source: trunk/server/source4/auth/kerberos/kerberos.c

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago

Samba Server: updated trunk to 3.6.0
File size: 5.0 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3 kerberos utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Nalin Dahyabhai 2004.
7 Copyright (C) Jeremy Allison 2004.
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22*/
23
24#include "includes.h"
25#include "system/kerberos.h"
26#include "auth/kerberos/kerberos.h"
27
28#ifdef HAVE_KRB5
29
30/*
31 simulate a kinit, putting the tgt in the given credentials cache.
32 Orignally by remus@snapserver.com
33
34 This version is built to use a keyblock, rather than needing the
35 original password.
36
37 The impersonate_principal is the principal if NULL, or the principal to impersonate
38
39 The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self)
40*/
41 krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
42 krb5_principal principal, krb5_keyblock *keyblock,
43 const char *target_service,
44 krb5_get_init_creds_opt *krb_options,
45 time_t *expire_time, time_t *kdc_time)
46{
47 krb5_error_code code = 0;
48 krb5_creds my_creds;
49
50 if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock,
51 0, target_service, krb_options))) {
52 return code;
53 }
54
55 if ((code = krb5_cc_initialize(ctx, cc, principal))) {
56 krb5_free_cred_contents(ctx, &my_creds);
57 return code;
58 }
59
60 if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
61 krb5_free_cred_contents(ctx, &my_creds);
62 return code;
63 }
64
65 if (expire_time) {
66 *expire_time = (time_t) my_creds.times.endtime;
67 }
68
69 if (kdc_time) {
70 *kdc_time = (time_t) my_creds.times.starttime;
71 }
72
73 krb5_free_cred_contents(ctx, &my_creds);
74
75 return 0;
76}
77
78/*
79 simulate a kinit, putting the tgt in the given credentials cache.
80 Orignally by remus@snapserver.com
81
82 The impersonate_principal is the principal if NULL, or the principal to impersonate
83
84 The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self)
85
86*/
87 krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
88 krb5_principal principal, const char *password,
89 krb5_principal impersonate_principal, const char *target_service,
90 krb5_get_init_creds_opt *krb_options,
91 time_t *expire_time, time_t *kdc_time)
92{
93 krb5_error_code code = 0;
94 krb5_creds my_creds;
95 krb5_creds *impersonate_creds;
96 krb5_get_creds_opt options;
97
98 /* If we are not impersonating, then get this ticket for the
99 * target service, otherwise a krbtgt, and get the next ticket
100 * for the target */
101 if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password,
102 NULL, NULL,
103 0,
104 impersonate_principal ? NULL : target_service,
105 krb_options))) {
106 return code;
107 }
108
109 if ((code = krb5_cc_initialize(ctx, cc, principal))) {
110 krb5_free_cred_contents(ctx, &my_creds);
111 return code;
112 }
113
114 if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
115 krb5_free_cred_contents(ctx, &my_creds);
116 return code;
117 }
118
119 if (expire_time) {
120 *expire_time = (time_t) my_creds.times.endtime;
121 }
122
123 if (kdc_time) {
124 *kdc_time = (time_t) my_creds.times.starttime;
125 }
126
127 krb5_free_cred_contents(ctx, &my_creds);
128
129 if (code == 0 && impersonate_principal) {
130 krb5_principal target_princ;
131 if ((code = krb5_get_creds_opt_alloc(ctx, &options))) {
132 return code;
133 }
134
135 if ((code = krb5_get_creds_opt_set_impersonate(ctx, options, impersonate_principal))) {
136 krb5_get_creds_opt_free(ctx, options);
137 return code;
138 }
139
140 if ((code = krb5_parse_name(ctx, target_service, &target_princ))) {
141 krb5_get_creds_opt_free(ctx, options);
142 return code;
143 }
144
145 if ((code = krb5_principal_set_realm(ctx, target_princ, krb5_principal_get_realm(ctx, principal)))) {
146 krb5_get_creds_opt_free(ctx, options);
147 krb5_free_principal(ctx, target_princ);
148 return code;
149 }
150
151 if ((code = krb5_get_creds(ctx, options, cc, target_princ, &impersonate_creds))) {
152 krb5_free_principal(ctx, target_princ);
153 krb5_get_creds_opt_free(ctx, options);
154 return code;
155 }
156
157 krb5_free_principal(ctx, target_princ);
158
159 code = krb5_cc_store_cred(ctx, cc, impersonate_creds);
160 krb5_get_creds_opt_free(ctx, options);
161 krb5_free_creds(ctx, impersonate_creds);
162 }
163
164 return 0;
165}
166
167
168#endif
Note: See TracBrowser for help on using the repository browser.