2025-02-04 17:47:26 +03:00 · 2011-06-20 21:23:45 +02:00 · 2011-06-20 21:23:45 +02:00 · e5378e600e
commit e5378e600e
parent b98428e630
1 changed files with 92 additions and 87 deletions
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@ -97,6 +97,10 @@
 	krb5_principal store_principal;
 	krb5_creds store_creds;
 	const char *self_service = target_service;
 	krb5_creds *s4u2self_creds;
 	krb5_principal self_princ;
 	krb5_ccache tmp_cc;
 	const char *self_realm;
 	/*
 	 * If we are not impersonating, then get this ticket for the
@ -116,106 +120,107 @@
 	store_principal = init_principal;
-	if (impersonate_principal) {
+	if (impersonate_principal == NULL) {
-		krb5_ccache tmp_cc;
+		goto store;
-		krb5_creds *s4u2self_creds;
+	}
 		krb5_principal self_princ;
 		const char *self_realm;
-		/*
+	/*
-		 * As we do not want to expose our TGT in the
+	 * We are trying S4U2Self now:
-		 * krb5_ccache, which is also holds the impersonated creds.
+	 *
-		 *
+	 * As we do not want to expose our TGT in the
-		 * Some low level krb5/gssapi function might use the TGT
+	 * krb5_ccache, which is also holds the impersonated creds.
-		 * identity and let the client act as our machine account.
+	 *
-		 *
+	 * Some low level krb5/gssapi function might use the TGT
-		 * We need to avoid that and use a temporary krb5_ccache
+	 * identity and let the client act as our machine account.
-		 * in order to pass our TGT to the krb5_get_creds() function.
+	 *
-		 */
+	 * We need to avoid that and use a temporary krb5_ccache
-		code = krb5_cc_new_unique(ctx, NULL, NULL, &tmp_cc);
+	 * in order to pass our TGT to the krb5_get_creds() function.
-		if (code != 0) {
+	 */
-			krb5_free_cred_contents(ctx, &store_creds);
+	code = krb5_cc_new_unique(ctx, NULL, NULL, &tmp_cc);
-			return code;
+	if (code != 0) {
 		}
 		code = krb5_cc_initialize(ctx, tmp_cc, store_creds.client);
 		if (code != 0) {
 			krb5_cc_destroy(ctx, tmp_cc);
 			krb5_free_cred_contents(ctx, &store_creds);
 			return code;
 		}
 		code = krb5_cc_store_cred(ctx, tmp_cc, &store_creds);
 		krb5_free_cred_contents(ctx, &store_creds);
-		if (code != 0) {
+		return code;
-			krb5_cc_destroy(ctx, tmp_cc);
+	}
 			return code;
 		}
-		/*
+	code = krb5_cc_initialize(ctx, tmp_cc, store_creds.client);
-		 * For S4U2Self we need our own service principal,
+	if (code != 0) {
-		 * which belongs to our own realm (available on
+		krb5_cc_destroy(ctx, tmp_cc);
-		 * our client principal.
+		krb5_free_cred_contents(ctx, &store_creds);
-		 */
+		return code;
-		self_realm = krb5_principal_get_realm(ctx, init_principal);
+	}
-		code = krb5_parse_name(ctx, self_service, &self_princ);
+	code = krb5_cc_store_cred(ctx, tmp_cc, &store_creds);
-		if (code != 0) {
+	krb5_free_cred_contents(ctx, &store_creds);
-			krb5_cc_destroy(ctx, tmp_cc);
+	if (code != 0) {
-			return code;
+		krb5_cc_destroy(ctx, tmp_cc);
-		}
+		return code;
 	}
-		code = krb5_principal_set_realm(ctx, self_princ, self_realm);
+	/*
-		if (code != 0) {
+	 * For S4U2Self we need our own service principal,
-			krb5_free_principal(ctx, self_princ);
+	 * which belongs to our own realm (available on
-			krb5_cc_destroy(ctx, tmp_cc);
+	 * our client principal).
-			return code;
+	 */
-		}
+	self_realm = krb5_principal_get_realm(ctx, init_principal);
-		code = krb5_get_creds_opt_alloc(ctx, &options);
+	code = krb5_parse_name(ctx, self_service, &self_princ);
-		if (code != 0) {
+	if (code != 0) {
-			krb5_free_principal(ctx, self_princ);
+		krb5_cc_destroy(ctx, tmp_cc);
-			krb5_cc_destroy(ctx, tmp_cc);
+		return code;
-			return code;
+	}
 		}
-		code = krb5_get_creds_opt_set_impersonate(ctx, options,
+	code = krb5_principal_set_realm(ctx, self_princ, self_realm);
-							  impersonate_principal);
+	if (code != 0) {
-		if (code != 0) {
+		krb5_free_principal(ctx, self_princ);
-			krb5_get_creds_opt_free(ctx, options);
+		krb5_cc_destroy(ctx, tmp_cc);
-			krb5_free_principal(ctx, self_princ);
+		return code;
-			krb5_cc_destroy(ctx, tmp_cc);
+	}
 			return code;
 		}
-		code = krb5_get_creds(ctx, options, tmp_cc,
+	code = krb5_get_creds_opt_alloc(ctx, &options);
-				      self_princ, &s4u2self_creds);
+	if (code != 0) {
 		krb5_free_principal(ctx, self_princ);
 		krb5_cc_destroy(ctx, tmp_cc);
 		return code;
 	}
 	code = krb5_get_creds_opt_set_impersonate(ctx, options,
 						  impersonate_principal);
 	if (code != 0) {
 		krb5_get_creds_opt_free(ctx, options);
 		krb5_free_principal(ctx, self_princ);
 		krb5_cc_destroy(ctx, tmp_cc);
-		if (code != 0) {
+		return code;
 			return code;
 		}
 		/*
 		 * Now make sure we store the impersonated principal
 		 * and creds instead of the TGT related stuff
 		 * in the krb5_ccache of the caller.
 		 */
 		code = krb5_copy_creds_contents(ctx, s4u2self_creds, &store_creds);
 		krb5_free_creds(ctx, s4u2self_creds);
 		if (code != 0) {
 			return code;
 		}
 		/*
 		 * It's important to store the principal the KDC
 		 * returned, as otherwise the caller would not find
 		 * the S4U2Self ticket in the krb5_ccache lookup.
 		 */
 		store_principal = store_creds.client;
 	}
 	code = krb5_get_creds(ctx, options, tmp_cc,
 			      self_princ, &s4u2self_creds);
 	krb5_get_creds_opt_free(ctx, options);
 	krb5_free_principal(ctx, self_princ);
 	krb5_cc_destroy(ctx, tmp_cc);
 	if (code != 0) {
 		return code;
 	}
 	/*
 	 * Now make sure we store the impersonated principal
 	 * and creds instead of the TGT related stuff
 	 * in the krb5_ccache of the caller.
 	 */
 	code = krb5_copy_creds_contents(ctx, s4u2self_creds,
 					&store_creds);
 	krb5_free_creds(ctx, s4u2self_creds);
 	if (code != 0) {
 		return code;
 	}
 	/*
 	 * It's important to store the principal the KDC
 	 * returned, as otherwise the caller would not find
 	 * the S4U2Self ticket in the krb5_ccache lookup.
 	 */
 	store_principal = store_creds.client;
 store:
 	code = krb5_cc_initialize(ctx, store_cc, store_principal);
 	if (code != 0) {
 		krb5_free_cred_contents(ctx, &store_creds);