From: Andrew Bartlett
Date: Mon, 20 Nov 2023 01:12:19 +0000 (+1300)
Subject: s4-auth/kerberos: Use FAST credentials for armor if specified in cli_credentials
X-Git-Tag: talloc-2.4.2~484
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c49fd98ed7a547fe37b354d93671a9d2f05c8b34;p=thirdparty%2Fsamba.git

s4-auth/kerberos: Use FAST credentials for armor if specified in cli_credentials

Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 85ea97521d4..4463401a767 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -726,7 +726,14 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
 		return ret;
 	}
 
-	ret = kinit_to_ccache(cred, cred, (*ccc)->smb_krb5_context, event_ctx, (*ccc)->ccache, &obtained, error_string);
+	ret = kinit_to_ccache(cred,
+			      cred,
+			      (*ccc)->smb_krb5_context,
+			      lp_ctx,
+			      event_ctx,
+			      (*ccc)->ccache,
+			      &obtained,
+			      error_string);
 	if (ret) {
 		return ret;
 	}
diff --git a/source4/auth/kerberos/kerberos_credentials.h b/source4/auth/kerberos/kerberos_credentials.h
index 362edf7d6aa..9aeeb386e9b 100644
--- a/source4/auth/kerberos/kerberos_credentials.h
+++ b/source4/auth/kerberos/kerberos_credentials.h
@@ -23,6 +23,7 @@ krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
 				struct cli_credentials *credentials,
 				struct smb_krb5_context *smb_krb5_context,
+				struct loadparm_context *lp_ctx,
 				struct tevent_context *event_ctx,
 				krb5_ccache ccache,
 				enum credentials_obtained *obtained,
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index bf5fd0c464e..c0cf8916902 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
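Review bot: The new `lp_ctx` parameter added to the `kinit_to_ccache()` prototype in kerberos_credentials.h is undocumented, and nothing in the header says what it is needed for; judging from the kerberos_util.c hunks it is only consulted when the credentials carry FAST armor credentials, where it is handed to `cli_credentials_get_ccache()`. A comment above the prototype along the lines of `/* lp_ctx is used to obtain the credentials cache of the FAST armor credentials, if any, via cli_credentials_get_ccache() */` would tell callers why a loadparm context is now required. Whether a NULL `lp_ctx` is tolerated when no armor credentials are set cannot be confirmed from this diff, so the comment should state the real contract once checked. The prototype's final parameter lies outside the hunk.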
@@ -238,6 +238,7 @@ done:
 krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
 				struct cli_credentials *credentials,
 				struct smb_krb5_context *smb_krb5_context,
+				struct loadparm_context *lp_ctx,
 				struct tevent_context *event_ctx,
 				krb5_ccache ccache,
 				enum credentials_obtained *obtained,
@@ -253,6 +254,7 @@ done:
 	int tries;
 	TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 	krb5_get_init_creds_opt *krb_options;
+	struct cli_credentials *fast_creds;
 
 	if (!mem_ctx) {
 		(*error_string) = strerror(ENOMEM);
@@ -325,6 +327,50 @@ done:
 	krb5_get_init_creds_opt_set_canonicalize(krb_options, true);
 #endif
 
+	fast_creds = cli_credentials_get_krb5_fast_armor_credentials(credentials);
+
+	if (fast_creds != NULL) {
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_CCACHE
+		struct ccache_container *fast_ccc = NULL;
+		const char *fast_error_string = NULL;
+		ret = cli_credentials_get_ccache(fast_creds, event_ctx, lp_ctx, &fast_ccc, &fast_error_string);
+		if (ret != 0) {
+			(*error_string) = talloc_asprintf(credentials,
+							  "Obtaining the Kerberos FAST armor credentials failed: %s\n",
+							  fast_error_string);
+			return ret;
+		}
+		krb5_get_init_creds_opt_set_fast_ccache(smb_krb5_context->krb5_context,
+							krb_options,
+							fast_ccc->ccache);
+#else
+		*error_string = talloc_strdup(credentials,
+					      "Using Kerberos FAST "
+					      "armor credentials not possible "
+					      "with this Kerberos library. "
+					      "Modern MIT or Samba's embedded "
+					      "Heimdal required");
+		return EINVAL;
+#endif
+	}
+
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS
+	{
+		bool require_fast;
+		/*
+		 * This ensures that if FAST was required, that we proceed
+		 * with no credentials cache, but with (eg) anonymous
+		 * PKINIT
+		 */
+		require_fast = cli_credentials_get_krb5_require_fast_armor(credentials);
+		if (require_fast) {
+			krb5_get_init_creds_opt_set_fast_flags(smb_krb5_context->krb5_context,
+							       krb_options,
+							       KRB5_FAST_REQUIRED);
+		}
+	}
+#endif
+
 	tries = 2;
 	while (tries--) {
 #ifdef SAMBA4_USES_HEIMDAL
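Review bot: Both new early returns inside the `fast_creds != NULL` block leave `kinit_to_ccache()` without releasing `mem_ctx`, which the second hunk shows being allocated with `talloc_new(parent_ctx)`, and if `krb_options` (already in use on the `set_canonicalize` context line just above) is only freed at the end of the function, it leaks on those paths too; the ccache-failure return should read `talloc_free(mem_ctx); krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options); return ret;` and the `#else` path needs the same cleanup before `return EINVAL;`. A second point is the FAST-flags block: when `HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS` is not defined, a caller that asked for FAST to be required via `cli_credentials_get_krb5_require_fast_armor()` has that requirement silently dropped and the request proceeds unarmored, whereas the armor-ccache block right above fails with EINVAL in the equivalent situation, so an `#else` branch that fails closed would make the two consistent. Also, `fast_error_string` starts as NULL and is passed to `%s` regardless, so a failing `cli_credentials_get_ccache()` that does not set it would hand a null pointer to `talloc_asprintf`; a fallback such as `fast_error_string ? fast_error_string : "unknown error"` avoids that. `kinit_to_ccache()` continues past the end of this hunk.
```c
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS
	/* … unchanged: require_fast lookup and krb5_get_init_creds_opt_set_fast_flags() … */
#else
	if (cli_credentials_get_krb5_require_fast_armor(credentials)) {
		*error_string = talloc_strdup(credentials,
					      "Kerberos FAST armor was required "
					      "but cannot be enforced with "
					      "this Kerberos library");
		talloc_free(mem_ctx);
		/* also free krb_options here if it is otherwise only released at the end of the function */
		return EINVAL;
	}
#endif
```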
@@ -437,6 +483,7 @@ done:
 	ret = kinit_to_ccache(parent_ctx,
 			      credentials,
 			      smb_krb5_context,
+			      lp_ctx,
 			      event_ctx,
 			      ccache,
 			      obtained, error_string);