author | Sam Hartman <hartmans@mit.edu> | 2006-09-21 01:48:50 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 2006-09-21 01:48:50 +0000 |
commit | 25860eac35980ab0d8d786fe1d06ced26a04d2db (patch) | |
tree | 74e4b87fee38208ea1378bb6868c009964e9cf3f /src/include/krb5 | |
parent | b2239415f139c8822715180716e41b4f9606232e (diff) | |
Set the canonicalize flag in TGS requests and accept cross-realm referral tickets.
We do not yet accept tickets in which the server name changes.
* krb5_sname_to_principal: If there is no domain realm mapping return null realm
* krb5_get_cred_via_tkt: New behavior as described below
1) the referrals case:
- check for TGT for initial realm
- if a remote realm was specified (which must have happened via a
domain_realm mapping), obtain a TGT for it the standard way and
start with that.
- use client realm for server if not specified
- iterate through this loop:
- request ticket with referrals turned on
- if that fails:
- if this was the first request, punt to non-referrals case
- otherwise, retry once without referrals turned on then terminate
either way
- if it works, either use the service ticket or follow the referral path
- if loop count exceeded, hardfail
2) the nonreferrals case
- this is mostly the old walk_realm_tree TGT-finding (which allows
limited shortcut referrals per 4120) followed by a standard tgs-req.
- originally requested principal is used for this, although if we were
handed something without a realm, determine a fallback realm based on
DNS TXT records or a truncation of the domain name.
ticket: 2652
Owner: amb
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18598 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/krb5')
-rw-r--r-- | src/include/krb5/krb5.hin | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 23f93c7a9b..418a21c0a4 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -260,6 +260,16 @@ typedef const krb5_principal_data *krb5_const_principal; : NULL) /* + * Constants for realm referrals. + */ +#define KRB5_REFERRAL_REALM "" + +/* + * Referral-specific functions. + */ +krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(krb5_data *); + +/* * end "base-defs.h" */ @@ -554,6 +564,9 @@ krb5_error_code KRB5_CALLCONV #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID 26 #define KRB5_KEYUSAGE_PA_SAM_RESPONSE 27 +/* Defined in KDC referrals draft */ +#define KRB5_KEYUSAGE_PA_REFERRAL 26 /* XXX note conflict with above */ + krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype (krb5_enctype ktype); krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype @@ -690,7 +703,7 @@ krb5_error_code krb5_decrypt_data /* #define KDC_OPT_RESERVED 0x00080000 */ /* #define KDC_OPT_RESERVED 0x00040000 */ #define KDC_OPT_REQUEST_ANONYMOUS 0x00020000 -/* #define KDC_OPT_RESERVED 0x00010000 */ +#define KDC_OPT_CANONICALIZE 0x00010000 /* #define KDC_OPT_RESERVED 0x00008000 */ /* #define KDC_OPT_RESERVED 0x00004000 */ /* #define KDC_OPT_RESERVED 0x00002000 */ @@ -873,7 +886,8 @@ krb5_error_code krb5_decrypt_data #define KRB5_PADATA_SAM_RESPONSE 13 /* draft challenge system response */ #define KRB5_PADATA_PK_AS_REQ 14 /* PKINIT */ #define KRB5_PADATA_PK_AS_REP 15 /* PKINIT */ -#define KRB5_PADATA_ETYPE_INFO2 19 +#define KRB5_PADATA_ETYPE_INFO2 19 +#define KRB5_PADATA_REFERRAL 25 /* draft referral system */ #define KRB5_PADATA_SAM_CHALLENGE_2 30 /* draft challenge system, updated */ #define KRB5_PADATA_SAM_RESPONSE_2 31 /* draft challenge system, updated */ 
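Review bot: The new prototype `krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(krb5_data *);` takes a non-const pointer for what its name suggests is a pure predicate, and neither it nor `KRB5_REFERRAL_REALM` carries a comment saying what an empty realm means. Per the commit message, krb5_sname_to_principal now emits this empty realm whenever no domain_realm mapping exists, so every consumer of a principal must know that a "" realm is a request for the KDC to choose, not a literal realm name, and that belongs in the header next to the define. I would declare it as `krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *);` and put above the define a comment such as `/* An empty realm name asks the KDC to pick the realm via referrals; never treat it as a literal realm when comparing or authorizing principals. */`. If the implementation does modify its argument, the non-const signature should say why.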
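Review bot: `#define KRB5_KEYUSAGE_PA_REFERRAL 26` reuses the value already assigned to `KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID` two lines above, and the `XXX` acknowledges the clash but the header still ships both. Key usage numbers are the RFC 3961 domain separator between different protected messages under the same key; two consumers sharing one value means a ciphertext or checksum produced for the SAM trackid could be accepted as referral PA-data, or vice versa, wherever the same key is in play. Until the referrals draft's number is confirmed I would either leave the define out or make the blocker explicit, e.g. `#define KRB5_KEYUSAGE_PA_REFERRAL 26 /* XXX collides with KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID; key usages must be unique (RFC 3961) - do not use until resolved */`. Whether any code in this commit already encrypts under this usage is not visible from the header.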
@@ -2242,6 +2256,10 @@ krb5_error_code KRB5_CALLCONV krb5_get_host_realm (krb5_context, const char *, char *** ); +krb5_error_code KRB5_CALLCONV krb5_get_fallback_host_realm + (krb5_context, + krb5_data *, + char *** ); krb5_error_code KRB5_CALLCONV krb5_free_host_realm (krb5_context, char * const * ); |
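Review bot: The `krb5_get_fallback_host_realm` prototype carries no comment on its contract: what the `krb5_data *` argument is (presumably the host name, going by the commit message), whether the input is left unmodified (in which case `const krb5_data *` is the tighter signature), and how the `char ***` result is released, presumably with the `krb5_free_host_realm` declared just below it. The commit message says the fallback is computed from DNS TXT records or by truncating the domain name; that is an unauthenticated source, and a caller that uses the result to decide which KDC to talk to should know it is a guess rather than a configured mapping. I would add above the prototype a comment along the lines of `/* Guess a realm for a host with no domain_realm mapping, from DNS TXT (if enabled) or the domain suffix; the result is unauthenticated and is freed with krb5_free_host_realm. */`. The DNS path is inferred from the commit message only; the lookup logic itself is not in this hunk.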