summaryrefslogtreecommitdiffstats
path: root/src/providers
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2012-10-18 16:14:40 +0200
committerJakub Hrozek <jhrozek@redhat.com>2012-11-05 00:14:05 +0100
commitc0680269167475aa9172b20d13ec3ace721a37ff (patch)
treeee3034c1e7a3479e59963c0fc5c5b4bccf00eda0 /src/providers
parent74254ab3c4d6b9ca63488245bc88db7cf7689084 (diff)
downloadsssd-c0680269167475aa9172b20d13ec3ace721a37ff.tar.gz
sssd-c0680269167475aa9172b20d13ec3ace721a37ff.tar.xz
sssd-c0680269167475aa9172b20d13ec3ace721a37ff.zip
krb5_auth: check if principal belongs to a different realm
Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/krb5/krb5_auth.c7
-rw-r--r--src/providers/krb5/krb5_auth.h1
-rw-r--r--src/providers/krb5/krb5_common.c31
-rw-r--r--src/providers/krb5/krb5_common.h4
4 files changed, 43 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index c98535b1d..72f0711eb 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -427,6 +427,13 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
DEBUG(1, ("krb5_get_simple_upn failed.\n"));
goto done;
}
+ } else {
+ ret = compare_principal_realm(kr->upn, realm,
+ &kr->upn_from_different_realm);
+ if (ret != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("compare_principal_realm failed.\n"));
+ goto done;
+ }
}
kr->homedir = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_HOMEDIR,
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index cc079ba93..a23b8b47d 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -54,6 +54,7 @@ struct krb5child_req {
bool active_ccache_present;
bool valid_tgt_present;
bool run_as_user;
+ bool upn_from_different_realm;
};
errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 006dac1ce..45f126f7b 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -881,3 +881,34 @@ errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
*_upn = upn;
return EOK;
}
+
+errno_t compare_principal_realm(const char *upn, const char *realm,
+ bool *different_realm)
+{
+ size_t upn_len;
+ size_t realm_len;
+ char *at_sign;
+
+ if (upn == NULL || realm == NULL || different_realm == NULL) {
+ return EINVAL;
+ }
+
+ upn_len = strlen(upn);
+ realm_len = strlen(realm);
+ at_sign = strchr(upn, '@');
+
+ /* if coming from the same realm the upn must be at least the size of the
+ * realm plus 1 for the '@' char. */
+ if (upn_len == 0 || realm_len == 0 || upn_len <= realm_len + 1 ||
+ at_sign == NULL) {
+ return EINVAL;
+ }
+
+ if (strcmp(realm, at_sign + 1) == 0) {
+ *different_realm = false;
+ } else {
+ *different_realm = true;
+ }
+
+ return EOK;
+}
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 51bd26773..bc63bf983 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -177,6 +177,10 @@ errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm);
errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
const char *username, const char **_upn);
+errno_t compare_principal_realm(const char *upn, const char *realm,
+ bool *different_realm);
+
+
int sssm_krb5_auth_init(struct be_ctx *bectx,
struct bet_ops **ops,
void **pvt_auth_data);