author | Stefan Metzmacher <metze@samba.org> | 2011-06-24 11:53:37 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2011-06-24 18:53:48 +0200 |
commit | 7229b0d5b2515cc4d487b80f77dc532104aa68d3 (patch) | |
tree | 7f46176603c8949e4c956d82ff5066e59135df48 | |
parent | b96efe069bd0a8d67c8d787a96415f8b02205462 (diff) | |
HEIMDAL:kdc: pass down the server hdb_entry_ex to check_constrained_delegation()
This way we can compare the already canonicalized principals,
while still passing the client-specified target principal down
to the backend-specific constrained_delegation() hook.
metze
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 24 |
1 files changed, 19 insertions, 5 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 16f8434a5c..14db1f1412 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -505,18 +505,32 @@ check_constrained_delegation(krb5_context context, krb5_kdc_configuration *config, HDB *clientdb, hdb_entry_ex *client, - krb5_const_principal server) + hdb_entry_ex *server, + krb5_const_principal target) { const HDB_Ext_Constrained_delegation_acl *acl; krb5_error_code ret; int i; + /* + * constrained_delegation (S4U2Proxy) only works within + * the same realm. We use the already canonicalized version + * of the principals here, while "target" is the principal + * provided by the client. + */ + if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) { + ret = KRB5KDC_ERR_BADOPTION; + kdc_log(context, config, 0, + "Bad request for constrained delegation"); + return ret; + } + /* if client delegates to itself, that ok */ - if (krb5_principal_compare(context, client->entry.principal, server) == TRUE) + if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE) return 0; if (clientdb->hdb_check_constrained_delegation) { - ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server); + ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target); if (ret == 0) return 0; } else { @@ -528,7 +542,7 @@ check_constrained_delegation(krb5_context context, if (acl) { for (i = 0; i < acl->len; i++) { - if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE) + if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE) return 0; } } @@ -2026,7 +2040,7 @@ server_lookup: } ret = check_constrained_delegation(context, config, clientdb, - client, sp); + client, server, sp); if (ret) { kdc_log(context, config, 0, "constrained delegation from %s as %s to %s not allowed", |
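Review bot: The realm-mismatch rejection added at the top of check_constrained_delegation logs only `"Bad request for constrained delegation"`, so in the KDC log it cannot be told apart from the generic denial the caller already emits when ret is non-zero (third hunk, "constrained delegation from %s as %s to %s not allowed"). Stating the reason, e.g. `"Bad request for constrained delegation: client and server are in different realms"`, would let an operator distinguish a cross-realm S4U2Proxy attempt from an ACL denial when reviewing the log. The new `if(!krb5_realm_compare(` also lacks the space after `if` that the other checks in this hunk use. The body of check_constrained_delegation continues past the end of the first hunk.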