From: Andreas Schneider
Date: Tue, 14 Dec 2021 10:17:15 +0000 (+0100)
Subject: s4:mitkdc: Implement mit_samba_check_allowed_to_delegate_from() for RBCD
X-Git-Tag: tevent-0.12.0~567
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7be3d1fffecff1d6709880b3293114a8c2d328d;p=thirdparty%2Fsamba.git

s4:mitkdc: Implement mit_samba_check_allowed_to_delegate_from() for RBCD

This just implements a call in the MIT KDB shim layer. It will be used in the next commits in the KDB plugin.

Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher
---

diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 900c2ce47e4..056e1809238 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -1492,6 +1492,31 @@ int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
 #endif
 }
 
+krb5_error_code mit_samba_check_allowed_to_delegate_from(
+ struct mit_samba_context *ctx,
+ krb5_const_principal client_principal,
+ krb5_const_principal server_principal,
+ krb5_pac header_pac,
+ const krb5_db_entry *proxy)
+{
+#if KRB5_KDB_DAL_MAJOR_VERSION < 8
+ return KRB5KDC_ERR_POLICY;
+#else
+ struct samba_kdc_entry *proxy_skdc_entry =
+ talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry);
+ krb5_error_code code;
+
+ code = samba_kdc_check_s4u2proxy_rbcd(ctx->context,
+ ctx->db_ctx,
+ client_principal,
+ server_principal,
+ header_pac,
+ proxy_skdc_entry);
+
+ return code;
+#endif
+}
+
 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
 NTSTATUS result,
 enum samPwdChangeReason reject_reason,
diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
index 662bf98201d..f34c26a37ac 100644
--- a/source4/kdc/mit_samba.h
+++ b/source4/kdc/mit_samba.h
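Review bot: In mit_samba.c the new mit_samba_check_allowed_to_delegate_from() feeds `header_pac` and `proxy->e_data` straight into an RBCD authorization decision without stating what the caller must guarantee. `proxy` is dereferenced unchecked and `talloc_get_type_abort()` terminates the KDC process if `e_data` is NULL or not a `struct samba_kdc_entry`, so a comment above the function such as `/* proxy must be a Samba KDB entry; header_pac must already have been verified by the caller */` would make the precondition explicit for the KDB plugin caller the commit message announces. Whether samba_kdc_check_s4u2proxy_rbcd() tolerates a NULL `header_pac` is not visible here; if it does not, `if (header_pac == NULL) return KRB5KDC_ERR_POLICY;` before the call keeps the failure closed, matching the `KRB5_KDB_DAL_MAJOR_VERSION < 8` branch. The prototype added in mit_samba.h names the principals `client`/`server` while the definition uses `client_principal`/`server_principal`; aligning the two would avoid confusion over which principal is the delegating service.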
@@ -85,6 +85,12 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
 const krb5_db_entry *server,
 krb5_const_principal target_principal);
+krb5_error_code mit_samba_check_allowed_to_delegate_from(
+ struct mit_samba_context *ctx,
+ krb5_const_principal client,
+ krb5_const_principal server,
+ krb5_pac header_pac,
+ const krb5_db_entry *proxy);
 
 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
 char *pwd,