|
Packit |
fd8b60 |
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
Packit |
fd8b60 |
/*
|
|
Packit |
fd8b60 |
* Copyright 2009 by the Massachusetts Institute of Technology.
|
|
Packit |
fd8b60 |
* All Rights Reserved.
|
|
Packit |
fd8b60 |
*
|
|
Packit |
fd8b60 |
* Export of this software from the United States of America may
|
|
Packit |
fd8b60 |
* require a specific license from the United States Government.
|
|
Packit |
fd8b60 |
* It is the responsibility of any person or organization contemplating
|
|
Packit |
fd8b60 |
* export to obtain such a license before exporting.
|
|
Packit |
fd8b60 |
*
|
|
Packit |
fd8b60 |
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
|
Packit |
fd8b60 |
* distribute this software and its documentation for any purpose and
|
|
Packit |
fd8b60 |
* without fee is hereby granted, provided that the above copyright
|
|
Packit |
fd8b60 |
* notice appear in all copies and that both that copyright notice and
|
|
Packit |
fd8b60 |
* this permission notice appear in supporting documentation, and that
|
|
Packit |
fd8b60 |
* the name of M.I.T. not be used in advertising or publicity pertaining
|
|
Packit |
fd8b60 |
* to distribution of the software without specific, written prior
|
|
Packit |
fd8b60 |
* permission. Furthermore if you modify this software you must label
|
|
Packit |
fd8b60 |
* your software as modified software and not distribute it in such a
|
|
Packit |
fd8b60 |
* fashion that it might be confused with the original M.I.T. software.
|
|
Packit |
fd8b60 |
* M.I.T. makes no representations about the suitability of
|
|
Packit |
fd8b60 |
* this software for any purpose. It is provided "as is" without express
|
|
Packit |
fd8b60 |
* or implied warranty.
|
|
Packit |
fd8b60 |
*/
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
/*
|
|
Packit |
fd8b60 |
* Test program for protocol transition (S4U2Self) and constrained delegation
|
|
Packit |
fd8b60 |
* (S4U2Proxy)
|
|
Packit |
fd8b60 |
*
|
|
Packit |
fd8b60 |
* Note: because of name canonicalization, the following tips may help
|
|
Packit |
fd8b60 |
* when configuring with Active Directory:
|
|
Packit |
fd8b60 |
*
|
|
Packit |
fd8b60 |
* - Create a computer account FOO$
|
|
Packit |
fd8b60 |
* - Set the UPN to host/foo.domain (no suffix); this is necessary to
|
|
Packit |
fd8b60 |
* be able to send an AS-REQ as this principal, otherwise you would
|
|
Packit |
fd8b60 |
* need to use the canonical name (FOO$), which will cause principal
|
|
Packit |
fd8b60 |
* comparison errors in gss_accept_sec_context().
|
|
Packit |
fd8b60 |
* - Add a SPN of host/foo.domain
|
|
Packit |
fd8b60 |
* - Configure the computer account to support constrained delegation with
|
|
Packit |
fd8b60 |
* protocol transition (Trust this computer for delegation to specified
|
|
Packit |
fd8b60 |
* services only / Use any authentication protocol)
|
|
Packit |
fd8b60 |
* - Add host/foo.domain to the keytab (possibly easiest to do this
|
|
Packit |
fd8b60 |
* with ktadd)
|
|
Packit |
fd8b60 |
*
|
|
Packit |
fd8b60 |
* For S4U2Proxy to work the TGT must be forwardable too.
