11c8e3
From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001
11c8e3
From: Isaac Boukris <iboukris@gmail.com>
11c8e3
Date: Fri, 27 Sep 2019 18:25:03 +0300
11c8e3
Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
11c8e3
11c8e3
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
11c8e3
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
11c8e3
---
11c8e3
 source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
11c8e3
 source4/kdc/mit_samba.c                  |  47 ++-------
11c8e3
 source4/kdc/mit_samba.h                  |   6 +-
11c8e3
 3 files changed, 71 insertions(+), 106 deletions(-)
11c8e3
11c8e3
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
11c8e3
index f35210669c2..b1c7c5dcc5e 100644
11c8e3
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
11c8e3
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
11c8e3
@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
11c8e3
 				     krb5_keyblock *krbtgt_key,
11c8e3
 				     krb5_timestamp authtime,
11c8e3
 				     krb5_authdata **tgt_auth_data,
11c8e3
-				     krb5_pac *pac)
11c8e3
+				     krb5_pac *out_pac)
11c8e3
 {
11c8e3
 	struct mit_samba_context *mit_ctx;
11c8e3
 	krb5_authdata **authdata = NULL;
11c8e3
-	krb5_pac ipac = NULL;
11c8e3
-	DATA_BLOB logon_data = { NULL, 0 };
11c8e3
+	krb5_keyblock *header_server_key = NULL;
11c8e3
+	krb5_key_data *impersonator_kd = NULL;
11c8e3
+	krb5_keyblock impersonator_key = {0};
11c8e3
 	krb5_error_code code;
11c8e3
+	krb5_pac pac;
11c8e3
+
11c8e3
+	*out_pac = NULL;
11c8e3
 
11c8e3
 	mit_ctx = ks_get_context(context);
11c8e3
 	if (mit_ctx == NULL) {
11c8e3
@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
11c8e3
 	code = krb5_pac_parse(context,
11c8e3
 			      authdata[0]->contents,
11c8e3
 			      authdata[0]->length,
11c8e3
-			      &ipac);
11c8e3
+			      &pac;;
11c8e3
 	if (code != 0) {
11c8e3
 		goto done;
11c8e3
 	}
11c8e3
 
11c8e3
-	/* TODO: verify this is correct
11c8e3
-	 *
11c8e3
-	 * In the constrained delegation case, the PAC is from a service
11c8e3
-	 * ticket rather than a TGT; we must verify the server and KDC
11c8e3
-	 * signatures to assert that the server did not forge the PAC.
11c8e3
+	/*
11c8e3
+	 * For constrained delegation in MIT version < 1.18 we aren't provided
11c8e3
+	 * with the 2nd ticket server key to verify the PAC.
11c8e3
+	 * We can workaround that by fetching the key from the client db entry,
11c8e3
+	 * which is the impersonator account in that version.
11c8e3
+	 * TODO: use the provided entry in the new 1.18 version.
11c8e3
 	 */
11c8e3
 	if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
11c8e3
-		code = krb5_pac_verify(context,
11c8e3
-				       ipac,
11c8e3
-				       authtime,
11c8e3
-				       client_princ,
11c8e3
-				       server_key,
11c8e3
-				       krbtgt_key);
11c8e3
+		/* The impersonator must be local. */
11c8e3
+		if (client == NULL) {
11c8e3
+			code = KRB5KDC_ERR_BADOPTION;
11c8e3
+			goto done;
11c8e3
+		}
11c8e3
+		/* Fetch and decrypt 2nd ticket server's current key. */
11c8e3
+		code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
11c8e3
+					     &impersonator_kd);
11c8e3
+		if (code != 0) {
11c8e3
+			goto done;
11c8e3
+		}
11c8e3
+		code = krb5_dbe_decrypt_key_data(context, NULL,
11c8e3
+						 impersonator_kd,
11c8e3
+						 &impersonator_key, NULL);
11c8e3
+		if (code != 0) {
11c8e3
+			goto done;
11c8e3
+		}
11c8e3
+		header_server_key = &impersonator_key;
11c8e3
 	} else {
11c8e3
-		code = krb5_pac_verify(context,
11c8e3
-				       ipac,
11c8e3
-				       authtime,
11c8e3
-				       client_princ,
11c8e3
-				       krbtgt_key,
11c8e3
-				       NULL);
11c8e3
-	}
11c8e3
-	if (code != 0) {
11c8e3
-		goto done;
11c8e3
+		header_server_key = krbtgt_key;
11c8e3
 	}
11c8e3
 
