Split normal kinit from s4u2 flavored kinit
authorSimo Sorce <idra@samba.org>
Thu, 26 Apr 2012 16:06:24 +0000 (12:06 -0400)
committerSimo Sorce <idra@samba.org>
Thu, 26 Apr 2012 23:07:56 +0000 (19:07 -0400)
This makes it simpler to slowly integrate MIT support and also amkes it
somewhat clearer what operation is really requested.
The 24u2 part is really only used by the cifs proxy code so we can temporarily
disable it in the MIT build w/o major consequences.

lib/krb5_wrap/krb5_samba.c
lib/krb5_wrap/krb5_samba.h
source4/auth/kerberos/kerberos_util.c

index e629da8223534d2ab8eb0e73950ecd661eedc136..0a4302dd6949061c5068d6f98c6bf5579075d007 100644 (file)
@@ -1643,12 +1643,54 @@ done:
        return code;
 }
 
        return code;
 }
 
+krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
+                                          krb5_principal principal,
+                                          const char *password,
+                                          const char *target_service,
+                                          krb5_get_init_creds_opt *krb_options,
+                                          time_t *expire_time,
+                                          time_t *kdc_time)
+{
+       krb5_error_code code = 0;
+       krb5_creds my_creds;
+
+       code = krb5_get_init_creds_password(ctx, &my_creds, principal,
+                                           password, NULL, NULL, 0,
+                                           target_service, krb_options);
+       if (code) {
+               return code;
+       }
+
+       code = krb5_cc_initialize(ctx, cc, principal);
+       if (code) {
+               goto done;
+       }
+
+       code = krb5_cc_store_cred(ctx, cc, &my_creds);
+       if (code) {
+               goto done;
+       }
+
+       if (expire_time) {
+               *expire_time = (time_t) my_creds.times.endtime;
+       }
+
+       if (kdc_time) {
+               *kdc_time = (time_t) my_creds.times.starttime;
+       }
+
+       code = 0;
+done:
+       krb5_free_cred_contents(ctx, &my_creds);
+       return code;
+}
+
+#ifdef SAMBA4_USES_HEIMDAL
 /*
   simulate a kinit, putting the tgt in the given credentials cache.
   Orignally by remus@snapserver.com
 
 /*
   simulate a kinit, putting the tgt in the given credentials cache.
   Orignally by remus@snapserver.com
 
-  The impersonate_principal is the principal if NULL, or the principal to
-  impersonate
+  The impersonate_principal is the principal
 
   The self_service, should be the local service (for S4U2Self if
   impersonate_principal is given).
 
   The self_service, should be the local service (for S4U2Self if
   impersonate_principal is given).
@@ -1657,16 +1699,16 @@ done:
   kpasswd/realm or a remote service (for S4U2Proxy)
 
 */
   kpasswd/realm or a remote service (for S4U2Proxy)
 
 */
-krb5_error_code kerberos_kinit_password_cc(krb5_context ctx,
-                                          krb5_ccache store_cc,
-                                          krb5_principal init_principal,
-                                          const char *init_password,
-                                          krb5_principal impersonate_principal,
-                                          const char *self_service,
-                                          const char *target_service,
-                                          krb5_get_init_creds_opt *krb_options,
-                                          time_t *expire_time,
-                                          time_t *kdc_time)
+krb5_error_code kerberos_kinit_s4u2_cc(krb5_context ctx,
+                                       krb5_ccache store_cc,
+                                       krb5_principal init_principal,
+                                       const char *init_password,
+                                       krb5_principal impersonate_principal,
+                                       const char *self_service,
+                                       const char *target_service,
+                                       krb5_get_init_creds_opt *krb_options,
+                                       time_t *expire_time,
+                                       time_t *kdc_time)
 {
        krb5_error_code code = 0;
        krb5_get_creds_opt options;
 {
        krb5_error_code code = 0;
        krb5_get_creds_opt options;
@@ -1684,21 +1726,12 @@ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx,
        krb5_principal blacklist_principal = NULL;
        krb5_principal whitelist_principal = NULL;
 
        krb5_principal blacklist_principal = NULL;
        krb5_principal whitelist_principal = NULL;
 