|
|
Packit |
fd8b60 |
*
|
|
Packit |
fd8b60 |
* Usage eg:
|
|
Packit |
fd8b60 |
*
|
|
Packit |
fd8b60 |
* kinit -k -t test.keytab -f 'host/test.win.mit.edu@WIN.MIT.EDU'
|
|
Packit |
fd8b60 |
* ./t_s4u p:delegtest@WIN.MIT.EDU p:HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab
|
|
Packit |
fd8b60 |
*/
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
#include <stdio.h>
|
|
Packit |
fd8b60 |
#include <stdlib.h>
|
|
Packit |
fd8b60 |
#include <string.h>
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
#include "common.h"
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
static int use_spnego = 0;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
static void
|
|
Packit |
fd8b60 |
test_greet_authz_data(gss_name_t *name)
|
|
Packit |
fd8b60 |
{
|
|
Packit |
fd8b60 |
OM_uint32 major, minor;
|
|
Packit |
fd8b60 |
gss_buffer_desc attr;
|
|
Packit |
fd8b60 |
gss_buffer_desc value;
|
|
Packit |
fd8b60 |
gss_name_t canon;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
major = gss_canonicalize_name(&minor, *name, &mech_krb5, &canon);
|
|
Packit |
fd8b60 |
check_gsserr("gss_canonicalize_name", major, minor);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
attr.value = "greet:greeting";
|
|
Packit |
fd8b60 |
attr.length = strlen((char *)attr.value);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
value.value = "Hello, acceptor world!";
|
|
Packit |
fd8b60 |
value.length = strlen((char *)value.value);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
major = gss_set_name_attribute(&minor, canon, 1, &attr, &value);
|
|
Packit |
fd8b60 |
if (major == GSS_S_UNAVAILABLE) {
|
|
Packit |
fd8b60 |
(void)gss_release_name(&minor, &canon);
|
|
Packit |
fd8b60 |
return;
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
check_gsserr("gss_set_name_attribute", major, minor);
|
|
Packit |
fd8b60 |
gss_release_name(&minor, name);
|
|
Packit |
fd8b60 |
*name = canon;
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
static void
|
|
Packit |
fd8b60 |
init_accept_sec_context(gss_cred_id_t claimant_cred_handle,
|
|
Packit |
fd8b60 |
gss_cred_id_t verifier_cred_handle,
|
|
Packit |
fd8b60 |
gss_cred_id_t *deleg_cred_handle)
|
|
Packit |
fd8b60 |
{
|
|
Packit |
fd8b60 |
OM_uint32 major, minor, flags;
|
|
Packit |
fd8b60 |
gss_name_t source_name = GSS_C_NO_NAME, target_name = GSS_C_NO_NAME;
|
|
Packit |
fd8b60 |
gss_ctx_id_t initiator_context, acceptor_context;
|
|
Packit |
fd8b60 |
gss_OID mech = GSS_C_NO_OID;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
*deleg_cred_handle = GSS_C_NO_CREDENTIAL;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
major = gss_inquire_cred(&minor, verifier_cred_handle, &target_name, NULL,
|
|
Packit |
fd8b60 |
NULL, NULL);
|
|
Packit |
fd8b60 |
check_gsserr("gss_inquire_cred", major, minor);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
display_canon_name("Target name", target_name, &mech_krb5);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
mech = use_spnego ? &mech_spnego : &mech_krb5;
|
|
Packit |
fd8b60 |
display_oid("Target mech", mech);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
|
|
Packit |
fd8b60 |
establish_contexts(mech, claimant_cred_handle, verifier_cred_handle,
|
|
Packit |
fd8b60 |
target_name, flags, &initiator_context,
|
|
Packit |
fd8b60 |
&acceptor_context, &source_name, &mech,
|
|
Packit |
fd8b60 |
deleg_cred_handle);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
display_canon_name("Source name", source_name, &mech_krb5);
|
|
Packit |
fd8b60 |
display_oid("Source mech", mech);
|
|
Packit |
fd8b60 |
enumerate_attributes(source_name, 1);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
(void)gss_release_name(&minor, &source_name);
|
|
Packit |
fd8b60 |
(void)gss_release_name(&minor, &target_name);
|
|
Packit |
fd8b60 |
(void)gss_delete_sec_context(&minor, &initiator_context, NULL);
|
|
Packit |
fd8b60 |
(void)gss_delete_sec_context(&minor, &acceptor_context, NULL);
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
static void
|
|
Packit |
fd8b60 |
check_ticket_count(gss_cred_id_t cred, int expected)
