author: Stefan Metzmacher <metze@samba.org> 2016-12-29 14:42:49 +0100
committer: Stefan Metzmacher <metze@samba.org> 2017-01-10 13:54:17 +0100
commit: 3be1203987de8cf1ae6f30b6e3a6904e3d46990e (patch)
tree: ded7ef9054666b614056c65de22bedeb799f644f /auth/credentials/credentials_krb5.h
parent: ea0c35fbd1e1799fc0162377ffc116cffa8659ab (diff)
krb5_wrap: let smb_krb5_kinit_s4u2_ccache() work if store_creds.client and server have different realms
As the principal in the resulting ccache may not match the realm of the target principal, we need to store the credentials twice.

The caller uses the ccache principal's realm to construct the search key for the target principal.

If we get administrator@SAMBADOMAIN via the NTLMSSP authentication and want to do s4u2selfproxy, we'll get a ticket for

  client realm: SAMBADOMAIN
  client name: administrator
  server realm: SAMBA.EXAMPLE.COM
  server name: cifs/localdc

This is stored in the credential cache, but the caller will use cifs/localdc@SAMBADOMAIN as target_principal name when it tries to use the cache.

So also store the ticket as:

  client realm: SAMBADOMAIN
  client name: administrator
  server realm: SAMBADOMAIN
  server name: cifs/localdc

Note that it can always happen that the target is not in the client's realm, so we always deal with changing realm names, so this is not an s4u2self/proxy specific thing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'auth/credentials/credentials_krb5.h')
0 files changed, 0 insertions, 0 deletions
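
The lookup mismatch described in the commit message, as an added C sketch that is not Samba's code and does not use the krb5 API. It assumes a cache matched on exact principal strings; `cc_store`, `cc_find`, `store_ticket` and `lookup_hits` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): entries match on exact principal strings. */
struct cred { char client[64]; char server[64]; };
struct ccache { struct cred e[8]; int n; };

static void cc_store(struct ccache *cc, const char *client, const char *server)
{
    if (cc->n >= 8) return;
    snprintf(cc->e[cc->n].client, sizeof(cc->e[cc->n].client), "%s", client);
    snprintf(cc->e[cc->n].server, sizeof(cc->e[cc->n].server), "%s", server);
    cc->n++;
}

static int cc_find(const struct ccache *cc, const char *server)
{
    for (int i = 0; i < cc->n; i++)
        if (strcmp(cc->e[i].server, server) == 0) return 1;
    return 0;
}

/* Store the ticket as issued and, if the realms differ and store_twice is
 * set, again with the server realm replaced by the client realm. */
static void store_ticket(struct ccache *cc, const char *client,
                         const char *server, int store_twice)
{
    const char *crealm = strrchr(client, '@');
    const char *srealm = strrchr(server, '@');
    char alias[64];
    cc_store(cc, client, server);
    if (!store_twice || !crealm || !srealm || strcmp(crealm, srealm) == 0)
        return;
    snprintf(alias, sizeof(alias), "%.*s%s", (int)(srealm - server), server, crealm);
    cc_store(cc, client, alias);
}

/* Returns 1 if the caller's search key (target name + client realm) hits. */
int lookup_hits(int store_twice)
{
    struct ccache cc = { .n = 0 };
    store_ticket(&cc, "administrator@SAMBADOMAIN",
                 "cifs/localdc@SAMBA.EXAMPLE.COM", store_twice);
    return cc_find(&cc, "cifs/localdc@SAMBADOMAIN");
}

int main(void)
{
    printf("single store: %d, double store: %d\n", lookup_hits(0), lookup_hits(1));
}
```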