diff options
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 45 | ||||
-rw-r--r-- | source4/heimdal/kdc/windc.c | 5 | ||||
-rw-r--r-- | source4/heimdal/kdc/windc_plugin.h | 11 |
3 files changed, 41 insertions, 20 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index e4fdb144eb..f13da57e45 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -279,6 +279,7 @@ static krb5_error_code check_PAC(krb5_context context, krb5_kdc_configuration *config, const krb5_principal client_principal, + const krb5_principal delegated_proxy_principal, hdb_entry_ex *client, hdb_entry_ex *server, hdb_entry_ex *krbtgt, @@ -336,6 +337,7 @@ check_PAC(krb5_context context, } ret = _kdc_pac_verify(context, client_principal, + delegated_proxy_principal, client, server, krbtgt, &pac, &signed_pac); if (ret) { krb5_pac_free(context, pac); @@ -1479,9 +1481,9 @@ tgs_build_reply(krb5_context context, const struct sockaddr *from_addr) { krb5_error_code ret; - krb5_principal cp = NULL, sp = NULL, tp = NULL; + krb5_principal cp = NULL, sp = NULL, tp = NULL, dp = NULL; krb5_principal krbtgt_principal = NULL; - char *spn = NULL, *cpn = NULL, *tpn = NULL; + char *spn = NULL, *cpn = NULL, *tpn = NULL, *dpn = NULL; hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL; HDB *clientdb, *s4u2self_impersonated_clientdb; krb5_realm ref_realm = NULL; @@ -1802,7 +1804,7 @@ server_lookup: krb5_free_error_message(context, msg); } - ret = check_PAC(context, config, cp, + ret = check_PAC(context, config, cp, NULL, client, server, krbtgt, &tkey_check->key, &tkey_check->key, ekey, &tkey_sign->key, @@ -2029,12 +2031,23 @@ server_lookup: if (ret) goto out; + ret = _krb5_principalname2krb5_principal(context, + &dp, + t->sname, + t->realm); + if (ret) + goto out; + + ret = krb5_unparse_name(context, dp, &dpn); + if (ret) + goto out; + /* check that ticket is valid */ if (adtkt.flags.forwardable == 0) { kdc_log(context, config, 0, "Missing forwardable flag on ticket for " - "constrained delegation from %s as %s to %s ", - cpn, tpn, spn); + "constrained delegation from %s (%s) as %s to %s ", + cpn, dpn, tpn, spn); ret = KRB5KDC_ERR_BADOPTION; goto out; } @@ -2043,8 +2056,8 @@ server_lookup: client, server, sp); if (ret) { kdc_log(context, config, 0, - "constrained delegation from %s as %s to %s not allowed", - cpn, tpn, spn); + "constrained delegation from %s (%s) as %s to %s not allowed", + cpn, dpn, tpn, spn); goto out; } @@ -2060,7 +2073,7 @@ server_lookup: * TODO: pass in t->sname and t->realm and build * a S4U_DELEGATION_INFO blob to the PAC. */ - ret = check_PAC(context, config, tp, + ret = check_PAC(context, config, tp, dp, client, server, krbtgt, &clientkey->key, &tkey_check->key, ekey, &tkey_sign->key, @@ -2071,8 +2084,8 @@ server_lookup: const char *msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, "Verify delegated PAC failed to %s for client" - "%s as %s from %s with %s", - spn, cpn, tpn, from, msg); + "%s (%s) as %s from %s with %s", + spn, cpn, dpn, tpn, from, msg); krb5_free_error_message(context, msg); goto out; } @@ -2093,15 +2106,15 @@ server_lookup: const char *msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, "KRB5SignedPath check from service %s failed " - "for delegation to %s for client %s " + "for delegation to %s for client %s (%s)" "from %s failed with %s", - spn, tpn, cpn, from, msg); + spn, tpn, dpn, cpn, from, msg); krb5_free_error_message(context, msg); goto out; } kdc_log(context, config, 0, "constrained delegation for %s " - "from %s to %s", tpn, cpn, spn); + "from %s (%s) to %s", tpn, cpn, dpn, spn); } /* @@ -2198,7 +2211,9 @@ out: free(tpn); free(spn); free(cpn); - + if (dpn) + free(dpn); + krb5_data_free(&rspac); krb5_free_keyblock_contents(context, &sessionkey); if(krbtgt_out) @@ -2214,6 +2229,8 @@ out: krb5_free_principal(context, tp); if (cp) krb5_free_principal(context, cp); + if (dp) + krb5_free_principal(context, dp); if (sp) krb5_free_principal(context, sp); if (ref_realm) diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c index 6efbeee9dd..a58cebb8b2 100644 --- a/source4/heimdal/kdc/windc.c +++ b/source4/heimdal/kdc/windc.c @@ -84,6 +84,7 @@ _kdc_pac_generate(krb5_context context, krb5_error_code _kdc_pac_verify(krb5_context context, const krb5_principal client_principal, + const krb5_principal delegated_proxy_principal, hdb_entry_ex *client, hdb_entry_ex *server, hdb_entry_ex *krbtgt, @@ -96,7 +97,9 @@ _kdc_pac_verify(krb5_context context, return 0; ret = windcft->pac_verify(windcctx, context, - client_principal, client, server, krbtgt, pac); + client_principal, + delegated_proxy_principal, + client, server, krbtgt, pac); if (ret == 0) *verified = 1; return ret; diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h index 4755a5ea8f..b328e3ffb3 100644 --- a/source4/heimdal/kdc/windc_plugin.h +++ b/source4/heimdal/kdc/windc_plugin.h @@ -57,10 +57,11 @@ typedef krb5_error_code typedef krb5_error_code (*krb5plugin_windc_pac_verify)(void *, krb5_context, - const krb5_principal, - struct hdb_entry_ex *, - struct hdb_entry_ex *, - struct hdb_entry_ex *, + const krb5_principal, /* new ticket client */ + const krb5_principal, /* delegation proxy */ + struct hdb_entry_ex *,/* client */ + struct hdb_entry_ex *,/* server */ + struct hdb_entry_ex *,/* krbtgt */ krb5_pac *); typedef krb5_error_code @@ -72,7 +73,7 @@ typedef krb5_error_code KDC_REQ *, krb5_data *); -#define KRB5_WINDC_PLUGIN_MINOR 5 +#define KRB5_WINDC_PLUGIN_MINOR 6 #define KRB5_WINDC_PLUGING_MINOR KRB5_WINDC_PLUGIN_MINOR typedef struct krb5plugin_windc_ftable { |