s4:kdc Add functions to hdb-samba4 for the new s4u2self callback.

For now, this shares the 'if it's the same host' system with the
constrained delegation code.

Andrew Bartlett

source4/kdc/db-glue.c

@@ -1403,15 +1403,17 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
 	return samba_kdc_seq(context, kdc_db_ctx, entry);
 }
 
-/* Check if a given entry may delegate to this target principal
+/* Check if a given entry may delegate or do s4u2self to this target principal
  *
  * This is currently a very nasty hack - allowing only delegation to itself.
+ *
+ * This is shared between the constrained delegation and S4U2Self code.
  */
 krb5_error_code
-samba_kdc_check_constrained_delegation(krb5_context context,
-				       struct samba_kdc_db_context *kdc_db_ctx,
-					hdb_entry_ex *entry,
-					krb5_const_principal target_principal)
+samba_kdc_check_identical_client_and_server(krb5_context context,
+					    struct samba_kdc_db_context *kdc_db_ctx,
+					    hdb_entry_ex *entry,
+					    krb5_const_principal target_principal)
 {
 	krb5_error_code ret;
 	krb5_principal enterprise_prinicpal = NULL;

source4/kdc/db-glue.h

@@ -36,10 +36,10 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
 				  hdb_entry_ex *entry);
 
 krb5_error_code
-samba_kdc_check_constrained_delegation(krb5_context context,
-				       struct samba_kdc_db_context *kdc_db_ctx,
-				       hdb_entry_ex *entry,
-		    		       krb5_const_principal target_principal);
+samba_kdc_check_identical_client_and_server(krb5_context context,
+					    struct samba_kdc_db_context *kdc_db_ctx,
+					    hdb_entry_ex *entry,
+					    krb5_const_principal target_principal);
 
 krb5_error_code
 samba_kdc_check_pkinit_ms_upn_match(krb5_context context,

source4/kdc/hdb-samba4.c

@@ -134,7 +134,7 @@ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
 }
 
 static krb5_error_code
-hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
+hdb_samba4_check_identical_client_and_server(krb5_context context, HDB *db,
 					hdb_entry_ex *entry,
 					krb5_const_principal target_principal)
 {
@@ -143,9 +143,9 @@ hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
 	kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 					   struct samba_kdc_db_context);
 
-	return samba_kdc_check_constrained_delegation(context, kdc_db_ctx,
-						      entry,
-						      target_principal);
+	return samba_kdc_check_identical_client_and_server(context, kdc_db_ctx,
+							   entry,
+							   target_principal);
 }
 
 static krb5_error_code
@@ -251,8 +251,9 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
 	(*db)->hdb_destroy = hdb_samba4_destroy;
 
 	(*db)->hdb_auth_status = NULL;
-	(*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
+	(*db)->hdb_check_constrained_delegation = hdb_samba4_check_identical_client_and_server;
 	(*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
+	(*db)->hdb_check_s4u2self = hdb_samba4_check_identical_client_and_server;
 
 	return NT_STATUS_OK;
 }

source4/kdc/mit_samba.c

@@ -351,10 +351,10 @@ static int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
 		return ret;
 	}
 
-	ret = samba_kdc_check_constrained_delegation(ctx->context,
-						     ctx->db_ctx,
-						     entry,
-						     target_principal);
+	ret = samba_kdc_check_identical_client_and_server(ctx->context,
+							  ctx->db_ctx,
+							  entry,
+							  target_principal);
 
 	krb5_free_principal(ctx->context, target_principal);