1 files changed, 92 insertions, 0 deletions

diff --git a/server/util/sss_krb5.c b/server/util/sss_krb5.c
index e96e1ba42..0bc25df17 100644
--- a/server/util/sss_krb5.c
+++ b/server/util/sss_krb5.c
@@ -19,9 +19,11 @@
 */
 #include <stdio.h>
 #include <errno.h>
+#include <talloc.h>
 
 #include "config.h"
 
+#include "util/util.h"
 #include "util/sss_krb5.h"
 
 
@@ -102,3 +104,93 @@ void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name)
     }
 #endif
 }
+
+
+krb5_error_code check_for_valid_tgt(const char *ccname, const char *realm,
+                                    const char *client_princ_str, bool *result)
+{
+    krb5_context context = NULL;
+    krb5_ccache ccache = NULL;
+    krb5_error_code krberr;
+    TALLOC_CTX *tmp_ctx = NULL;
+    krb5_creds mcred;
+    krb5_creds cred;
+    char *server_name = NULL;
+    krb5_principal client_principal = NULL;
+    krb5_principal server_principal = NULL;
+
+    *result = false;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(1, ("talloc_new failed.\n"));
+        return ENOMEM;
+    }
+
+    krberr = krb5_init_context(&context);
+    if (krberr) {
+        DEBUG(1, ("Failed to init kerberos context\n"));
+        goto done;
+    }
+
+    krberr = krb5_cc_resolve(context, ccname, &ccache);
+    if (krberr != 0) {
+        DEBUG(1, ("krb5_cc_resolve failed.\n"));
+        goto done;
+    }
+
+    server_name = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s", realm, realm);
+    if (server_name == NULL) {
+        DEBUG(1, ("talloc_asprintf failed.\n"));
+        goto done;
+    }
+
+    krberr = krb5_parse_name(context, server_name, &server_principal);
+    if (krberr != 0) {
+        DEBUG(1, ("krb5_parse_name failed.\n"));
+        goto done;
+    }
+
+    krberr = krb5_parse_name(context, client_princ_str, &client_principal);
+    if (krberr != 0) {
+        DEBUG(1, ("krb5_parse_name failed.\n"));
+        goto done;
+    }
+
+    memset(&mcred, 0, sizeof(mcred));
+    memset(&cred, 0, sizeof(mcred));
+    mcred.client = client_principal;
+    mcred.server = server_principal;
+
+    krberr = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
+    if (krberr != 0) {
+        DEBUG(1, ("krb5_cc_retrieve_cred failed.\n"));
+        krberr = 0;
+        goto done;
+    }
+
+    DEBUG(7, ("TGT end time [%d].\n", cred.times.endtime));
+
+    if (cred.times.endtime > time(NULL)) {
+        DEBUG(3, ("TGT is valid.\n"));
+        *result = true;
+    }
+    krb5_free_cred_contents(context, &cred);
+
+    krberr = 0;
+
+done:
+    if (client_principal != NULL) {
+        krb5_free_principal(context, client_principal);
+    }
+    if (server_principal != NULL) {
+        krb5_free_principal(context, server_principal);
+    }
+    if (ccache != NULL) {
+        krb5_cc_close(context, ccache);
+    }
+    if (context != NULL) krb5_free_context(context);
+    talloc_free(tmp_ctx);
+    return krberr;
+}
+