author | Alexander Bokovoy <abokovoy@redhat.com> | 2013-09-28 21:49:57 +0200 |
committer | Martin Kosek <mkosek@redhat.com> | 2013-10-04 10:25:31 +0200 |
commit | 749111e6c2dfbb288c864a6cd2f5ac228f30bec1 (patch) | |
tree | c791878bec8766d2e259cafff70591b893d56f1b /daemons/ipa-kdb/ipa_kdb_mspac.c | |
parent | 0ab40cdf6b354e8b760f604f2f94cf3c2292217e (diff) | |
download | freeipa-749111e6c2dfbb288c864a6cd2f5ac228f30bec1.tar.gz freeipa-749111e6c2dfbb288c864a6cd2f5ac228f30bec1.tar.xz freeipa-749111e6c2dfbb288c864a6cd2f5ac228f30bec1.zip |
KDC: implement transition check for trusted domains
When a client principal requests a ticket for a server principal
and we have to perform transition, check that all three belong to either
our domain or the domains we trust through forest trusts.
In case all three realms (client, transition, and server) match
trusted domains and our domain, issue permission to transition from client
realm to server realm.
Part of https://fedorahosted.org/freeipa/ticket/3909
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_mspac.c')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 08b55af54..e20de3662 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2490,3 +2490,66 @@ done:
     ldap_msgfree(result);
     return kerr;
 }
+
+krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
+                                             const krb5_data *tr_contents,
+                                             const krb5_data *client_realm,
+                                             const krb5_data *server_realm)
+{
+    struct ipadb_context *ipactx;
+    bool has_transited_contents, has_client_realm, has_server_realm;
+    int i;
+    krb5_error_code ret;
+
+    ipactx = ipadb_get_context(kcontext);
+    if (!ipactx || !ipactx->mspac) {
+        return KRB5_KDB_DBNOTINITED;
+    }
+
+    has_transited_contents = false;
+    has_client_realm = false;
+    has_server_realm = false;
+
+    /* First, compare client or server realm with ours */
+    if (strncasecmp(client_realm->data, ipactx->realm, client_realm->length) == 0) {
+        has_client_realm = true;
+    }
+    if (strncasecmp(server_realm->data, ipactx->realm, server_realm->length) == 0) {
+        has_server_realm = true;
+    }
+
+    if ((tr_contents->length == 0) || (tr_contents->data[0] == '\0')) {
+        /* For in-realm case allow transition */
+        if (has_client_realm && has_server_realm) {
+            return 0;
+        }
+        /* Since transited realm is empty, we don't need to check for it, it is a direct trust case */
+        has_transited_contents = true;
+    }
+
+    if (!ipactx->mspac || !ipactx->mspac->trusts) {
+        return KRB5_PLUGIN_NO_HANDLE;
+    }
+
+    /* Iterate through list of trusts and check if any of input belongs to any of the trust */
+    for(i=0; i < ipactx->mspac->num_trusts ; i++) {
+        if (!has_transited_contents &&
+            (strncasecmp(tr_contents->data, ipactx->mspac->trusts[i].domain_name, tr_contents->length) == 0)) {
+            has_transited_contents = true;
+        }
+        if (!has_client_realm &&
+            (strncasecmp(client_realm->data, ipactx->mspac->trusts[i].domain_name, client_realm->length) == 0)) {
+            has_client_realm = true;
+        }
+        if (!has_server_realm &&
+            (strncasecmp(server_realm->data, ipactx->mspac->trusts[i].domain_name, server_realm->length) == 0)) {
+            has_server_realm = true;
+        }
+    }
+
+    ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
+    if (has_client_realm && has_transited_contents && has_server_realm) {
+        ret = 0;
+    }
+    return ret;
+}
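Review bot: Every realm comparison in the new function is a prefix match rather than an equality test: `strncasecmp(client_realm->data, ipactx->realm, client_realm->length)` bounds the comparison by the krb5_data length only, so a client, server or transited realm whose name is a proper prefix of our realm or of a trusted `domain_name` (a constructed example: `EXAMPLE` against `EXAMPLE.COM`) compares equal and is accepted as trusted; the server-realm check and all three checks inside the trust loop have the same shape. Because `krb5_data` is not NUL-terminated, the comparison must also require the lengths to match, which a small static helper keeps readable across the five call sites. The `!ipactx->mspac` test before the loop repeats the one made right after `ipadb_get_context`, so only `trusts` needs checking there. It is also worth a comment that `tr_contents` is compared as if it held a single realm name, since the Kerberos transited field can carry several realms in its compressed encoding; if treating it as one name is intended, say so at the top of the function. The whole function lies inside the hunk.
```c
/* Equality (not prefix) test between a krb5_data realm name and a C string;
 * krb5_data is not NUL-terminated, so the lengths must agree as well. */
static bool ipadb_realm_name_equals(const krb5_data *realm, const char *name)
{
    size_t len = strlen(name);

    if (realm->length != len) {
        return false;
    }
    return strncasecmp(realm->data, name, len) == 0;
}

/* … unchanged: declarations and ipadb_get_context() check … */
    if (ipadb_realm_name_equals(client_realm, ipactx->realm)) {
        has_client_realm = true;
    }
    if (ipadb_realm_name_equals(server_realm, ipactx->realm)) {
        has_server_realm = true;
    }
/* … unchanged: empty-transited handling … */
    if (!ipactx->mspac->trusts) {
        return KRB5_PLUGIN_NO_HANDLE;
    }
/* … unchanged: loop header … */
        if (!has_transited_contents &&
            ipadb_realm_name_equals(tr_contents, ipactx->mspac->trusts[i].domain_name)) {
            has_transited_contents = true;
        }
/* … unchanged: client/server checks use the same helper; result selection … */
```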