(context, authdata);
|
||||
krb5_pac_free(context, ipac);
|
||||
free(logon_data.data);
|
||||
|
||||
return code;
|
||||
}
|
||||
|
||||
krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
unsigned int flags,
|
||||
krb5_const_principal client_princ,
|
||||
krb5_const_principal server_princ,
|
||||
krb5_db_entry *client,
|
||||
krb5_db_entry *server,
|
||||
krb5_db_entry *krbtgt,
|
||||
krb5_db_entry *local_krbtgt,
|
||||
krb5_keyblock *client_key,
|
||||
krb5_keyblock *server_key,
|
||||
krb5_keyblock *krbtgt_key,
|
||||
krb5_keyblock *local_krbtgt_key,
|
||||
krb5_keyblock *session_key,
|
||||
krb5_timestamp authtime,
|
||||
krb5_authdata **tgt_auth_data,
|
||||
void *authdata_info,
|
||||
krb5_data ***auth_indicators,
|
||||
krb5_authdata ***signed_auth_data)
|
||||
{
|
||||
krb5_const_principal ks_client_princ = NULL;
|
||||
krb5_db_entry *client_entry = NULL;
|
||||
krb5_authdata **pac_auth_data = NULL;
|
||||
krb5_authdata **authdata = NULL;
|
||||
krb5_boolean is_as_req;
|
||||
krb5_error_code code;
|
||||
krb5_pac pac = NULL;
|
||||
krb5_data pac_data;
|
||||
bool with_pac = false;
|
||||
bool generate_pac = false;
|
||||
char *client_name = NULL;
|
||||
|
||||
|
||||
krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
|
||||
krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
|
||||
|
||||
/* FIXME: We don't support S4U yet */
|
||||
if (flags & KRB5_KDB_FLAGS_S4U) {
|
||||
return KRB5_KDB_DBTYPE_NOSUP;
|
||||
}
|
||||
|
||||
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
|
||||
|
||||
/*
|
||||
* When using s4u2proxy client_princ actually refers to the proxied user
|
||||
* while client->princ to the proxy service asking for the TGS on behalf
|
||||
* of the proxied user. So always use client_princ in preference.
|
||||
*
|
||||
* Note that when client principal is not NULL, client entry might be
|
||||
* NULL for cross-realm case, so we need to make sure to not
|
||||
* dereference NULL pointer here.
|
||||
*/
|
||||
if (client_princ != NULL) {
|
||||
ks_client_princ = client_princ;
|
||||
if (!is_as_req) {
|
||||
krb5_boolean is_equal = false;
|
||||
|
||||
if (client != NULL && client->princ != NULL) {
|
||||
is_equal =
|
||||
krb5_principal_compare(context,
|
||||
client_princ,
|
||||
client->princ);
|
||||
}
|
||||
|
||||
/*
|
||||
* When client principal is the same as supplied client
|
||||
* entry, don't fetch it.
|
||||
*/
|
||||
if (!is_equal) {
|
||||
code = ks_get_principal(context,
|
||||
ks_client_princ,
|
||||
0,
|
||||
&client_entry);
|
||||
if (code != 0) {
|
||||
(void)krb5_unparse_name(context,
|
||||
ks_client_princ,
|
||||
&client_name);
|
||||
|
||||
DBG_DEBUG("We didn't find the client "
|
||||
"principal [%s] in our "
|
||||
"database.\n",
|
||||
client_name);
|
||||
SAFE_FREE(client_name);
|
||||
|
||||
/*
|
||||
* If we didn't find client_princ in our
|
||||
* database it might be from another
|
||||
* realm.
|
||||
*/
|
||||
client_entry = NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if (client == NULL) {
|
||||
*signed_auth_data = NULL;
|
||||
return 0;
|
||||
}
|
||||
ks_client_princ = client->princ;
|
||||
}
|
||||
|
||||
if (client_entry == NULL) {
|
||||
client_entry = client;
|
||||
}
|
||||
|
||||
if (is_as_req) {
|
||||
with_pac = mit_samba_princ_needs_pac(client_entry);
|
||||
} else {
|
||||
with_pac = mit_samba_princ_needs_pac(server);
|
||||
}
|
||||
|
||||
code = krb5_unparse_name(context,
|
||||
client_princ,
|
||||
&client_name);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC) != 0) {
|
||||
generate_pac = true;
|
||||
}
|
||||
|
||||
DBG_DEBUG("*** Sign data for client principal: %s [%s %s%s]\n",
|
||||
client_name,
|
||||
is_as_req ? "AS-REQ" : "TGS_REQ",
|
||||
with_pac ? is_as_req ? "WITH_PAC" : "FIND_PAC" : "NO_PAC",
|
||||
generate_pac ? " GENERATE_PAC" : "");
|
||||
|
||||
/*
|
||||
* Generate PAC for the AS-REQ or check or generate one for the TGS if
|
||||
* needed.
