#define KS_CLIENT_ACCESS(ks, cli, clin, srv, srvn, nbn, pwc, ptr) \
(ks)->fns->client_access((ks)->ctx, cli, clin, srv, srvn, nbn, pwc, ptr)
+#define KS_CHECK_S4U2PROXY(ks, ds, tn, ise) \
+ (ks)->fns->check_s4u2proxy((ks)->ctx, ds, tn, ise)
/* from kdb_samba_util.c */
const krb5_data *req_data,
krb5_data *rep_data)
{
+ struct ks_context *ks = GET_KS_CONTEXT(context);
kdb_check_allowed_to_delegate_req *req;
+ hdb_entry_ex *delegating_service;
+ char *target_name = NULL;
+ bool is_enterprise;
krb5_error_code code;
+ int error;
req = (kdb_check_allowed_to_delegate_req *)req_data->data;
- code = KRB5KDC_ERR_POLICY;
-
- /* TODO: there seem to be a bit of impedence mismatch between MIT and
- * Samba interfaces here.
- * In hdb-samba4 hdb_samba4_check_constrained_delegation() it seem that
- * it wants a target principal and client entry, while here we have
- * a target entry and the client's principal.
- * Need to investigate if that's because of the possible use of NT
- * ENTERPRISE PRICNIPAL's
- * Anyway, apparently, currently samba's interface seem not be able to
- * delegate but to one-self, so this can be revisited later */
-
-#if 0
- req->server; /* target entry ? */
- req->proxy; /* server principal (the client requesting the delegation ?) */
-#endif
+
+/*
+ * Names are quite odd and confusing in the current implementation.
+ * The following mappings should help understanding what is what.
+ * req->client -> client to impersonate
+ * req->server; -> delegating service
+ * req->proxy; -> target principal
+*/
+
+ delegating_service = (hdb_entry_ex *)req->server->e_data;
+
+ code = krb5_unparse_name(context, req->proxy, &target_name);
+ if (code) {
+ goto done;
+ }
+
+ is_enterprise = (req->proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
+
+ error = KS_CHECK_S4U2PROXY(ks, delegating_service,
+ target_name, is_enterprise);
+ code = ks_map_error(error);
+
+done:
+ free(target_name);
return code;
}
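Review bot: `delegating_service = (hdb_entry_ex *)req->server->e_data;` dereferences `req->server` without a NULL check and forwards a possibly-NULL `e_data` into the backend authorization call; if the KDB layer can hand this hook a request whose server entry is absent or was not populated by this module (not visible from the hunk), the check should fail closed rather than crash or pass a NULL entry, e.g. `if (req->server == NULL || req->server->e_data == NULL) { code = KRB5KDC_ERR_POLICY; goto done; }` before the cast. The removed unconditional `code = KRB5KDC_ERR_POLICY;` default is now replaced by `code = ks_map_error(error);`, so this delegation decision is only as fail-closed as that mapping — worth confirming it yields 0 only when the backend explicitly allowed the delegation and never for an unrecognised error value. As a point of style, the explanatory block comment is flush-left inside the function body and its closing `*/` is misaligned; indent it with the surrounding code. The function's signature begins outside the hunk.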
hdb_entry_ex *, const char *,
hdb_entry_ex *, const char *,
const char *, bool, DATA_BLOB *);
+ int (*check_s4u2proxy)(struct mit_samba_context *,
+ hdb_entry_ex *, const char *, bool);
};