From: Stefan Metzmacher Date: Tue, 5 Mar 2024 13:41:39 +0000 (+0100) Subject: auth/gensec: add gensec_kerberos_possible() helper X-Git-Tag: tdb-1.4.11~850 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=996fd13949b9c4aa842971520a6a6d3059559caa;p=thirdparty%2Fsamba.git auth/gensec: add gensec_kerberos_possible() helper Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider
---
diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
index 4d8eca99881..bf0a158a159 100644
--- a/auth/gensec/gensec_internal.h
+++ b/auth/gensec/gensec_internal.h
@@ -198,4 +198,6 @@ NTSTATUS gensec_child_session_info(struct gensec_security *gensec_security,
 NTTIME gensec_child_expire_time(struct gensec_security *gensec_security);
 const char *gensec_child_final_auth_type(struct gensec_security *gensec_security);
+NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security);
+
 #endif /* __GENSEC_H__ */
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index b6b4a722f27..611727d2fcd 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -23,10 +23,14 @@
 #include "includes.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_internal.h"
+#include "auth/credentials/credentials.h"
 #include "auth/common_auth.h"
 #include "../lib/util/asn1.h"
 #include "param/param.h"
 #include "libds/common/roles.h"
+#include "lib/util/util_net.h"
+
+#undef strcasecmp
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
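Review bot: The `#undef strcasecmp` added in the gensec_util.c include hunk carries no comment, and it presumably lifts a project-wide macro override for every line that follows in this file, not only for the new helper. A short comment such as `/* libc strcasecmp is wanted only for the fixed ASCII "localhost" check in gensec_kerberos_possible() */` would record the intent. libc `strcasecmp` folds case according to the current locale, so the same comment is the place to say that it should not be reused later in the file for names that are not plain ASCII literals.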
@@ -336,3 +340,62 @@ const char *gensec_child_final_auth_type(struct gensec_security *gensec_security
 return gensec_final_auth_type(gensec_security->child_security);
 }
+
+NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security)
+{
+ struct cli_credentials *creds = gensec_get_credentials(gensec_security);
+ bool auth_requested = cli_credentials_authentication_requested(creds);
+ enum credentials_use_kerberos krb5_state =
+ cli_credentials_get_kerberos_state(creds);
+ char *user_principal = NULL;
+ const char *client_realm = cli_credentials_get_realm(creds);
+ const char *target_principal = gensec_get_target_principal(gensec_security);
+ const char *hostname = gensec_get_target_hostname(gensec_security);
+
+ if (!auth_requested) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (krb5_state == CRED_USE_KERBEROS_DISABLED) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ errno = 0;
+ user_principal = cli_credentials_get_principal(creds, gensec_security);
+ if (errno != 0) {
+ TALLOC_FREE(user_principal);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (user_principal == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ TALLOC_FREE(user_principal);
+
+ if (target_principal != NULL) {
+ return NT_STATUS_OK;
+ }
+
+ if (client_realm == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (hostname == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (strcasecmp(hostname, "localhost") == 0) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+#define STAR_SMBSERVER "*SMBSERVER"
+ if (strcmp(hostname, STAR_SMBSERVER) == 0) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (is_ipaddress(hostname)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ return NT_STATUS_OK;
+}
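Review bot: In gensec_kerberos_possible() the `errno != 0` test runs even when `cli_credentials_get_principal()` returned a principal, so a callee path that leaves errno set without failing would turn a usable principal into `NT_STATUS_NO_MEMORY`, and every errno value is reported as an allocation failure. Whether the callee keeps errno clear on success is not visible in this hunk; consulting errno only for a NULL result is more robust, e.g. `if (user_principal == NULL) { return (errno != 0) ? NT_STATUS_NO_MEMORY : NT_STATUS_INVALID_PARAMETER; }`. The function also lacks a header comment stating its contract: as far as the visible code shows, `NT_STATUS_OK` means a Kerberos attempt is worthwhile and `NT_STATUS_INVALID_PARAMETER` means it is not, and the helper does not itself act on `CRED_USE_KERBEROS_REQUIRED`, so callers still have to refuse a fallback to another mechanism in that state. `STAR_SMBSERVER` is defined mid-function and never undefined; moving it to file scope or adding `#undef STAR_SMBSERVER` after the check keeps it from leaking into later code.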