s4:kdc: split s4u2self and s4u2proxy checks
authorStefan Metzmacher <metze@samba.org>
Thu, 7 Apr 2011 09:16:55 +0000 (11:16 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 18 May 2011 05:46:44 +0000 (07:46 +0200)
metze

source4/kdc/db-glue.c
source4/kdc/db-glue.h
source4/kdc/hdb-samba4.c
source4/kdc/mit_samba.c

index 1d37be40206f62aa14331bfef8760c7b7403ffae..72262ac18b57234a254becaf276c4a0badcc4f77 100644 (file)
@@ -1535,14 +1535,12 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
 /* Check if a given entry may delegate or do s4u2self to this target principal
  *
  * This is currently a very nasty hack - allowing only delegation to itself.
- *
- * This is shared between the constrained delegation and S4U2Self code.
  */
 krb5_error_code
-samba_kdc_check_identical_client_and_server(krb5_context context,
-                                           struct samba_kdc_db_context *kdc_db_ctx,
-                                           hdb_entry_ex *entry,
-                                           krb5_const_principal target_principal)
+samba_kdc_check_s4u2self(krb5_context context,
+                        struct samba_kdc_db_context *kdc_db_ctx,
+                        hdb_entry_ex *entry,
+                        krb5_const_principal target_principal)
 {
        krb5_error_code ret;
        krb5_principal enterprise_prinicpal = NULL;
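Review bot: The header comment kept at the top of the hunk still describes the function as the shared check — `Check if a given entry may delegate or do s4u2self` — although after this split it is the S4U2Self check only, so it should read `/* Check if a given entry may do S4U2Self to this target principal. */` with the remaining "allowing only delegation to itself" sentence kept as the description of the restriction still enforced. The same stale wording survives in the renamed error message of the third hunk of this file (`request for delegation to enterprise principal with wrong (%d) number of components`), which now fires for an S4U2Self request and would be clearer as `request for S4U2Self to enterprise principal ...`. The hunks shown only rename the function and its talloc/error strings; the body of samba_kdc_check_s4u2self continues outside the hunk, so the check itself is presumably unchanged.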
@@ -1555,11 +1553,11 @@ samba_kdc_check_identical_client_and_server(krb5_context context,
                "objectSid", NULL
        };
 
-       TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_constrained_delegation");
+       TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_s4u2self");
 
        if (!mem_ctx) {
                ret = ENOMEM;
-               krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
+               krb5_set_error_message(context, ret, "samba_kdc_check_s4u2self: talloc_named() failed!");
                return ret;
        }
 
@@ -1567,7 +1565,7 @@ samba_kdc_check_identical_client_and_server(krb5_context context,
                /* Need to reparse the enterprise principal to find the real target */
                if (target_principal->name.name_string.len != 1) {
                        ret = KRB5_PARSE_MALFORMED;
-                       krb5_set_error_message(context, ret, "samba_kdc_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components",
+                       krb5_set_error_message(context, ret, "samba_kdc_check_s4u2self: request for delegation to enterprise principal with wrong (%d) number of components",
                                               target_principal->name.name_string.len);
                        talloc_free(mem_ctx);
                        return ret;
@@ -1659,6 +1657,19 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
        return ret;
 }
 
+/*
+ * Check if a given entry may delegate to this target principal
+ * with S4U2Proxy.
+ */
+krb5_error_code
+samba_kdc_check_s4u2proxy(krb5_context context,
+                         struct samba_kdc_db_context *kdc_db_ctx,
+                         hdb_entry_ex *entry,
+                         krb5_const_principal target_principal)
+{
+       return KRB5KDC_ERR_BADOPTION;
+}
+
 NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
                                struct samba_kdc_db_context **kdc_db_ctx_out)
 {
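Review bot: samba_kdc_check_s4u2proxy returns KRB5KDC_ERR_BADOPTION without looking at entry or target_principal, so from this commit on every S4U2Proxy (constrained delegation) request is refused — a fail-closed default that is sound, but neither the new comment nor the commit message says that this replaces the previous identical-client-and-server rule (visible in the hdb-samba4.c hunks, where hdb_check_constrained_delegation used to route to samba_kdc_check_identical_client_and_server and now routes here). The comment should state it, e.g. `/* Currently refuses all S4U2Proxy requests (fail closed): no delegation policy is evaluated yet, so constrained delegation is effectively disabled. */`, so a reader of the hook wiring does not assume the old rule still applies. The four parameters are intentionally unused in the stub, which will warn under -Wunused-parameter where it is enabled; a short note in the comment makes that intent explicit.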
index 4f1e06fa7a5f9d9d2f2616db451a58f1010ceec7..18d2c07de6224ac42dceec9f873040b434ca3fb1 100644 (file)
@@ -37,10 +37,10 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
                                  hdb_entry_ex *entry);
 
 krb5_error_code
-samba_kdc_check_identical_client_and_server(krb5_context context,
-                                           struct samba_kdc_db_context *kdc_db_ctx,
-                                           hdb_entry_ex *entry,
-                                           krb5_const_principal target_principal);
+samba_kdc_check_s4u2self(krb5_context context,
+                        struct samba_kdc_db_context *kdc_db_ctx,
+                        hdb_entry_ex *entry,
+                        krb5_const_principal target_principal);
 
 krb5_error_code
 samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
@@ -48,5 +48,11 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
                                    hdb_entry_ex *entry,
                                    krb5_const_principal certificate_principal);
 
+krb5_error_code
+samba_kdc_check_s4u2proxy(krb5_context context,
+                         struct samba_kdc_db_context *kdc_db_ctx,
+                         hdb_entry_ex *entry,
+                         krb5_const_principal target_principal);
+
 NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
                                struct samba_kdc_db_context **kdc_db_ctx_out);
index 8511b2f27ba25744b211fd68ab0af64d5a83b671..f82712e2b29fa6097c6c0ee3ecf8929b96cc3a2e 100644 (file)
@@ -121,7 +121,7 @@ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
 }
 
 static krb5_error_code
-hdb_samba4_check_identical_client_and_server(krb5_context context, HDB *db,
+hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
                                        hdb_entry_ex *entry,
                                        krb5_const_principal target_principal)
 {
@@ -130,9 +130,9 @@ hdb_samba4_check_identical_client_and_server(krb5_context context, HDB *db,
        kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
                                           struct samba_kdc_db_context);
 
-       return samba_kdc_check_identical_client_and_server(context, kdc_db_ctx,
-                                                          entry,
-                                                          target_principal);
+       return samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
+                                        entry,
+                                        target_principal);
 }
 
 static krb5_error_code
@@ -150,6 +150,21 @@ hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
                                                   certificate_principal);
 }
 
+static krb5_error_code
+hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
+                         hdb_entry_ex *entry,
+                         krb5_const_principal target_principal)
+{
+       struct samba_kdc_db_context *kdc_db_ctx;
+
+       kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
+                                          struct samba_kdc_db_context);
+
+       return samba_kdc_check_s4u2self(context, kdc_db_ctx,
+                                       entry,
+                                       target_principal);
+}
+
 /* This interface is to be called by the KDC and libnet_keytab_dump,
  * which is expecting Samba calling conventions.
  * It is also called by a wrapper (hdb_samba4_create) from the
@@ -197,9 +212,9 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
        (*db)->hdb_destroy = hdb_samba4_destroy;
 
        (*db)->hdb_auth_status = NULL;
-       (*db)->hdb_check_constrained_delegation = hdb_samba4_check_identical_client_and_server;
+       (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
        (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
-       (*db)->hdb_check_s4u2self = hdb_samba4_check_identical_client_and_server;
+       (*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self;
 
        return NT_STATUS_OK;
 }
index dcabe39db675b68af68a4441b3bfed16eb383485..50b5d1d292735f41227c8ccb1c6e0c3816eda9a9 100644 (file)
@@ -330,10 +330,10 @@ static int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
                return ret;
        }
 
-       ret = samba_kdc_check_identical_client_and_server(ctx->context,
-                                                         ctx->db_ctx,
-                                                         entry,
-                                                         target_principal);
+       ret = samba_kdc_check_s4u2proxy(ctx->context,
+                                       ctx->db_ctx,
+                                       entry,
+                                       target_principal);
 
        krb5_free_principal(ctx->context, target_principal);