--- /dev/null
+/*
+ * Copyright (c) 2021 Andreas Schneider <asn@samba.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "lib/replace/replace.h"
+#include "lib/replace/system/kerberos.h"
+#include "lib/util/data_blob.h"
+#include "lib/util/debug.h"
+#include "lib/util/memory.h"
+
+#include <com_err.h>
+#include <kdb.h>
+#include <krb5/certauth_plugin.h>
+
+#include "source4/kdc/mit_samba.h"
+#include "kdb_samba.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
+static krb5_error_code samba_kdb_certauth_authorize(
+ krb5_context context,
+ krb5_certauth_moddata moddata,
+ const uint8_t *cert,
+ size_t cert_len,
+ krb5_const_principal princ,
+ const void *opts,
+ const krb5_db_entry *db_entry,
+ char ***authinds_out)
+{
+ struct mit_samba_context *mit_ctx = NULL;
+ krb5_error_code code;
+ char *principal = NULL;
+
+ mit_ctx = ks_get_context(context);
+ if (mit_ctx == NULL) {
+ return KRB5_PLUGIN_NO_HANDLE;
+ }
+
+ code = krb5_unparse_name(context, db_entry->princ, &principal);
+ if (code != 0) {
+ code = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
+ goto done;
+ }
+
+ DBG_INFO("XXX Doing certauth authorize for %s\n", principal);
+
+ /* TODO FIXME
+ * Parse the certificate to get the principal.
+ */
+
+ code = mit_samba_check_pkinit_ms_upn_match(mit_ctx,
+ db_entry,
+ princ);
+
+done:
+ SAFE_FREE(principal);
+ return code;
+}
+
+
+static krb5_error_code samba_kdb_certauth_init(
+ krb5_context kcontext,
+ krb5_certauth_moddata *moddata_out)
+{
+ DBG_INFO("Initialized samba kdb certauth plugin\n");
+
+ return 0;
+}
+
+static void samba_kdb_certauth_fini(krb5_context context,
+ krb5_certauth_moddata moddata)
+{
+ return;
+}
+
+static void samba_kdb_certauth_free_indicator(krb5_context context,
+ krb5_certauth_moddata moddata,
+ char **authinds)
+{
+ size_t i = 0;
+
+ if ((authinds == NULL) || (moddata == NULL)) {
+ return;
+ }
+
+ for (i = 0; authinds[i]; i++) {
+ SAFE_FREE(authinds[i]);
+ }
+
+ SAFE_FREE(authinds);
+}
+
+/* EXPORTED PUBLIC FUNCTION */
+krb5_error_code certauth_sambakdb_initvt(krb5_context context,
+ int maj_ver,
+ int min_ver,
+ krb5_plugin_vtable vtable);
+
+krb5_error_code certauth_sambakdb_initvt(krb5_context context,
+ int maj_ver,
+ int min_ver,
+ krb5_plugin_vtable vtable)
+{
+ krb5_certauth_vtable vt;
+
+ if (maj_ver != 1) {
+ return KRB5_PLUGIN_VER_NOTSUPP;
+ }
+
+ vt = (krb5_certauth_vtable) vtable;
+
+ vt->name = "sambakdb";
+ vt->authorize = samba_kdb_certauth_authorize;
+ vt->init = samba_kdb_certauth_init;
+ vt->fini = samba_kdb_certauth_fini;
+ vt->free_ind = samba_kdb_certauth_free_indicator;
+
+ return 0;
+}
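Review bot: In samba_kdb_certauth_authorize the `cert`/`cert_len` arguments are never read, so the decision rests entirely on `mit_samba_check_pkinit_ms_upn_match(mit_ctx, db_entry, princ)` — this module by itself does not tie the presented certificate to the principal, which the `XXX` log line and the `TODO FIXME` block acknowledge. If the intent for now is to rely on the KDC's built-in certauth SAN/EKU checks running alongside this module, a header comment stating that assumption (and the follow-up to parse the certificate here) would keep the next reader from treating a 0 return as a full certificate-to-principal binding; the log line should also lose its debug marker, e.g. `DBG_INFO("Doing certauth authorize for %s\n", principal);`. The `krb5_unparse_name` failure path replaces the original error with KRB5KDC_ERR_CERTIFICATE_MISMATCH, which is fail-closed but hides an allocation or encoding problem from the log, so consider logging `code` before overwriting it. Separately, samba_kdb_certauth_free_indicator returns early when `moddata == NULL`, yet samba_kdb_certauth_init never sets `*moddata_out`, so any indicator list a future authorize returns would leak; `if (authinds == NULL) {` is sufficient there.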