s4-auth/kerberos: Use FAST credentials for armor if specified in cli_credentials

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 85ea97521d4b99164ae485c129db921f9c85887c..4463401a7672969ffd0d14e9f6949cb65debd031 100644 (file)
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -726,7 +726,14 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
                return ret;
        }
 
-       ret = kinit_to_ccache(cred, cred, (*ccc)->smb_krb5_context, event_ctx, (*ccc)->ccache, &obtained, error_string);
+       ret = kinit_to_ccache(cred,
+                             cred,
+                             (*ccc)->smb_krb5_context,
+                             lp_ctx,
+                             event_ctx,
+                             (*ccc)->ccache,
+                             &obtained,
+                             error_string);
        if (ret) {
                return ret;
        }

diff --git a/source4/auth/kerberos/kerberos_credentials.h b/source4/auth/kerberos/kerberos_credentials.h
index 362edf7d6aa409fd216fb62f71460708ae4b00d7..9aeeb386e9b5f82df4a628b1ab12e5617ff1e58c 100644 (file)
--- a/source4/auth/kerberos/kerberos_credentials.h
+++ b/source4/auth/kerberos/kerberos_credentials.h
@@ -23,6 +23,7 @@
 krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
                                struct cli_credentials *credentials,
                                struct smb_krb5_context *smb_krb5_context,
+                               struct loadparm_context *lp_ctx,
                                struct tevent_context *event_ctx,
                                krb5_ccache ccache,
                                enum credentials_obtained *obtained,

diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index bf5fd0c464ecc4942ba8e6ac6a1d83b4734ba744..c0cf89169027fa5b6d23116bc025a4539aa8faa1 100644 (file)
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -238,6 +238,7 @@ done:
  krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
                                 struct cli_credentials *credentials,
                                 struct smb_krb5_context *smb_krb5_context,
+                                struct loadparm_context *lp_ctx,
                                 struct tevent_context *event_ctx,
                                 krb5_ccache ccache,
                                 enum credentials_obtained *obtained,
@@ -253,6 +254,7 @@ done:
        int tries;
        TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
        krb5_get_init_creds_opt *krb_options;
+       struct cli_credentials *fast_creds;
 
        if (!mem_ctx) {
                (*error_string) = strerror(ENOMEM);
@@ -325,6 +327,50 @@ done:
        krb5_get_init_creds_opt_set_canonicalize(krb_options, true);
 #endif
 
+       fast_creds = cli_credentials_get_krb5_fast_armor_credentials(credentials);
+
+       if (fast_creds != NULL) {
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_CCACHE
+               struct ccache_container *fast_ccc = NULL;
+               const char *fast_error_string = NULL;
+               ret = cli_credentials_get_ccache(fast_creds, event_ctx, lp_ctx, &fast_ccc, &fast_error_string);
+               if (ret != 0) {
+                       (*error_string) = talloc_asprintf(credentials,
+                                                         "Obtaining the Kerberos FAST armor credentials failed: %s\n",
+                                                         fast_error_string);
+                       return ret;
+               }
+               krb5_get_init_creds_opt_set_fast_ccache(smb_krb5_context->krb5_context,
+                                                       krb_options,
+                                                       fast_ccc->ccache);
+#else
+               *error_string = talloc_strdup(credentials,
+                                             "Using Kerberos FAST "
+                                             "armor credentials not possible "
+                                             "with this Kerberos library.  "
+                                             "Modern MIT or Samba's embedded "
+                                             "Heimdal required");
+               return EINVAL;
+#endif
+       }
+
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS
+       {
+               bool require_fast;
+               /*
+                * This ensures that if FAST was required, that we proceed
+                * with no credentials cache, but with (eg) anonymous
+                * PKINIT
+                */
+               require_fast = cli_credentials_get_krb5_require_fast_armor(credentials);
+               if (require_fast) {
+                       krb5_get_init_creds_opt_set_fast_flags(smb_krb5_context->krb5_context,
+                                                              krb_options,
+                                                              KRB5_FAST_REQUIRED);
+               }
+       }
+#endif
+
        tries = 2;
        while (tries--) {
 #ifdef SAMBA4_USES_HEIMDAL
@@ -437,6 +483,7 @@ done:
                ret = kinit_to_ccache(parent_ctx,
                                      credentials,
                                      smb_krb5_context,
+                                     lp_ctx,
                                      event_ctx,
                                      ccache, obtained,
                                      error_string);