From 9d6847c8f0187a0dd6466420335b5460de5c449e Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 2 Jan 2019 16:54:28 -0500
Subject: Improve S4U2Self realm identification internals

Realm identification for S4U2Self requests ([MS-SFU] 3.1.5.1.1.1) uses the AS code path with some differences: we might want to include a subject certificate in pa-data, we want to stop as soon as we get a reply indicating which realm the client is in, and we want to communicate that realm to the caller. The current method of making these changes is fragile--it uses an optimistic preauth type but does not actually pre-authenticate, and it assumes that the AS code will terminate with a predictable error if there is no prompter and a trivial GAK function. Instead, add fields to krb5_get_init_creds_context for realm identification, and support them in the AS state machine, making sure never to invoke preauth modules. Add a new library-internal function k5_identify_realm() to set up an appropriate context, run the state machine, and copy out the client principal of the last request on success.
---
 src/tests/gssapi/t_s4u.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
(limited to 'src/tests/gssapi/t_s4u.py')
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 164fec8..7aff9af 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -198,14 +198,12 @@ r1.run(['./t_s4u', 'p:' + r2.user_princ, '-', r1.keytab], env=no_default,
 # that we start at the server realm.
 mark('cross-realm S4U2Self with enterprise name')
 msgs = ('Getting initial credentials for enterprise\\@abc@SREALM',
- 'Processing preauth types: PA-FOR-X509-USER (130)',
 'Sending unauthenticated request',
 '/Realm not local to KDC',
 'Following referral to realm UREALM',
- 'Processing preauth types: PA-FOR-X509-USER (130)',
 'Sending unauthenticated request',
 '/Additional pre-authentication required',
- '/Generic preauthentication failure',
+ 'Identified realm of client principal as UREALM',
 'Getting credentials enterprise\\@abc@UREALM -> user@SREALM',
 'TGS reply is for enterprise\@abc@UREALM -> user@SREALM')
 r1.run(['./t_s4u', 'e:enterprise@abc@NOREALM', '-', r1.keytab],
-- cgit v1.1
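Review bot: The new expectation `'Identified realm of client principal as UREALM'` pins the success path, but the property the commit message calls out — that realm identification never invokes a preauth module — is not checked: dropping the two `'Processing preauth types: PA-FOR-X509-USER (130)'` entries from `msgs` stops requiring them, and if `msgs` is matched as an in-order positive trace (as it appears to be), it cannot notice if they reappear. If the harness exposes the trace output from `r1.run`, a negative check after this call along the lines of `if 'Processing preauth types' in out: fail('realm identification invoked a preauth module')` would turn the commit's "never invoke preauth modules" claim into a regression test; adjust to whatever the test helpers actually provide. A second, unrelated nit on a context line the hunk carries: `'TGS reply is for enterprise\@abc@UREALM -> user@SREALM'` uses the invalid escape `\@` (a DeprecationWarning/SyntaxWarning on recent Pythons) where the neighbouring strings write `\\@`; it happens to yield the same text today, but `'...enterprise\\@abc@UREALM...'` is the intended spelling. The `r1.run([...` call on the hunk's last line continues outside the hunk.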