11c8e3
-	/* check and update PAC */
11c8e3
-	code = krb5_pac_parse(context,
11c8e3
-			      authdata[0]->contents,
11c8e3
-			      authdata[0]->length,
11c8e3
-			      pac);
11c8e3
+	code = krb5_pac_verify(context, pac, authtime, client_princ,
11c8e3
+			       header_server_key, NULL);
11c8e3
 	if (code != 0) {
11c8e3
 		goto done;
11c8e3
 	}
11c8e3
@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
11c8e3
 	code = mit_samba_reget_pac(mit_ctx,
11c8e3
 				   context,
11c8e3
 				   flags,
11c8e3
-				   client_princ,
11c8e3
 				   client,
11c8e3
 				   server,
11c8e3
 				   krbtgt,
11c8e3
 				   krbtgt_key,
11c8e3
-				   pac);
11c8e3
+				   &pac;;
11c8e3
+	if (code != 0) {
11c8e3
+		goto done;
11c8e3
+	}
11c8e3
+
11c8e3
+	*out_pac = pac;
11c8e3
+	pac = NULL;
11c8e3
 
11c8e3
 done:
11c8e3
+	krb5_free_keyblock_contents(context, &impersonator_key);
11c8e3
 	krb5_free_authdata(context, authdata);
11c8e3
-	krb5_pac_free(context, ipac);
11c8e3
-	free(logon_data.data);
11c8e3
+	krb5_pac_free(context, pac);
11c8e3
 
11c8e3
 	return code;
11c8e3
 }
11c8e3
@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
11c8e3
 	krb5_authdata **pac_auth_data = NULL;
11c8e3
 	krb5_authdata **authdata = NULL;
11c8e3
 	krb5_boolean is_as_req;
11c8e3
+	krb5_const_principal pac_client;
11c8e3
 	krb5_error_code code;
11c8e3
 	krb5_pac pac = NULL;
11c8e3
 	krb5_data pac_data;
11c8e3
@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
11c8e3
 	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
11c8e3
 	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
11c8e3
 
11c8e3
-	/* FIXME: We don't support S4U yet */
11c8e3
-	if (flags & KRB5_KDB_FLAGS_S4U) {
11c8e3
-		return KRB5_KDB_DBTYPE_NOSUP;
11c8e3
-	}
11c8e3
-
11c8e3
 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
11c8e3
 
11c8e3
 	/*
11c8e3
@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
11c8e3
 		ks_client_princ = client->princ;
11c8e3
 	}
11c8e3
 
11c8e3
+	/* In protocol transition, we are currently not provided with the tgt
11c8e3
+	 * client name to verify the PAC, we could probably skip the name
11c8e3
+	 * verification and just verify the signatures, but since we don't
11c8e3
+	 * support cross-realm nor aliases, we can just use server->princ */
11c8e3
+	if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
11c8e3
+		pac_client = server->princ;
11c8e3
+	} else {
11c8e3
+		pac_client = ks_client_princ;
11c8e3
+	}
11c8e3
+
11c8e3
 	if (client_entry == NULL) {
11c8e3
 		client_entry = client;
11c8e3
 	}
11c8e3
@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
11c8e3
 
11c8e3
 			code = ks_verify_pac(context,
11c8e3
 					     flags,
11c8e3
-					     ks_client_princ,
11c8e3
+					     pac_client,
11c8e3
 					     client_entry,
11c8e3
 					     server,
11c8e3
 					     krbtgt,
11c8e3
@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
11c8e3
 		  is_as_req ? "AS-REQ" : "TGS-REQ",
11c8e3
 		  client_name);
11c8e3
 	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
11c8e3
-			server_key, krbtgt_key, &pac_data);
11c8e3
+			     server_key, krbtgt_key, &pac_data);
11c8e3
 	if (code != 0) {
11c8e3
 		DBG_ERR("krb5_pac_sign failed: %d\n", code);
11c8e3
 		goto done;
11c8e3
@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
11c8e3
 					      KRB5_AUTHDATA_IF_RELEVANT,
11c8e3
 					      authdata,
11c8e3
 					      signed_auth_data);
11c8e3
-	if (code != 0) {
11c8e3
-		goto done;
11c8e3
-	}
11c8e3
-
11c8e3
-	code = 0;
11c8e3
-
11c8e3
 done:
11c8e3
 	if (client_entry != NULL && client_entry != client) {
11c8e3
 		ks_free_principal(context, client_entry);
11c8e3
@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
11c8e3
 	 * server; -> delegating service
11c8e3
 	 * proxy; -> target principal
11c8e3
 	 */
11c8e3
-	krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
11c8e3
-
11c8e3
-	char *target_name = NULL;
11c8e3
-	bool is_enterprise;
11c8e3
-	krb5_error_code code;
11c8e3
 
