2 Unix SMB/CIFS implementation.
3 kerberos utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Nalin Dahyabhai 2004.
7 Copyright (C) Jeremy Allison 2004.
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "system/kerberos.h"
26 #include "auth/kerberos/kerberos.h"
31 simulate a kinit, putting the tgt in the given credentials cache.
32 Orignally by remus@snapserver.com
34 This version is built to use a keyblock, rather than needing the
37 The impersonate_principal is the principal if NULL, or the principal to impersonate
39 The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self)
41 krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
42 krb5_principal principal, krb5_keyblock *keyblock,
43 const char *target_service,
44 time_t *expire_time, time_t *kdc_time)
46 krb5_error_code code = 0;
48 krb5_get_init_creds_opt *options;
50 if ((code = krb5_get_init_creds_opt_alloc(ctx, &options))) {
54 krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, options);
56 if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock,
57 0, target_service, options))) {
61 if ((code = krb5_cc_initialize(ctx, cc, principal))) {
62 krb5_get_init_creds_opt_free(ctx, options);
63 krb5_free_cred_contents(ctx, &my_creds);
67 if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
68 krb5_get_init_creds_opt_free(ctx, options);
69 krb5_free_cred_contents(ctx, &my_creds);
74 *expire_time = (time_t) my_creds.times.endtime;
78 *kdc_time = (time_t) my_creds.times.starttime;
81 krb5_get_init_creds_opt_free(ctx, options);
82 krb5_free_cred_contents(ctx, &my_creds);
88 simulate a kinit, putting the tgt in the given credentials cache.
89 Orignally by remus@snapserver.com
91 The impersonate_principal is the principal if NULL, or the principal to impersonate
93 The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self)
96 krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
97 krb5_principal principal, const char *password,
98 krb5_principal impersonate_principal, const char *target_service,
99 time_t *expire_time, time_t *kdc_time)
101 krb5_error_code code = 0;
103 krb5_creds *impersonate_creds;
104 krb5_get_init_creds_opt *init_options;
105 krb5_get_creds_opt options;
107 if ((code = krb5_get_init_creds_opt_alloc(ctx, &init_options))) {
111 krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, init_options);
113 /* If we are not impersonating, then get this ticket for the
114 * target service, otherwise a krbtgt, and get the next ticket
116 if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password,
119 impersonate_principal ? NULL : target_service,
121 krb5_get_init_creds_opt_free(ctx, init_options);
125 if ((code = krb5_cc_initialize(ctx, cc, principal))) {
126 krb5_get_init_creds_opt_free(ctx, init_options);
127 krb5_free_cred_contents(ctx, &my_creds);
131 if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
132 krb5_get_init_creds_opt_free(ctx, init_options);
133 krb5_free_cred_contents(ctx, &my_creds);
138 *expire_time = (time_t) my_creds.times.endtime;
142 *kdc_time = (time_t) my_creds.times.starttime;
145 krb5_get_init_creds_opt_free(ctx, init_options);
146 krb5_free_cred_contents(ctx, &my_creds);
148 if (code == 0 && impersonate_principal) {
149 krb5_principal target_princ;
150 if ((code = krb5_get_creds_opt_alloc(ctx, &options))) {
154 if ((code = krb5_get_creds_opt_set_impersonate(ctx, options, impersonate_principal))) {
155 krb5_get_creds_opt_free(ctx, options);
159 if ((code = krb5_parse_name(ctx, target_service, &target_princ))) {
160 krb5_get_creds_opt_free(ctx, options);
164 if ((code = krb5_principal_set_realm(ctx, target_princ, krb5_principal_get_realm(ctx, principal)))) {
165 krb5_get_creds_opt_free(ctx, options);
166 krb5_free_principal(ctx, target_princ);
170 if ((code = krb5_get_creds(ctx, options, cc, target_princ, &impersonate_creds))) {
171 krb5_free_principal(ctx, target_princ);
172 krb5_get_creds_opt_free(ctx, options);
176 krb5_free_principal(ctx, target_princ);
178 code = krb5_cc_store_cred(ctx, cc, impersonate_creds);
179 krb5_get_creds_opt_free(ctx, options);
180 krb5_free_creds(ctx, impersonate_creds);