|
||||
*/
|
||||
if (with_pac && generate_pac) {
|
||||
DBG_DEBUG("Generate PAC for AS-REQ [%s]\n", client_name);
|
||||
|
||||
code = krb5_pac_init(context, &pac);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
code = ks_get_pac(context,
|
||||
flags,
|
||||
client_entry,
|
||||
server,
|
||||
NULL,
|
||||
&pac);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
} else if (with_pac && !is_as_req) {
|
||||
/*
|
||||
* Find the PAC in the TGS, if one exists.
|
||||
*/
|
||||
code = krb5_find_authdata(context,
|
||||
tgt_auth_data,
|
||||
NULL,
|
||||
KRB5_AUTHDATA_WIN2K_PAC,
|
||||
&pac_auth_data);
|
||||
if (code != 0) {
|
||||
DBG_ERR("krb5_find_authdata failed: %d\n", code);
|
||||
goto done;
|
||||
}
|
||||
DBG_DEBUG("Found PAC data for TGS-REQ [%s]\n", client_name);
|
||||
|
||||
if (pac_auth_data != NULL && pac_auth_data[0] != NULL) {
|
||||
if (pac_auth_data[1] != NULL) {
|
||||
DBG_ERR("Invalid PAC data!\n");
|
||||
code = KRB5KDC_ERR_BADOPTION;
|
||||
goto done;
|
||||
}
|
||||
|
||||
DBG_DEBUG("Verify PAC for TGS [%s]\n",
|
||||
client_name);
|
||||
|
||||
code = ks_verify_pac(context,
|
||||
flags,
|
||||
ks_client_princ,
|
||||
client_entry,
|
||||
server,
|
||||
krbtgt,
|
||||
server_key,
|
||||
krbtgt_key,
|
||||
authtime,
|
||||
tgt_auth_data,
|
||||
&pac);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
} else {
|
||||
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
|
||||
DBG_DEBUG("Generate PAC for constrained"
|
||||
"delegation TGS [%s]\n",
|
||||
client_name);
|
||||
|
||||
code = krb5_pac_init(context, &pac);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
code = ks_get_pac(context,
|
||||
flags,
|
||||
client_entry,
|
||||
server,
|
||||
NULL,
|
||||
&pac);
|
||||
if (code != 0 && code != ENOENT) {
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (pac == NULL) {
|
||||
DBG_DEBUG("No PAC data - we're done [%s]\n", client_name);
|
||||
*signed_auth_data = NULL;
|
||||
code = 0;
|
||||
goto done;
|
||||
}
|
||||
|
||||
DBG_DEBUG("Signing PAC for %s [%s]\n",
|
||||
is_as_req ? "AS-REQ" : "TGS-REQ",
|
||||
client_name);
|
||||
code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
|
||||
server_key, krbtgt_key, &pac_data);
|
||||
if (code != 0) {
|
||||
DBG_ERR("krb5_pac_sign failed: %d\n", code);
|
||||
goto done;
|
||||
}
|
||||
|
||||
authdata = calloc(2, sizeof(krb5_authdata *));
|
||||
if (authdata == NULL) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
authdata[0] = malloc(sizeof(krb5_authdata));
|
||||
if (authdata[0] == NULL) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* put in signed data */
|
||||
authdata[0]->magic = KV5M_AUTHDATA;
|
||||
authdata[0]->ad_type = KRB5_AUTHDATA_WIN2K_PAC;
|
||||
authdata[0]->contents = (krb5_octet *)pac_data.data;
|
||||
authdata[0]->length = pac_data.length;
|
||||
|
||||
code = krb5_encode_authdata_container(context,
|
||||
KRB5_AUTHDATA_IF_RELEVANT,
|
||||
authdata,
|
||||
signed_auth_data);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
code = 0;
|
||||
|
||||
done:
|
||||
if (client_entry != NULL && client_entry != client) {
|
||||
ks_free_principal(context, client_entry);
|
||||
}
|
||||
SAFE_FREE(client_name);
|
||||
krb5_free_authdata(context, authdata);
|
||||
krb5_pac_free(context, pac);
|
||||
|
||||
return code;
|
||||
}
|
||||
#else /* KRB5_KDB_DAL_MAJOR_VERSION >= 9 */
|
||||
static krb5_error_code ks_update_pac(krb5_context context,
|
||||
int flags,
|
||||
krb5_db_entry *client,
|
||||
@ -686,7 +315,6 @@ krb5_error_code kdb_samba_db_issue_pac(krb5_context context,
|
||||
|
||||
return code;
|
||||
}
|
||||
#endif /* KRB5_KDB_DAL_MAJOR_VERSION */
|
||||
|
||||
krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
|
||||
krb5_const_principal client,
|
||||
@ -707,7 +335,6 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
|
||||
}
|
||||
|
||||
|
||||
#if KRB5_KDB_DAL_MAJOR_VERSION >= 9
|
||||
krb5_error_code kdb_samba_db_allowed_to_delegate_from(
|
||||
krb5_context context,
|
||||
krb5_const_principal client_principal,
|
||||
@ -731,7 +358,6 @@ krb5_error_code kdb_samba_db_allowed_to_delegate_from(
|
||||
|
||||
return code;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
static void samba_bad_password_count(krb5_db_entry *client,
|
||||
|
@ -220,15 +220,12 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
#if KRB5_KDB_API_VERSION >= 10
|
||||
/*
|
||||
* The MIT KDC code that wants the canonical name in all lookups, and
|
||||
* takes care to canonicalize only when appropriate.
