This also adds a cli_credentials_get_self_service() helper function.
In order to support S4U2Proxy we need to be able to set
the service principal for the S4U2Self step independent of the
target principal.
metze
cred->principal = NULL;
cred->salt_principal = NULL;
cred->impersonate_principal = NULL;
+ cred->self_service = NULL;
cred->target_service = NULL;
cred->bind_dn = NULL;
const char *principal;
char *salt_principal;
char *impersonate_principal;
+ char *self_service;
char *target_service;
const char *bind_dn;
void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
enum credentials_obtained obtained);
void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal);
-void cli_credentials_set_impersonate_principal(struct cli_credentials *cred, const char *principal);
+void cli_credentials_set_impersonate_principal(struct cli_credentials *cred,
+ const char *principal,
+ const char *self_service);
void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal);
const char *cli_credentials_get_salt_principal(struct cli_credentials *cred);
const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
+const char *cli_credentials_get_self_service(struct cli_credentials *cred);
const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
* member of the domain to get the groups of a user. This is also
* known as S4U2Self */
-const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred)
+_PUBLIC_ const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred)
{
return cred->impersonate_principal;
}
-_PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials *cred, const char *principal)
+/*
+ * The 'self_service' is the service principal that
+ * represents the same object (by its objectSid)
+ * as the client principal (typically our machine account).
+ * When trying to impersonate 'impersonate_principal' with
+ * S4U2Self.
+ */
+_PUBLIC_ const char *cli_credentials_get_self_service(struct cli_credentials *cred)
+{
+ return cred->self_service;
+}
+
+_PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials *cred,
+ const char *principal,
+ const char *self_service)
{
talloc_free(cred->impersonate_principal);
cred->impersonate_principal = talloc_strdup(cred, principal);
+ talloc_free(cred->self_service);
+ cred->self_service = talloc_strdup(cred, self_service);
}
-/* when impersonating for S4U2Self we need to set the target principal
- * to ourself, as otherwise we would need additional rights.
+/*
+ * when impersonating for S4U2proxy we need to set the target principal.
* Similarly, we may only be authorized to do general impersonation to
* some particular services.
*
const char **error_string)
{
krb5_error_code ret;
- const char *password, *target_service;
+ const char *password;
+ const char *self_service;
+ const char *target_service;
time_t kdc_time = 0;
krb5_principal princ;
krb5_principal impersonate_principal;
return ret;
}
+ self_service = cli_credentials_get_self_service(credentials);
target_service = cli_credentials_get_target_service(credentials);
password = cli_credentials_get_password(credentials);
if (password) {
ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache,
princ, password,
- impersonate_principal, target_service,
+ impersonate_principal,
+ self_service,
krb_options,
NULL, &kdc_time);
} else if (impersonate_principal) {
/* Wipe out any existing ccache */
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
- cli_credentials_set_target_service(credentials, talloc_asprintf(tmp_ctx, "host/%s", test_machine_name));
- cli_credentials_set_impersonate_principal(credentials, cli_credentials_get_principal(cmdline_credentials, tmp_ctx));
+ cli_credentials_set_impersonate_principal(credentials,
+ cli_credentials_get_principal(cmdline_credentials, tmp_ctx),
+ talloc_asprintf(tmp_ctx, "host/%s", test_machine_name));
status = gensec_client_start(tctx, &gensec_client_context, tctx->ev,
lpcfg_gensec_settings(tctx, tctx->lp_ctx));
/* Don't pollute the remaining tests with the changed credentials */
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
cli_credentials_set_target_service(credentials, NULL);
- cli_credentials_set_impersonate_principal(credentials, NULL);
+ cli_credentials_set_impersonate_principal(credentials, NULL, NULL);
/* Extract the PAC using Samba's code */