|
|
Packit |
fd8b60 |
{
|
|
Packit |
fd8b60 |
krb5_error_code ret;
|
|
Packit |
fd8b60 |
krb5_context context = NULL;
|
|
Packit |
fd8b60 |
krb5_creds kcred;
|
|
Packit |
fd8b60 |
krb5_cc_cursor cur;
|
|
Packit |
fd8b60 |
krb5_ccache ccache;
|
|
Packit |
fd8b60 |
int count = 0;
|
|
Packit |
fd8b60 |
gss_key_value_set_desc store;
|
|
Packit |
fd8b60 |
gss_key_value_element_desc elem;
|
|
Packit |
fd8b60 |
OM_uint32 major, minor;
|
|
Packit |
fd8b60 |
const char *ccname = "MEMORY:count";
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
store.count = 1;
|
|
Packit |
fd8b60 |
store.elements = &ele;;
|
|
Packit |
fd8b60 |
elem.key = "ccache";
|
|
Packit |
fd8b60 |
elem.value = ccname;
|
|
Packit |
fd8b60 |
major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE, &mech_krb5, 1, 0,
|
|
Packit |
fd8b60 |
&store, NULL, NULL);
|
|
Packit |
fd8b60 |
check_gsserr("gss_store_cred_into", major, minor);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
ret = krb5_init_context(&context);
|
|
Packit |
fd8b60 |
check_k5err(context, "krb5_init_context", ret);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
ret = krb5_cc_resolve(context, ccname, &ccache);
|
|
Packit |
fd8b60 |
check_k5err(context, "krb5_cc_resolve", ret);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
ret = krb5_cc_start_seq_get(context, ccache, &cur);
|
|
Packit |
fd8b60 |
check_k5err(context, "krb5_cc_start_seq_get", ret);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
while (!krb5_cc_next_cred(context, ccache, &cur, &kcred)) {
|
|
Packit |
fd8b60 |
if (!krb5_is_config_principal(context, kcred.server))
|
|
Packit |
fd8b60 |
count++;
|
|
Packit |
fd8b60 |
krb5_free_cred_contents(context, &kcred);
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
ret = krb5_cc_end_seq_get(context, ccache, &cur);
|
|
Packit |
fd8b60 |
check_k5err(context, "krb5_cc_end_seq_get", ret);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (expected != count) {
|
|
Packit |
fd8b60 |
printf("Expected %d tickets but got %d\n", expected, count);
|
|
Packit |
fd8b60 |
exit(1);
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
krb5_cc_destroy(context, ccache);
|
|
Packit |
fd8b60 |
krb5_free_context(context);
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
static void
|
|
Packit |
fd8b60 |
constrained_delegate(gss_OID_set desired_mechs, gss_name_t target,
|
|
Packit |
fd8b60 |
gss_cred_id_t delegated_cred_handle,
|
|
Packit |
fd8b60 |
gss_cred_id_t verifier_cred_handle)
|
|
Packit |
fd8b60 |
{
|
|
Packit |
fd8b60 |
OM_uint32 major, minor;
|
|
Packit |
fd8b60 |
gss_ctx_id_t initiator_context = GSS_C_NO_CONTEXT;
|
|
Packit |
fd8b60 |
gss_name_t cred_name = GSS_C_NO_NAME;
|
|
Packit |
fd8b60 |
OM_uint32 time_rec, lifetime;
|
|
Packit |
fd8b60 |
gss_cred_usage_t usage;
|
|
Packit |
fd8b60 |
gss_buffer_desc token;
|
|
Packit |
fd8b60 |
gss_OID_set mechs;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
printf("Constrained delegation tests follow\n");
|
|
Packit |
fd8b60 |
printf("-----------------------------------\n\n");
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (gss_inquire_cred(&minor, verifier_cred_handle, &cred_name,
|
|
Packit |
fd8b60 |
&lifetime, &usage, NULL) == GSS_S_COMPLETE) {
|
|
Packit |
fd8b60 |
display_canon_name("Proxy name", cred_name, &mech_krb5);
|
|
Packit |
fd8b60 |
(void)gss_release_name(&minor, &cred_name);
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
display_canon_name("Target name", target, &mech_krb5);
|
|
Packit |
fd8b60 |
if (gss_inquire_cred(&minor, delegated_cred_handle, &cred_name,
|
|
Packit |
fd8b60 |
&lifetime, &usage, &mechs) == GSS_S_COMPLETE) {
|
|
Packit |
fd8b60 |
display_canon_name("Delegated name", cred_name, &mech_krb5);
|
|
Packit |
fd8b60 |
display_oid("Delegated mech", &mechs->elements[0]);
|
|
Packit |
fd8b60 |
(void)gss_release_name(&minor, &cred_name);
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
printf("\n");
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
major = gss_init_sec_context(&minor, delegated_cred_handle,
|
|