11c8e3
 	mit_ctx = ks_get_context(context);
11c8e3
 	if (mit_ctx == NULL) {
11c8e3
 		return KRB5_KDB_DBNOTINITED;
11c8e3
 	}
11c8e3
 
11c8e3
-	code = krb5_unparse_name(context, proxy, &target_name);
11c8e3
-	if (code) {
11c8e3
-		goto done;
11c8e3
-	}
11c8e3
-
11c8e3
-	is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
11c8e3
-
11c8e3
-	code = mit_samba_check_s4u2proxy(mit_ctx,
11c8e3
-					 delegating_service,
11c8e3
-					 target_name,
11c8e3
-					 is_enterprise);
11c8e3
-
11c8e3
-done:
11c8e3
-	free(target_name);
11c8e3
-	return code;
11c8e3
+	return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
11c8e3
 }
11c8e3
 
11c8e3
 
11c8e3
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
11c8e3
index 4239332f0d9..acc3cba6254 100644
11c8e3
--- a/source4/kdc/mit_samba.c
11c8e3
+++ b/source4/kdc/mit_samba.c
11c8e3
@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
11c8e3
 krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
11c8e3
 				    krb5_context context,
11c8e3
 				    int flags,
11c8e3
-				    krb5_const_principal client_principal,
11c8e3
 				    krb5_db_entry *client,
11c8e3
 				    krb5_db_entry *server,
11c8e3
 				    krb5_db_entry *krbtgt,
11c8e3
@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
11c8e3
 								  context,
11c8e3
 								  *pac,
11c8e3
 								  server->princ,
11c8e3
-								  discard_const(client_principal),
11c8e3
+								  client->princ,
11c8e3
 								  deleg_blob);
11c8e3
 		if (!NT_STATUS_IS_OK(nt_status)) {
11c8e3
 			DEBUG(0, ("Update delegation info failed: %s\n",
11c8e3
@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
11c8e3
 }
11c8e3
 
11c8e3
 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
11c8e3
-			      krb5_db_entry *kentry,
11c8e3
-			      const char *target_name,
11c8e3
-			      bool is_nt_enterprise_name)
11c8e3
+			      const krb5_db_entry *server,
11c8e3
+			      krb5_const_principal target_principal)
11c8e3
 {
11c8e3
-#if 1
11c8e3
-	/*
11c8e3
-	 * This is disabled because mit_samba_update_pac_data() does not handle
11c8e3
-	 * S4U_DELEGATION_INFO
11c8e3
-	 */
11c8e3
-
11c8e3
-	return KRB5KDC_ERR_BADOPTION;
11c8e3
-#else
11c8e3
-	krb5_principal target_principal;
11c8e3
-	int flags = 0;
11c8e3
-	int ret;
11c8e3
-
11c8e3
-	if (is_nt_enterprise_name) {
11c8e3
-		flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
11c8e3
-	}
11c8e3
-
11c8e3
-	ret = krb5_parse_name_flags(ctx->context, target_name,
11c8e3
-				    flags, &target_principal);
11c8e3
-	if (ret) {
11c8e3
-		return ret;
11c8e3
-	}
11c8e3
-
11c8e3
-	ret = samba_kdc_check_s4u2proxy(ctx->context,
11c8e3
-					ctx->db_ctx,
11c8e3
-					skdc_entry,
11c8e3
-					target_principal);
11c8e3
-
11c8e3
-	krb5_free_principal(ctx->context, target_principal);
11c8e3
-
11c8e3
-	return ret;
11c8e3
-#endif
11c8e3
+	struct samba_kdc_entry *server_skdc_entry =
11c8e3
+		 talloc_get_type_abort(server->e_data,
11c8e3
+				       struct samba_kdc_entry);
11c8e3
+
11c8e3
+	return samba_kdc_check_s4u2proxy(ctx->context,
11c8e3
+					 ctx->db_ctx,
11c8e3
+					 server_skdc_entry,
11c8e3
+					 target_principal);
11c8e3
 }
11c8e3
 