-       if (impersonate_principal && self_service == NULL) {
-               return EINVAL;
-       }
-
-       /*
-        * If we are not impersonating, then get this ticket for the
-        * target service, otherwise a krbtgt, and get the next ticket
-        * for the target
-        */
        code = krb5_get_init_creds_password(ctx, &store_creds,
                                            init_principal,
                                            init_password,
                                            NULL, NULL,
                                            0,
        code = krb5_get_init_creds_password(ctx, &store_creds,
                                            init_principal,
                                            init_password,
                                            NULL, NULL,
                                            0,
-                                           impersonate_principal ? NULL : target_service,
+                                           impersonate_principal,
                                            krb_options);
        if (code != 0) {
                return code;
                                            krb_options);
        if (code != 0) {
                return code;
@@ -1706,10 +1739,6 @@ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx,
 
        store_principal = init_principal;
 
 
        store_principal = init_principal;
 
-       if (impersonate_principal == NULL) {
-               goto store;
-       }
-
        /*
         * We are trying S4U2Self now:
         *
        /*
         * We are trying S4U2Self now:
         *
@@ -2037,6 +2066,7 @@ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx,
 
        return 0;
 }
 
        return 0;
 }
+#endif
 
 /*
  * smb_krb5_principal_get_realm
 
 /*
  * smb_krb5_principal_get_realm
index d235563a7b243e64acabc9653c6a18da3c1b7664..864cda67bb90c391d10d65d7165546380118cb8e 100644 (file)
@@ -206,15 +206,25 @@ krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
                                           time_t *expire_time,
                                           time_t *kdc_time);
 krb5_error_code kerberos_kinit_password_cc(krb5_context ctx,
                                           time_t *expire_time,
                                           time_t *kdc_time);
 krb5_error_code kerberos_kinit_password_cc(krb5_context ctx,
-                                          krb5_ccache store_cc,
-                                          krb5_principal init_principal,
-                                          const char *init_password,
-                                          krb5_principal impersonate_principal,
-                                          const char *self_service,
+                                          krb5_ccache cc,
+                                          krb5_principal principal,
+                                          const char *password,
                                           const char *target_service,
                                           krb5_get_init_creds_opt *krb_options,
                                           time_t *expire_time,
                                           time_t *kdc_time);
                                           const char *target_service,
                                           krb5_get_init_creds_opt *krb_options,
                                           time_t *expire_time,
                                           time_t *kdc_time);
+#ifdef SAMBA4_USES_HEIMDAL
+krb5_error_code kerberos_kinit_s4u2_cc(krb5_context ctx,
+                                       krb5_ccache store_cc,
+                                       krb5_principal init_principal,
+                                       const char *init_password,
+                                       krb5_principal impersonate_principal,
+                                       const char *self_service,
+                                       const char *target_service,
+                                       krb5_get_init_creds_opt *krb_options,
+                                       time_t *expire_time,
+                                       time_t *kdc_time);
+#endif
 char *smb_krb5_principal_get_realm(krb5_context context,
                                   krb5_principal principal);
 
 char *smb_krb5_principal_get_realm(krb5_context context,
                                   krb5_principal principal);
 
index 9933ca84c798da4a30a2e521c26ea8c9a3fae33d..31a8405a7ff0635cd036ec76a22b2327851f888d 100644 (file)
@@ -232,13 +232,27 @@ static krb5_error_code impersonate_principal_from_credentials(
                }
 #endif
                if (password) {
                }
 #endif
                if (password) {
-                       ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache, 
-                                                        princ, password,
-                                                        impersonate_principal,
-                                                        self_service,
-                                                        target_service,
-                                                        krb_options,
-                                                        NULL, &kdc_time);
+                       if (impersonate_principal) {
+#ifdef SAMBA4_USES_HEIMDAL
+                               ret = kerberos_kinit_s4u2_cc(
+                                               smb_krb5_context->krb5_context,
+                                               ccache, princ, password,
+                                               impersonate_principal,
+                                               self_service, target_service,
+                                               krb_options, NULL, &kdc_time);
+#else
+                               talloc_free(mem_ctx);
+                               (*error_string) = "INTERNAL error: s4u2 ops "
+                                       "are not supported with MIT build yet";
+                               return EINVAL;
+#endif
+                       } else {
+                               ret = kerberos_kinit_password_cc(
+                                               smb_krb5_context->krb5_context,
+                                               ccache, princ, password,
+                                               target_service,
+                                               krb_options, NULL, &kdc_time);
+                       }
                } else if (impersonate_principal) {
                        talloc_free(mem_ctx);
                        (*error_string) = "INTERNAL error: Cannot impersonate principal with just a keyblock.  A password must be specified in the credentials";
                } else if (impersonate_principal) {
                        talloc_free(mem_ctx);
                        (*error_string) = "INTERNAL error: Cannot impersonate principal with just a keyblock.  A password must be specified in the credentials";