|
||||
*/
|
||||
sflags |= SDB_F_FORCE_CANON;
|
||||
#endif
|
||||
|
||||
#if KRB5_KDB_DAL_MAJOR_VERSION >= 9
|
||||
if (kflags & KRB5_KDB_FLAG_REFERRAL_OK) {
|
||||
sflags |= SDB_F_CANON;
|
||||
}
|
||||
@ -249,33 +246,6 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
|
||||
sflags |= SDB_F_FOR_TGS_REQ;
|
||||
}
|
||||
}
|
||||
#else /* KRB5_KDB_DAL_MAJOR_VERSION < 9 */
|
||||
if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
|
||||
sflags |= SDB_F_CANON;
|
||||
}
|
||||
if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
|
||||
KRB5_KDB_FLAG_INCLUDE_PAC)) {
|
||||
/*
|
||||
* KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is equal to
|
||||
* SDB_F_FOR_AS_REQ
|
||||
*
|
||||
* We use ANY to also allow AS_REQ for service principal names
|
||||
* This is supported by Windows.
|
||||
*/
|
||||
sflags |= SDB_F_GET_ANY|SDB_F_FOR_AS_REQ;
|
||||
} else {
|
||||
int equal = smb_krb5_principal_is_tgs(ctx->context, principal);
|
||||
if (equal == -1) {
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
if (equal) {
|
||||
sflags |= SDB_F_GET_KRBTGT;
|
||||
} else {
|
||||
sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ;
|
||||
}
|
||||
}
|
||||
#endif /* KRB5_KDB_DAL_MAJOR_VERSION */
|
||||
|
||||
/* always set this or the created_by data will not be populated by samba's
|
||||
* backend and we will fail to parse the entry later */
|
||||
@ -617,140 +587,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
|
||||
return code;
|
||||
}
|
||||
|
||||
#if KRB5_KDB_DAL_MAJOR_VERSION < 9
|
||||
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
||||
krb5_context context,
|
||||
int kdc_flags,
|
||||
krb5_const_principal client_principal,
|
||||
krb5_db_entry *client,
|
||||
krb5_db_entry *server,
|
||||
krb5_db_entry *krbtgt,
|
||||
krb5_keyblock *krbtgt_keyblock,
|
||||
krb5_pac *pac)
|
||||
{
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
krb5_error_code code;
|
||||
struct samba_kdc_entry *client_skdc_entry = NULL;
|
||||
struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
|
||||
struct samba_kdc_entry *server_skdc_entry = NULL;
|
||||
struct samba_kdc_entry *delegated_proxy_entry = NULL;
|
||||
krb5_principal delegated_proxy_principal = NULL;
|
||||
krb5_pac new_pac = NULL;
|
||||
bool is_in_db = false;
|
||||
bool is_trusted = false;
|
||||
uint32_t flags = SAMBA_KDC_FLAG_SKIP_PAC_BUFFER;
|
||||
|
||||
/* Create a memory context early so code can use talloc_stackframe() */
|
||||
tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
|
||||
if (tmp_ctx == NULL) {
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
if (client != NULL) {
|
||||
client_skdc_entry =
|
||||
talloc_get_type_abort(client->e_data,
|
||||
struct samba_kdc_entry);
|
||||
}
|
||||
|
||||
if (server == NULL) {
|
||||
code = EINVAL;
|
||||
goto done;
|
||||
}
|
||||
|
||||
server_skdc_entry =
|
||||
talloc_get_type_abort(server->e_data,
|
||||
struct samba_kdc_entry);
|
||||
|
||||
if (krbtgt == NULL) {
|
||||
code = EINVAL;
|
||||
goto done;
|
||||
}
|
||||
krbtgt_skdc_entry =
|
||||
talloc_get_type_abort(krbtgt->e_data,
|
||||
struct samba_kdc_entry);
|
||||
|
||||
code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
|
||||
&is_in_db,
|
||||
&is_trusted);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (is_trusted) {
|
||||
flags |= SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED;
|
||||
}
|
||||
|
||||
if (is_in_db) {
|
||||
flags |= SAMBA_KDC_FLAG_KRBTGT_IN_DB;