11c8e3
 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
11c8e3
diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
11c8e3
index 636c77ec97c..9cb00c9610e 100644
11c8e3
--- a/source4/kdc/mit_samba.h
11c8e3
+++ b/source4/kdc/mit_samba.h
11c8e3
@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
11c8e3
 krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
11c8e3
 				    krb5_context context,
11c8e3
 				    int flags,
11c8e3
-				    krb5_const_principal client_principal,
11c8e3
 				    krb5_db_entry *client,
11c8e3
 				    krb5_db_entry *server,
11c8e3
 				    krb5_db_entry *krbtgt,
11c8e3
@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
11c8e3
 				  DATA_BLOB *e_data);
11c8e3
 
11c8e3
 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
11c8e3
-			      krb5_db_entry *kentry,
11c8e3
-			      const char *target_name,
11c8e3
-			      bool is_nt_enterprise_name);
11c8e3
+			      const krb5_db_entry *server,
11c8e3
+			      krb5_const_principal target_principal);
11c8e3
 
11c8e3
 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
11c8e3
 				      char *pwd,
11c8e3
-- 
11c8e3
2.33.1
11c8e3
11c8e3
11c8e3
From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001
11c8e3
From: Isaac Boukris <iboukris@gmail.com>
11c8e3
Date: Fri, 27 Sep 2019 18:35:30 +0300
11c8e3
Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
11c8e3
11c8e3
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
11c8e3
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
11c8e3
---
11c8e3
 lib/krb5_wrap/krb5_samba.c            | 185 ++++++++++++++++++++++++++
11c8e3
 lib/krb5_wrap/krb5_samba.h            |   2 -
11c8e3
 source4/auth/kerberos/kerberos_util.c |  11 --
11c8e3
 3 files changed, 185 insertions(+), 13 deletions(-)
11c8e3
11c8e3
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
11c8e3
index fff5b4e2a22..791b417d5ba 100644
11c8e3
--- a/lib/krb5_wrap/krb5_samba.c
11c8e3
+++ b/lib/krb5_wrap/krb5_samba.c
11c8e3
@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
11c8e3
 
