From e54d07a9b690b19839f97e2223e27fc4229f8e3d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 7 Apr 2011 14:40:54 +0200
Subject: [PATCH] kdc: check and regenerate the PAC in the s4u2proxy case
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

TODO: we need to add a S4U_DELEGATION_INFO to the PAC later.

metze

Signed-off-by: Love Hörnquist Åstrand
---
 kdc/krb5tgs.c | 51 ++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 38 insertions(+), 13 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 4a533d188..3bc66bb40 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2007,11 +2007,23 @@ server_lookup:
 goto out;
 }
 
+ ret = _krb5_principalname2krb5_principal(context,
+ &tp,
+ adtkt.cname,
+ adtkt.crealm);
+ if (ret)
+ goto out;
+
+ ret = krb5_unparse_name(context, tp, &tpn);
+ if (ret)
+ goto out;
+
 /* check that ticket is valid */
 if (adtkt.flags.forwardable == 0) {
 kdc_log(context, config, 0,
 "Missing forwardable flag on ticket for "
- "constrained delegation from %s to %s ", cpn, spn);
+ "constrained delegation from %s as %s to %s ",
+ cpn, tpn, spn);
 ret = KRB5KDC_ERR_BADOPTION;
 goto out;
 }
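Review bot: The rewritten format string in the forwardable-flag check keeps a trailing space before the closing quote, `"constrained delegation from %s as %s to %s ",`; since the line is being touched anyway it should read `"constrained delegation from %s as %s to %s",`. The hoisted conversion of adtkt.cname/adtkt.crealm into `tp` and `tpn` carries no comment saying what those names denote, and a line such as `/* tp/tpn: the client principal named in the additional ticket (adtkt) */` above the first added call would help readers who reach the later delegation checks. Whether `tp` and `tpn` are released on every `goto out` path depends on the cleanup label outside the hunk, which is worth confirming now that the two early-exit guards sit between their allocation and the rest of the checks. The enclosing function starts and ends outside the hunk.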
@@ -2020,24 +2032,37 @@ server_lookup:
 client, sp);
 if (ret) {
 kdc_log(context, config, 0,
- "constrained delegation from %s to %s not allowed",
- cpn, spn);
+ "constrained delegation from %s as %s to %s not allowed",
+ cpn, tpn, spn);
 goto out;
 }
 
- ret = _krb5_principalname2krb5_principal(context,
- &tp,
- adtkt.cname,
- adtkt.crealm);
- if (ret)
- goto out;
-
- ret = krb5_unparse_name(context, tp, &tpn);
- if (ret)
+ ret = verify_flags(context, config, &adtkt, tpn);
+ if (ret) {
 goto out;
+ }
 
- ret = verify_flags(context, config, &adtkt, tpn);
+ krb5_data_free(&rspac);
+ /*
+ * generate the PAC for the user.
+ *
+ * TODO: pass in t->sname and t->realm and build
+ * a S4U_DELEGATION_INFO blob to the PAC.
+ */
+ ret = check_PAC(context, config, tp,
+ client, server, krbtgt,
+ &clientkey->key, &tkey_check->key,
+ ekey, &tkey_sign->key,
+ &adtkt, &rspac, &ad_signedpath);
+ if (ret == 0 && !ad_signedpath)
+ ret = KRB5KDC_ERR_BADOPTION;
 if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0,
+ "Verify delegated PAC failed to %s for client"
+ "%s as %s from %s with %s",
+ spn, cpn, tpn, from, msg);
+ krb5_free_error_message(context, msg);
 goto out;
 }
 
-- 
2.11.4.GIT
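Review bot: The log message in the new check_PAC failure branch is assembled from two adjacent literals, `"Verify delegated PAC failed to %s for client"` and `"%s as %s from %s with %s"`, so the emitted text runs the word "client" straight into the principal name; the first literal should end with a space, `"Verify delegated PAC failed to %s for client "`. Separately, check_PAC is given `tp` as the principal but `client` — the entry that the surrounding code resolved for the TGT's own cname, i.e. the delegating service — as the hdb entry; if check_PAC or its verify callback uses that entry to validate the PAC contents against the named principal, the impersonated user's entry would be the one to pass, which is worth confirming against check_PAC outside the hunk. Mapping a clean check_PAC result with `!ad_signedpath` to KRB5KDC_ERR_BADOPTION is a sensible fail-closed default, but its meaning depends on check_PAC's contract, so a short comment above that `if` stating why an unsigned path is rejected here would help later readers. The enclosing function starts and ends outside the hunk.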