kdc: check and regenerate the PAC in the s4u2proxy case
TODO: we still need to add an S4U_DELEGATION_INFO buffer to the PAC later.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>

committed by
Love Hörnquist Åstrand

parent
9ab4070800
commit
e54d07a9b6
@@ -2007,24 +2007,6 @@ server_lookup:
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* check that ticket is valid */
|
|
||||||
if (adtkt.flags.forwardable == 0) {
|
|
||||||
kdc_log(context, config, 0,
|
|
||||||
"Missing forwardable flag on ticket for "
|
|
||||||
"constrained delegation from %s to %s ", cpn, spn);
|
|
||||||
ret = KRB5KDC_ERR_BADOPTION;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = check_constrained_delegation(context, config, clientdb,
|
|
||||||
client, sp);
|
|
||||||
if (ret) {
|
|
||||||
kdc_log(context, config, 0,
|
|
||||||
"constrained delegation from %s to %s not allowed",
|
|
||||||
cpn, spn);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = _krb5_principalname2krb5_principal(context,
|
ret = _krb5_principalname2krb5_principal(context,
|
||||||
&tp,
|
&tp,
|
||||||
adtkt.cname,
|
adtkt.cname,
|
||||||
@@ -2036,11 +2018,54 @@ server_lookup:
|
|||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
|
/* check that ticket is valid */
|
||||||
|
if (adtkt.flags.forwardable == 0) {
|
||||||
|
kdc_log(context, config, 0,
|
||||||
|
"Missing forwardable flag on ticket for "
|
||||||
|
"constrained delegation from %s as %s to %s ",
|
||||||
|
cpn, tpn, spn);
|
||||||
|
ret = KRB5KDC_ERR_BADOPTION;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = check_constrained_delegation(context, config, clientdb,
|
||||||
|
client, sp);
|
||||||
|
if (ret) {
|
||||||
|
kdc_log(context, config, 0,
|
||||||
|
"constrained delegation from %s as %s to %s not allowed",
|
||||||
|
cpn, tpn, spn);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
ret = verify_flags(context, config, &adtkt, tpn);
|
ret = verify_flags(context, config, &adtkt, tpn);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
krb5_data_free(&rspac);
|
||||||
|
/*
|
||||||
|
* generate the PAC for the user.
|
||||||
|
*
|
||||||
|
* TODO: pass in t->sname and t->realm and build
|
||||||
|
* a S4U_DELEGATION_INFO blob to the PAC.
|
||||||
|
*/
|
||||||
|
ret = check_PAC(context, config, tp,
|
||||||
|
client, server, krbtgt,
|
||||||
|
&clientkey->key, &tkey_check->key,
|
||||||
|
ekey, &tkey_sign->key,
|
||||||
|
&adtkt, &rspac, &ad_signedpath);
|
||||||
|
if (ret == 0 && !ad_signedpath)
|
||||||
|
ret = KRB5KDC_ERR_BADOPTION;
|
||||||
|
if (ret) {
|
||||||
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
|
kdc_log(context, config, 0,
|
||||||
|
"Verify delegated PAC failed to %s for client"
|
||||||
|
"%s as %s from %s with %s",
|
||||||
|
spn, cpn, tpn, from, msg);
|
||||||
|
krb5_free_error_message(context, msg);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Check that the KDC issued the user's ticket.
|
* Check that the KDC issued the user's ticket.
|
||||||
*/
|
*/
|
||||||
|
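Review bot: The new log message built from `"Verify delegated PAC failed to %s for client" "%s as %s from %s with %s"` is missing a space between the two concatenated literals, so the client principal is glued onto the word "client" in the KDC log; the first literal should read `"Verify delegated PAC failed to %s for client "`. Requiring `ad_signedpath` before the delegated PAC is accepted is the right guard, but mapping it to `KRB5KDC_ERR_BADOPTION` and reusing the generic verification message means an operator cannot distinguish a bad PAC signature from an evidence ticket that simply lacks the signed path; a dedicated `kdc_log` line for the `!ad_signedpath` case would keep the audit trail unambiguous. Note also that `check_PAC` receives the delegating service's `client` entry while the PAC under verification belongs to the impersonated principal `tp` taken from `adtkt.cname`; `check_PAC` is not part of this diff, so confirm that it validates the PAC identity against `tp` and verifies the evidence ticket's server and KDC checksums with the keys passed here, otherwise the re-signed PAC could assert a different identity than the ticket is issued for. The enclosing function begins before the first hunk and continues past the last one.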