11c8e3
 	return 0;
11c8e3
 }
11c8e3
+
11c8e3
+#else /* MIT */
11c8e3
+
11c8e3
+static bool princ_compare_no_dollar(krb5_context ctx,
11c8e3
+				    krb5_principal a,
11c8e3
+				    krb5_principal b)
11c8e3
+{
11c8e3
+	bool cmp;
11c8e3
+	krb5_principal mod = NULL;
11c8e3
+
11c8e3
+	if (a->length == 1 && b->length == 1 &&
11c8e3
+	    a->data[0].length != 0 && b->data[0].length != 0 &&
11c8e3
+	    a->data[0].data[a->data[0].length -1] !=
11c8e3
+	    b->data[0].data[b->data[0].length -1]) {
11c8e3
+		if (a->data[0].data[a->data[0].length -1] == '$') {
11c8e3
+			mod = a;
11c8e3
+			mod->data[0].length--;
11c8e3
+		} else if (b->data[0].data[b->data[0].length -1] == '$') {
11c8e3
+			mod = b;
11c8e3
+			mod->data[0].length--;
11c8e3
+		}
11c8e3
+	}
11c8e3
+
11c8e3
+	cmp = krb5_principal_compare_flags(ctx, a, b,
11c8e3
+					   KRB5_PRINCIPAL_COMPARE_CASEFOLD);
11c8e3
+
11c8e3
+	if (mod != NULL) {
11c8e3
+		mod->data[0].length++;
11c8e3
+	}
11c8e3
+
11c8e3
+	return cmp;
11c8e3
+}
11c8e3
+
11c8e3
+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
11c8e3
+					   krb5_ccache store_cc,
11c8e3
+					   krb5_principal init_principal,
11c8e3
+					   const char *init_password,
11c8e3
+					   krb5_principal impersonate_principal,
11c8e3
+					   const char *self_service,
11c8e3
+					   const char *target_service,
11c8e3
+					   krb5_get_init_creds_opt *krb_options,
11c8e3
+					   time_t *expire_time,
11c8e3
+					   time_t *kdc_time)
11c8e3
+{
11c8e3
+	krb5_error_code code;
11c8e3
+	krb5_principal self_princ = NULL;
11c8e3
+	krb5_principal target_princ = NULL;
11c8e3
+	krb5_creds *store_creds;
11c8e3
+	krb5_creds *s4u2self_creds = NULL;
11c8e3
+	krb5_creds *s4u2proxy_creds = NULL;
11c8e3
+	krb5_creds init_creds = {0};
11c8e3
+	krb5_creds mcreds = {0};
11c8e3
+	krb5_flags options = KRB5_GC_NO_STORE;
11c8e3
+	krb5_ccache tmp_cc;
11c8e3
+	bool s4u2proxy;
11c8e3
+
11c8e3
+	code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
11c8e3
+	if (code != 0) {
11c8e3
+		return code;
11c8e3
+	}
11c8e3
+
11c8e3
+	code = krb5_get_init_creds_password(ctx, &init_creds,
11c8e3
+					    init_principal,
11c8e3
+					    init_password,
11c8e3
+					    NULL, NULL,
11c8e3
+					    0,
11c8e3
+					    NULL,
11c8e3
+					    krb_options);
11c8e3
+	if (code != 0) {
11c8e3
+		goto done;
11c8e3
+	}
11c8e3
+
11c8e3
+	code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
11c8e3
+	if (code != 0) {
11c8e3
+		goto done;
11c8e3
+	}
11c8e3
+
11c8e3
+	code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
11c8e3
+	if (code != 0) {
11c8e3
+		goto done;
11c8e3
+	}
11c8e3
+
11c8e3
+	/*
11c8e3
+	 * Check if we also need S4U2Proxy or if S4U2Self is
11c8e3
+	 * enough in order to get a ticket for the target.
11c8e3
+	 */
11c8e3
+	if (target_service == NULL) {
11c8e3
+		s4u2proxy = false;
11c8e3
+	} else if (strcmp(target_service, self_service) == 0) {
11c8e3
+		s4u2proxy = false;
11c8e3
+	} else {
11c8e3
+		s4u2proxy = true;
11c8e3
+	}
11c8e3
+
11c8e3
+	code = krb5_parse_name(ctx, self_service, &self_princ);
11c8e3
+	if (code != 0) {
11c8e3
+		goto done;
11c8e3
+	}
11c8e3
+
11c8e3
+	/* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
11c8e3
+	 * client and the request server to be the same principal name. */
11c8e3
+	if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
11c8e3
+		code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
11c8e3
+		goto done;
11c8e3
+	}
11c8e3
+
11c8e3
+	mcreds.client = impersonate_principal;
11c8e3
+	mcreds.server = init_creds.client;
11c8e3
+
11c8e3
+	code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
11c8e3
+					     NULL, &s4u2self_creds);
11c8e3
+	if (code != 0) {
11c8e3
+		goto done;
11c8e3
+	}
11c8e3
+
11c8e3
+	if (s4u2proxy) {
11c8e3
+		code = krb5_parse_name(ctx, target_service, &target_princ);
11c8e3
+		if (code != 0) {
11c8e3
+			goto done;
11c8e3
+		}
11c8e3
+
11c8e3
+		mcreds.client = init_creds.client;
11c8e3
+		mcreds.server = target_princ;
11c8e3
+		mcreds.second_ticket = s4u2self_creds->ticket;
11c8e3
+
11c8e3
+		code = krb5_get_credentials(ctx, options |
11c8e3
+					    KRB5_GC_CONSTRAINED_DELEGATION,
11c8e3
+					    tmp_cc, &mcreds, &s4u2proxy_creds);
11c8e3
+		if (code != 0) {
11c8e3
+			goto done;
11c8e3
+		}
11c8e3
+
11c8e3
+		/* Check KDC support of S4U2Proxy extension */
11c8e3
+		if (!krb5_principal_compare(ctx, s4u2self_creds->client,
11c8e3
+					    s4u2proxy_creds->client)) {
11c8e3
+			code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
11c8e3
+			goto done;
11c8e3
+		}
11c8e3
+
11c8e3
+		store_creds = s4u2proxy_creds;
11c8e3
+	} else {
11c8e3
+		store_creds = s4u2self_creds;;
11c8e3
+
11c8e3
+		/* We need to save the ticket with the requested server name
11c8e3
+		 * or the caller won't be able to find it in cache. */
11c8e3
+		if (!krb5_principal_compare(ctx, self_princ,
11c8e3
+			store_creds->server)) {
11c8e3
+			krb5_free_principal(ctx, store_creds->server);
11c8e3
+			store_creds->server = NULL;
11c8e3
+			code = krb5_copy_principal(ctx, self_princ,
11c8e3
+						   &store_creds->server);
11c8e3
+			if (code != 0) {
11c8e3
+				goto done;
11c8e3
+			}
11c8e3
+		}
11c8e3
+	}
11c8e3
+
11c8e3
+	code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
11c8e3
+	if (code != 0) {
11c8e3
+		goto done;
11c8e3
+	}
11c8e3
+
11c8e3
+	code = krb5_cc_store_cred(ctx, store_cc, store_creds);
11c8e3
+	if (code != 0) {
11c8e3
+		goto done;
11c8e3
+	}
11c8e3
+
11c8e3
+	if (expire_time) {
11c8e3
+		*expire_time = (time_t) store_creds->times.endtime;
11c8e3
+	}
11c8e3
+
11c8e3
+	if (kdc_time) {
11c8e3
+		*kdc_time = (time_t) store_creds->times.starttime;
11c8e3
+	}
11c8e3
+
11c8e3
+done:
11c8e3
+	krb5_cc_destroy(ctx, tmp_cc);
11c8e3
+	krb5_free_cred_contents(ctx, &init_creds);
11c8e3
+	krb5_free_creds(ctx, s4u2self_creds);
11c8e3
+	krb5_free_creds(ctx, s4u2proxy_creds);
11c8e3
+	krb5_free_principal(ctx, self_princ);
11c8e3
+	krb5_free_principal(ctx, target_princ);
11c8e3
+
11c8e3
+	return code;
11c8e3
+}
11c8e3
 #endif
11c8e3
 