|
||||
|
||||
}
|
||||
|
||||
if (kdc_flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
|
||||
flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;
|
||||
}
|
||||
|
||||
if (kdc_flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
|
||||
flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION;
|
||||
delegated_proxy_entry = client_skdc_entry;
|
||||
delegated_proxy_principal = discard_const(client_principal);
|
||||
}
|
||||
|
||||
code = samba_kdc_verify_pac(tmp_ctx,
|
||||
context,
|
||||
flags,
|
||||
client_skdc_entry,
|
||||
krbtgt_skdc_entry,
|
||||
NULL /* device */,
|
||||
NULL /* device_pac */,
|
||||
*pac);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* Build an updated PAC */
|
||||
code = krb5_pac_init(context, &new_pac);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
code = samba_kdc_update_pac(tmp_ctx,
|
||||
context,
|
||||
krbtgt_skdc_entry->kdc_db_ctx->samdb,
|
||||
krbtgt_skdc_entry->kdc_db_ctx->lp_ctx,
|
||||
flags,
|
||||
krbtgt_skdc_entry,
|
||||
client_skdc_entry,
|
||||
server->princ,
|
||||
server_skdc_entry,
|
||||
delegated_proxy_principal,
|
||||
delegated_proxy_entry,
|
||||
NULL /* delegated_proxy_pac */,
|
||||
NULL /* device_krbtgt */,
|
||||
NULL /* device */,
|
||||
NULL /* device_pac */,
|
||||
*pac,
|
||||
new_pac,
|
||||
NULL /* server_audit_info_out */,
|
||||
NULL /* status_out */);
|
||||
if (code != 0) {
|
||||
krb5_pac_free(context, new_pac);
|
||||
if (code == ENOATTR) {
|
||||
krb5_pac_free(context, *pac);
|
||||
*pac = NULL;
|
||||
code = 0;
|
||||
}
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* We now replace the pac */
|
||||
krb5_pac_free(context, *pac);
|
||||
*pac = new_pac;
|
||||
|
||||
done:
|
||||
talloc_free(tmp_ctx);
|
||||
return code;
|
||||
}
|
||||
#else
|
||||
krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
|
||||
krb5_context context,
|
||||
int kdc_flags,
|
||||
@ -871,7 +707,6 @@ done:
|
||||
talloc_free(tmp_ctx);
|
||||
return code;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* provide header, function is exported but there are no public headers */
|
||||
|
||||
@ -957,9 +792,6 @@ int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
|
||||
const krb5_db_entry *server,
|
||||
krb5_const_principal target_principal)
|
||||
{
|
||||
#if KRB5_KDB_DAL_MAJOR_VERSION < 9
|
||||
return KRB5KDC_ERR_BADOPTION;
|
||||
#else
|
||||
struct samba_kdc_entry *server_skdc_entry =
|
||||
talloc_get_type_abort(server->e_data, struct samba_kdc_entry);
|
||||
krb5_error_code code;
|
||||
@ -970,7 +802,6 @@ int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
|
||||
target_principal);
|
||||
|
||||
return code;
|
||||
#endif
|
||||
}
|
||||
|
||||
krb5_error_code mit_samba_check_allowed_to_delegate_from(
|
||||
@ -980,9 +811,6 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from(
|
||||
krb5_pac header_pac,
|
||||
const krb5_db_entry *proxy)
|
||||
{
|
||||
#if KRB5_KDB_DAL_MAJOR_VERSION < 8
|
||||
return KRB5KDC_ERR_POLICY;
|
||||
#else
|
||||
struct samba_kdc_entry *proxy_skdc_entry =
|
||||
talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry);
|
||||
krb5_error_code code;
|
||||
@ -995,7 +823,6 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from(
|
||||
proxy_skdc_entry);
|
||||
|
||||
return code;
|
||||
#endif
|
||||
}
|
||||
|
||||
static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
|
||||
|
Loading…
Reference in New Issue
Block a user