
s4-auth/kerberos: Use FAST credentials for armor if specified in cli_credentials

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett 2023-11-20 14:12:19 +13:00
parent 0293d233bf
commit c49fd98ed7
3 changed files with 56 additions and 1 deletions


@ -726,7 +726,14 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
return ret; return ret;
} }
ret = kinit_to_ccache(cred, cred, (*ccc)->smb_krb5_context, event_ctx, (*ccc)->ccache, &obtained, error_string); ret = kinit_to_ccache(cred,
cred,
(*ccc)->smb_krb5_context,
lp_ctx,
event_ctx,
(*ccc)->ccache,
&obtained,
error_string);
if (ret) { if (ret) {
return ret; return ret;
} }


@ -23,6 +23,7 @@
krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx, krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
struct cli_credentials *credentials, struct cli_credentials *credentials,
struct smb_krb5_context *smb_krb5_context, struct smb_krb5_context *smb_krb5_context,
struct loadparm_context *lp_ctx,
struct tevent_context *event_ctx, struct tevent_context *event_ctx,
krb5_ccache ccache, krb5_ccache ccache,
enum credentials_obtained *obtained, enum credentials_obtained *obtained,


@ -238,6 +238,7 @@ done:
krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx, krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
struct cli_credentials *credentials, struct cli_credentials *credentials,
struct smb_krb5_context *smb_krb5_context, struct smb_krb5_context *smb_krb5_context,
struct loadparm_context *lp_ctx,
struct tevent_context *event_ctx, struct tevent_context *event_ctx,
krb5_ccache ccache, krb5_ccache ccache,
enum credentials_obtained *obtained, enum credentials_obtained *obtained,
@ -253,6 +254,7 @@ done:
int tries; int tries;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
krb5_get_init_creds_opt *krb_options; krb5_get_init_creds_opt *krb_options;
struct cli_credentials *fast_creds;
if (!mem_ctx) { if (!mem_ctx) {
(*error_string) = strerror(ENOMEM); (*error_string) = strerror(ENOMEM);
@ -325,6 +327,50 @@ done:
krb5_get_init_creds_opt_set_canonicalize(krb_options, true); krb5_get_init_creds_opt_set_canonicalize(krb_options, true);
#endif #endif
fast_creds = cli_credentials_get_krb5_fast_armor_credentials(credentials);
if (fast_creds != NULL) {
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_CCACHE
struct ccache_container *fast_ccc = NULL;
const char *fast_error_string = NULL;
ret = cli_credentials_get_ccache(fast_creds, event_ctx, lp_ctx, &fast_ccc, &fast_error_string);
if (ret != 0) {
(*error_string) = talloc_asprintf(credentials,
"Obtaining the Kerberos FAST armor credentials failed: %s\n",
fast_error_string);
return ret;
}
krb5_get_init_creds_opt_set_fast_ccache(smb_krb5_context->krb5_context,
krb_options,
fast_ccc->ccache);
#else
*error_string = talloc_strdup(credentials,
"Using Kerberos FAST "
"armor credentials not possible "
"with this Kerberos library. "
"Modern MIT or Samba's embedded "
"Heimdal required");
return EINVAL;
#endif
}
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS
{
bool require_fast;
/*
* This ensures that if FAST was required, that we proceed
* with no credentials cache, but with (eg) anonymous
* PKINIT
*/
require_fast = cli_credentials_get_krb5_require_fast_armor(credentials);
if (require_fast) {
krb5_get_init_creds_opt_set_fast_flags(smb_krb5_context->krb5_context,
krb_options,
KRB5_FAST_REQUIRED);
}
}
#endif
tries = 2; tries = 2;
while (tries--) { while (tries--) {
#ifdef SAMBA4_USES_HEIMDAL #ifdef SAMBA4_USES_HEIMDAL
@ -437,6 +483,7 @@ done:
ret = kinit_to_ccache(parent_ctx, ret = kinit_to_ccache(parent_ctx,
credentials, credentials,
smb_krb5_context, smb_krb5_context,
lp_ctx,
event_ctx, event_ctx,
ccache, obtained, ccache, obtained,
error_string); error_string);
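Review bot: The `HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS` block fails open: when `cli_credentials_get_krb5_require_fast_armor()` is true but the library lacks `krb5_get_init_creds_opt_set_fast_flags`, the requirement is silently dropped and the AS-REQ proceeds unarmored, whereas the armor-ccache case just above correctly returns `EINVAL` when the library cannot honour it; a "require" flag should fail closed with the same kind of error. Separately, the two new early returns (`return ret;` after the failed `cli_credentials_get_ccache()` and `return EINVAL;` in the `#else` branch) do not release `mem_ctx` from `talloc_new(parent_ctx)` or the already-built `krb_options`; the function's other error paths are outside the hunk, so mirror whatever cleanup they do (presumably `talloc_free(mem_ctx)` plus the options free) before returning. It is also worth a comment that supplying armor credentials without `require_fast` presumably still allows an unarmored fallback if the KDC does not offer FAST, so operators who expect armoring to be enforced need the require flag as well. The enclosing `kinit_to_ccache` body starts and ends outside this section.

```c
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS
	/* … unchanged: set KRB5_FAST_REQUIRED when require_fast … */
#else
	if (cli_credentials_get_krb5_require_fast_armor(credentials)) {
		*error_string = talloc_strdup(credentials,
					      "Requiring Kerberos FAST armor is "
					      "not possible with this Kerberos "
					      "library");
		talloc_free(mem_ctx);
		return EINVAL;
	}
#endif
```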