11c8e3
 #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
11c8e3
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
11c8e3
index eab67f6d969..b5385c69a33 100644
11c8e3
--- a/lib/krb5_wrap/krb5_samba.h
11c8e3
+++ b/lib/krb5_wrap/krb5_samba.h
11c8e3
@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
11c8e3
 					       krb5_get_init_creds_opt *krb_options,
11c8e3
 					       time_t *expire_time,
11c8e3
 					       time_t *kdc_time);
11c8e3
-#ifdef SAMBA4_USES_HEIMDAL
11c8e3
 krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
11c8e3
 					   krb5_ccache store_cc,
11c8e3
 					   krb5_principal init_principal,
11c8e3
@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
11c8e3
 					   krb5_get_init_creds_opt *krb_options,
11c8e3
 					   time_t *expire_time,
11c8e3
 					   time_t *kdc_time);
11c8e3
-#endif
11c8e3
 
11c8e3
 #if defined(HAVE_KRB5_MAKE_PRINCIPAL)
11c8e3
 #define smb_krb5_make_principal krb5_make_principal
11c8e3
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
11c8e3
index 544d9d853cc..c14d8c72d8c 100644
11c8e3
--- a/source4/auth/kerberos/kerberos_util.c
11c8e3
+++ b/source4/auth/kerberos/kerberos_util.c
11c8e3
@@ -234,9 +234,7 @@ done:
11c8e3
 {
11c8e3
 	krb5_error_code ret;
11c8e3
 	const char *password;
11c8e3
-#ifdef SAMBA4_USES_HEIMDAL
11c8e3
 	const char *self_service;
11c8e3
-#endif
11c8e3
 	const char *target_service;
11c8e3
 	time_t kdc_time = 0;
11c8e3
 	krb5_principal princ;
11c8e3
@@ -268,9 +266,7 @@ done:
11c8e3
 		return ret;
11c8e3
 	}
11c8e3
 
11c8e3
-#ifdef SAMBA4_USES_HEIMDAL
11c8e3
 	self_service = cli_credentials_get_self_service(credentials);
11c8e3
-#endif
11c8e3
 	target_service = cli_credentials_get_target_service(credentials);
11c8e3
 
