mit_samba: Implement s4u2proxy delegation
authorSimo Sorce <idra@samba.org>
Mon, 1 Feb 2010 21:56:36 +0000 (16:56 -0500)
committerSimo Sorce <idra@samba.org>
Tue, 1 Feb 2011 15:25:36 +0000 (10:25 -0500)
src/plugins/kdb/samba/kdb_samba.h
src/plugins/kdb/samba/kdb_samba_policies.c
src/plugins/kdb/samba/mit_samba_interface.h

index 2def9218475ebeba87ccccfe9506f62c8be07c59..aebfb35c57a6edac27199bb1e8b34b044aa6c564 100644 (file)
@@ -96,6 +96,8 @@ struct ks_context {
 
 #define KS_CLIENT_ACCESS(ks, cli, clin, srv, srvn, nbn, pwc, ptr) \
     (ks)->fns->client_access((ks)->ctx, cli, clin, srv, srvn, nbn, pwc, ptr)
+#define KS_CHECK_S4U2PROXY(ks, ds, tn, ise) \
+    (ks)->fns->check_s4u2proxy((ks)->ctx, ds, tn, ise)
 
 /* from kdb_samba_util.c */
 
index 239f77bcff560567ae1546f183f3401e01702139..ee9891e04fa7fbc168729d10eeb82e2ee532ddad 100644 (file)
@@ -44,26 +44,39 @@ ks_db_check_allowed_to_delegate(krb5_context context,
                                 const krb5_data *req_data,
                                 krb5_data *rep_data)
 {
+    struct ks_context *ks = GET_KS_CONTEXT(context);
     kdb_check_allowed_to_delegate_req *req;
+    hdb_entry_ex *delegating_service;
+    char *target_name = NULL;
+    bool is_enterprise;
     krb5_error_code code;
+    int error;
 
     req = (kdb_check_allowed_to_delegate_req *)req_data->data;
-    code = KRB5KDC_ERR_POLICY;
-
-    /* TODO: there seem to be a bit of impedence mismatch between MIT and
-     * Samba interfaces here.
-     * In hdb-samba4 hdb_samba4_check_constrained_delegation() it seem that
-     * it wants a target principal and client entry, while here we have
-     * a target entry and the client's principal.
-     * Need to investigate if that's because of the possible use of NT
-     * ENTERPRISE PRICNIPAL's
-     * Anyway, apparently, currently samba's interface seem not be able to
-     * delegate but to one-self, so this can be revisited later */
-
-#if 0
-    req->server; /* target entry ? */
-    req->proxy; /* server principal (the client requesting the delegation ?) */
-#endif
+
+/*
+ *  Names are quite odd and confusing in the current implementation.
+ *  The following mappings should help understanding what is what.
+ *  req->client ->  client to impersonate
+ *  req->server; -> delegating service
+ *  req->proxy; -> target principal
+*/
+
+    delegating_service = (hdb_entry_ex *)req->server->e_data;
+
+    code = krb5_unparse_name(context, req->proxy, &target_name);
+    if (code) {
+        goto done;
+    }
+
+    is_enterprise = (req->proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
+
+    error = KS_CHECK_S4U2PROXY(ks, delegating_service,
+                               target_name, is_enterprise);
+    code = ks_map_error(error);
+
+done:
+    free(target_name);
     return code;
 }
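Review bot: `req->server->e_data` is cast and handed to the Samba hook with no check on the line `delegating_service = (hdb_entry_ex *)req->server->e_data;`; if the KDC can reach this policy hook with a server entry that carries no plugin-private data, the cast yields a NULL `delegating_service` (or the dereference of `req->server` itself faults), so a guard such as `if (req->server == NULL || req->server->e_data == NULL) { code = KRB5KDC_ERR_POLICY; goto done; }` preserves the deny-by-default result the removed code returned unconditionally. The name obtained from `krb5_unparse_name` is released with plain `free()` under the `done:` label; the paired API call is `krb5_free_unparsed_name(context, target_name);`, which also keeps the allocator consistent with the library that handed out the buffer. Whether a denial from `check_s4u2proxy` comes back through `ks_map_error` as `KRB5KDC_ERR_POLICY` is not visible here and is worth confirming, since that is the code the KDC's s4u2proxy path reports to the requester. The name-mapping comment block sits at column 0 inside the function body and keeps the stray semicolons (`req->server;`, `req->proxy;`) copied from the deleted `#if 0` block; indenting it with the body and dropping the semicolons would make it read as the explanatory comment it is. The signature of `ks_db_check_allowed_to_delegate` begins outside the hunk.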
 
index f03d61e8e7c137040ab2215cd6059f9476f8db4e..9b0da99e2cbb8a1d184d58061f1765442e1783ad 100644 (file)
@@ -54,4 +54,6 @@ struct mit_samba_function_table {
                          hdb_entry_ex *, const char *,
                          hdb_entry_ex *, const char *,
                          const char *, bool, DATA_BLOB *);
+    int (*check_s4u2proxy)(struct mit_samba_context *,
+                           hdb_entry_ex *, const char *, bool);
 };
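Review bot: The new `check_s4u2proxy` member documents neither what its positional arguments mean nor its return convention, and the sibling caller shows the order is not guessable (delegating service entry, then the *target* principal as an unparsed name, then whether that name is in NT-ENTERPRISE form). A short comment above the declaration, such as `/* s4u2proxy policy: may the delegating service (entry) obtain a ticket to the target principal (unparsed name; is_enterprise set for NT-ENTERPRISE names)? Returns 0 to allow, non-zero to deny; the caller maps the code with ks_map_error(). */`, would let implementers on the Samba side match the KDC's expectations without reading kdb_samba_policies.c. The return-value semantics are inferred from the caller's `code = ks_map_error(error);` and should be confirmed against the Samba implementation before being written down. The enclosing `struct mit_samba_function_table` starts outside the hunk.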