kdc: check and regenerate the PAC in the s4u2proxy case
TODO: we need to add a S4U_DELEGATION_INFO to the PAC later.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>

committed by
Love Hörnquist Åstrand

parent
9ab4070800
commit
e54d07a9b6
@@ -2007,24 +2007,6 @@ server_lookup:
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* check that ticket is valid */
|
||||
if (adtkt.flags.forwardable == 0) {
|
||||
kdc_log(context, config, 0,
|
||||
"Missing forwardable flag on ticket for "
|
||||
"constrained delegation from %s to %s ", cpn, spn);
|
||||
ret = KRB5KDC_ERR_BADOPTION;
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = check_constrained_delegation(context, config, clientdb,
|
||||
client, sp);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 0,
|
||||
"constrained delegation from %s to %s not allowed",
|
||||
cpn, spn);
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = _krb5_principalname2krb5_principal(context,
|
||||
&tp,
|
||||
adtkt.cname,
|
||||
@@ -2036,11 +2018,54 @@ server_lookup:
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
/* check that ticket is valid */
|
||||
if (adtkt.flags.forwardable == 0) {
|
||||
kdc_log(context, config, 0,
|
||||
"Missing forwardable flag on ticket for "
|
||||
"constrained delegation from %s as %s to %s ",
|
||||
cpn, tpn, spn);
|
||||
ret = KRB5KDC_ERR_BADOPTION;
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = check_constrained_delegation(context, config, clientdb,
|
||||
client, sp);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 0,
|
||||
"constrained delegation from %s as %s to %s not allowed",
|
||||
cpn, tpn, spn);
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = verify_flags(context, config, &adtkt, tpn);
|
||||
if (ret) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
krb5_data_free(&rspac);
|
||||
/*
|
||||
* generate the PAC for the user.
|
||||
*
|
||||
* TODO: pass in t->sname and t->realm and build
|
||||
* a S4U_DELEGATION_INFO blob to the PAC.
|
||||
*/
|
||||
ret = check_PAC(context, config, tp,
|
||||
client, server, krbtgt,
|
||||
&clientkey->key, &tkey_check->key,
|
||||
ekey, &tkey_sign->key,
|
||||
&adtkt, &rspac, &ad_signedpath);
|
||||
if (ret == 0 && !ad_signedpath)
|
||||
ret = KRB5KDC_ERR_BADOPTION;
|
||||
if (ret) {
|
||||
const char *msg = krb5_get_error_message(context, ret);
|
||||
kdc_log(context, config, 0,
|
||||
"Verify delegated PAC failed to %s for client"
|
||||
"%s as %s from %s with %s",
|
||||
spn, cpn, tpn, from, msg);
|
||||
krb5_free_error_message(context, msg);
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check that the KDC issued the user's ticket.
|
||||
*/
|
||||
|
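Review bot: The failure log assembled from the two adjacent literals `"Verify delegated PAC failed to %s for client"` and `"%s as %s from %s with %s"` is missing a space, so the client name is glued to the word "client"; the first literal should end with `"for client "`. The `if (ret == 0 && !ad_signedpath)` test after check_PAC() is the check that rejects an evidence ticket carrying no KDC-verified PAC, so it only holds if ad_signedpath is zeroed before this call rather than carried over from the earlier TGT PAC verification — its declaration is outside the hunk, worth confirming. The comment `/* generate the PAC for the user. */` understates what matters here; I would spell out that check_PAC() is, as far as the arguments show, verifying the evidence ticket's PAC with the delegating service's key and the krbtgt key and re-signing it into rspac for the proxy ticket, which is why a PAC-less ticket must fail this step. The enclosing function continues past the end of the hunk.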