11c8e3
 	password = cli_credentials_get_password(credentials);
11c8e3
@@ -331,7 +327,6 @@ done:
11c8e3
 #endif
11c8e3
 		if (password) {
11c8e3
 			if (impersonate_principal) {
11c8e3
-#ifdef SAMBA4_USES_HEIMDAL
11c8e3
 				ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
11c8e3
 								 ccache,
11c8e3
 								 princ,
11c8e3
@@ -342,12 +337,6 @@ done:
11c8e3
 								 krb_options,
11c8e3
 								 NULL,
11c8e3
 								 &kdc_time);
11c8e3
-#else
11c8e3
-				talloc_free(mem_ctx);
11c8e3
-				(*error_string) = "INTERNAL error: s4u2 ops "
11c8e3
-					"are not supported with MIT build yet";
11c8e3
-				return EINVAL;
11c8e3
-#endif
11c8e3
 			} else {
11c8e3
 				ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
11c8e3
 								     ccache,
11c8e3
-- 
11c8e3
2.33.1
11c8e3
11c8e3
11c8e3
From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001
11c8e3
From: Isaac Boukris <iboukris@gmail.com>
11c8e3
Date: Sat, 19 Sep 2020 14:16:20 +0200
11c8e3
Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
11c8e3
11c8e3
---
11c8e3
 source4/heimdal/lib/hdb/hdb.h | 1 +
11c8e3
 source4/kdc/db-glue.c         | 8 ++++++--
11c8e3
 source4/kdc/mit_samba.c       | 3 +++
11c8e3
 source4/kdc/sdb.h             | 1 +
11c8e3
 4 files changed, 11 insertions(+), 2 deletions(-)
11c8e3
11c8e3
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
11c8e3
index 5ef9d9565f3..dafaffc6c2d 100644
11c8e3
--- a/source4/heimdal/lib/hdb/hdb.h
11c8e3
+++ b/source4/heimdal/lib/hdb/hdb.h
11c8e3
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
11c8e3
 #define HDB_F_ALL_KVNOS		2048	/* we want all the keys, live or not */
11c8e3
 #define HDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
11c8e3
 #define HDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
11c8e3
+#define HDB_F_FORCE_CANON	16384	/* force canonicalition */
11c8e3
 
11c8e3
 /* hdb_capability_flags */
11c8e3
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
11c8e3
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
11c8e3
index aff74f2ee71..d16b4c3329a 100644
11c8e3
--- a/source4/kdc/db-glue.c
11c8e3
+++ b/source4/kdc/db-glue.c
11c8e3
@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
11c8e3
 			}
11c8e3
 		}
11c8e3
 
11c8e3
-	} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
11c8e3
+	} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
11c8e3
 		ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
11c8e3
 		if (ret) {
11c8e3
 			krb5_clear_error_message(context);
11c8e3
 			goto out;
11c8e3
 		}
11c8e3
-	} else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
11c8e3
+	} else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
11c8e3
 		/*
11c8e3
 		 * SDB_F_CANON maps from the canonicalize flag in the
11c8e3
 		 * packet, and has a different meaning between AS-REQ
11c8e3
 		 * and TGS-REQ.  We only change the principal in the AS-REQ case
11c8e3
+		 *
11c8e3
+		 * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
11c8e3
+		 * the canonical name in all lookups, and takes care to canonicalize
11c8e3
+		 * only when appropriate.
11c8e3
 		 */
11c8e3
 		ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
11c8e3
 		if (ret) {
11c8e3
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
11c8e3
index acc3cba6254..f0b9df8b613 100644
11c8e3
--- a/source4/kdc/mit_samba.c
11c8e3
+++ b/source4/kdc/mit_samba.c
11c8e3
@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
11c8e3
 	if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
11c8e3
 		sflags |= SDB_F_CANON;
11c8e3
 	}
11c8e3
+#if KRB5_KDB_API_VERSION >= 10
11c8e3
+	sflags |= SDB_F_FORCE_CANON;
11c8e3
+#endif
11c8e3
 	if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
11c8e3
 		      KRB5_KDB_FLAG_INCLUDE_PAC)) {
11c8e3
 		/*
11c8e3
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
11c8e3
index c929acccce6..a9115ec23d7 100644
11c8e3
--- a/source4/kdc/sdb.h
11c8e3
+++ b/source4/kdc/sdb.h
11c8e3
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
11c8e3
 #define SDB_F_KVNO_SPECIFIED	128	/* we want a particular KVNO */
11c8e3
 #define SDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
11c8e3
 #define SDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
11c8e3
+#define SDB_F_FORCE_CANON	16384	/* force canonicalition */
11c8e3
 
11c8e3
 void sdb_free_entry(struct sdb_entry_ex *e);
11c8e3
 void free_sdb_entry(struct sdb_entry *s);
11c8e3
-- 
11c8e3
2.33.1
11c8e3