s4:ntvfs/cifs: add option to use S4U2Proxy

Note: this doesn't work against a Samba4 KDC yet.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 22 18:17:43 CEST 2011 on sn-devel-104

diff --git a/source4/ntvfs/cifs/vfs_cifs.c b/source4/ntvfs/cifs/vfs_cifs.c
index 24dee76e46af9b9eb136ef7ca21f22c5c1b59304..91ca08d2de0b68b52d85058640bedb4c63b00e3f 100644 (file)
--- a/source4/ntvfs/cifs/vfs_cifs.c
+++ b/source4/ntvfs/cifs/vfs_cifs.c
@@ -99,10 +99,12 @@ NTSTATUS ntvfs_cifs_init(void);
 #define CIFS_DOMAIN            "cifs:domain"
 #define CIFS_SHARE             "cifs:share"
 #define CIFS_USE_MACHINE_ACCT  "cifs:use-machine-account"
+#define CIFS_USE_S4U2PROXY     "cifs:use-s4u2proxy"
 #define CIFS_MAP_GENERIC       "cifs:map-generic"
 #define CIFS_MAP_TRANS2                "cifs:map-trans2"
 
 #define CIFS_USE_MACHINE_ACCT_DEFAULT  false
+#define CIFS_USE_S4U2PROXY_DEFAULT     false
 #define CIFS_MAP_GENERIC_DEFAULT       false
 #define CIFS_MAP_TRANS2_DEFAULT                true
 
@@ -150,6 +152,7 @@ static NTSTATUS cvfs_connect(struct ntvfs_module_context *ntvfs,
 
        struct cli_credentials *credentials;
        bool machine_account;
+       bool s4u2proxy;
        const char* sharename;
 
        switch (tcon->generic.level) {
@@ -187,6 +190,7 @@ static NTSTATUS cvfs_connect(struct ntvfs_module_context *ntvfs,
        }
 
        machine_account = share_bool_option(scfg, CIFS_USE_MACHINE_ACCT, CIFS_USE_MACHINE_ACCT_DEFAULT);
+       s4u2proxy = share_bool_option(scfg, CIFS_USE_S4U2PROXY, CIFS_USE_S4U2PROXY_DEFAULT);
 
        p = talloc_zero(ntvfs, struct cvfs_private);
        if (!p) {
@@ -226,6 +230,51 @@ static NTSTATUS cvfs_connect(struct ntvfs_module_context *ntvfs,
        } else if (req->session_info->credentials) {
                DEBUG(5, ("CIFS backend: Using delegated credentials\n"));
                credentials = req->session_info->credentials;
+       } else if (s4u2proxy) {
+               struct ccache_container *ccc = NULL;
+               const char *err_str = NULL;
+               int ret;
+               char *impersonate_principal;
+               char *self_service;
+               char *target_service;
+
+               impersonate_principal = talloc_asprintf(req, "%s@%s",
+                                               req->session_info->info->account_name,
+                                               req->session_info->info->domain_name);
+
+               self_service = talloc_asprintf(req, "cifs/%s",
+                                              lpcfg_netbios_name(ntvfs->ctx->lp_ctx));
+
+               target_service = talloc_asprintf(req, "cifs/%s", host);
+
+               DEBUG(5, ("CIFS backend: Using S4U2Proxy credentials\n"));
+
+               credentials = cli_credentials_init(p);
+               cli_credentials_set_conf(credentials, ntvfs->ctx->lp_ctx);
+               if (domain) {
+                       cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
+               }
+               status = cli_credentials_set_machine_account(credentials, ntvfs->ctx->lp_ctx);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
+               }
+               cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+               cli_credentials_set_impersonate_principal(credentials,
+                                                         impersonate_principal,
+                                                         self_service);
+               cli_credentials_set_target_service(credentials, target_service);
+               ret = cli_credentials_get_ccache(credentials,
+                                                ntvfs->ctx->event_ctx,
+                                                ntvfs->ctx->lp_ctx,
+                                                &ccc,
+                                                &err_str);
+               if (ret != 0) {
+                       status = NT_STATUS_CROSSREALM_DELEGATION_FAILURE;
+                       DEBUG(1,("S4U2Proxy: cli_credentials_get_ccache() gave: ret[%d] str[%s] - %s\n",
+                               ret, err_str, nt_errstr(status)));
+                       return status;
+               }
+
        } else {
                DEBUG(1,("CIFS backend: NO delegated credentials found: You must supply server, user and password or the client must supply delegated credentials\n"));
                return NT_STATUS_INTERNAL_ERROR;