Packit |
fd8b60 |
&initiator_context, target,
|
|
Packit |
fd8b60 |
mechs ? &mechs->elements[0] : &mech_krb5,
|
|
Packit |
fd8b60 |
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
|
|
Packit |
fd8b60 |
GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
|
|
Packit |
fd8b60 |
GSS_C_NO_BUFFER, NULL, &token, NULL,
|
|
Packit |
fd8b60 |
&time_rec);
|
|
Packit |
fd8b60 |
check_gsserr("gss_init_sec_context", major, minor);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
(void)gss_release_buffer(&minor, &token);
|
|
Packit |
fd8b60 |
(void)gss_delete_sec_context(&minor, &initiator_context, NULL);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
/* Ensure a second call does not acquire new ticket. */
|
|
Packit |
fd8b60 |
major = gss_init_sec_context(&minor, delegated_cred_handle,
|
|
Packit |
fd8b60 |
&initiator_context, target,
|
|
Packit |
fd8b60 |
mechs ? &mechs->elements[0] : &mech_krb5,
|
|
Packit |
fd8b60 |
GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
|
|
Packit |
fd8b60 |
GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
|
|
Packit |
fd8b60 |
GSS_C_NO_BUFFER, NULL, &token, NULL,
|
|
Packit |
fd8b60 |
&time_rec);
|
|
Packit |
fd8b60 |
check_gsserr("gss_init_sec_context", major, minor);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
(void)gss_release_buffer(&minor, &token);
|
|
Packit |
fd8b60 |
(void)gss_delete_sec_context(&minor, &initiator_context, NULL);
|
|
Packit |
fd8b60 |
(void)gss_release_oid_set(&minor, &mechs);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
/* We expect three tickets: our TGT, the evidence ticket, and the ticket to
|
|
Packit |
fd8b60 |
* the target service. */
|
|
Packit |
fd8b60 |
check_ticket_count(delegated_cred_handle, 3);
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
int
|
|
Packit |
fd8b60 |
main(int argc, char *argv[])
|
|
Packit |
fd8b60 |
{
|
|
Packit |
fd8b60 |
OM_uint32 minor, major;
|
|
Packit |
fd8b60 |
gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL;
|
|
Packit |
fd8b60 |
gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL;
|
|
Packit |
fd8b60 |
gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL;
|
|
Packit |
fd8b60 |
gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME;
|
|
Packit |
fd8b60 |
gss_OID_set mechs;
|
|
Packit |
fd8b60 |
gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET;
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (argc < 2 || argc > 5) {
|
|
Packit |
fd8b60 |
fprintf(stderr, "Usage: %s [--spnego] [user] "
|
|
Packit |
fd8b60 |
"[proxy-target] [keytab]\n", argv[0]);
|
|
Packit |
fd8b60 |
fprintf(stderr, " proxy-target and keytab are optional\n");
|
|
Packit |
fd8b60 |
exit(1);
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (strcmp(argv[1], "--spnego") == 0) {
|
|
Packit |
fd8b60 |
use_spnego++;
|
|
Packit |
fd8b60 |
argc--;
|
|
Packit |
fd8b60 |
argv++;
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
user = import_name(argv[1]);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (argc > 2 && strcmp(argv[2], "-"))
|
|
Packit |
fd8b60 |
target = import_name(argv[2]);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (argc > 3) {
|
|
Packit |
fd8b60 |
major = krb5_gss_register_acceptor_identity(argv[3]);
|
|
Packit |
fd8b60 |
check_gsserr("krb5_gss_register_acceptor_identity", major, 0);
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
/* Get default cred. */
|
|
Packit |
fd8b60 |
mechs = use_spnego ? &mechset_spnego : &mechset_krb5;
|
|
Packit |
fd8b60 |
major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, mechs,
|
|
Packit |
fd8b60 |
GSS_C_BOTH, &impersonator_cred_handle, NULL,
|
|
Packit |
fd8b60 |
NULL);
|
|
Packit |
fd8b60 |
check_gsserr("gss_acquire_cred", major, minor);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
printf("Protocol transition tests follow\n");
|
|
Packit |
fd8b60 |
printf("-----------------------------------\n\n");
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
test_greet_authz_data(&user);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
/* Get S4U2Self cred. */
|
|
Packit |
fd8b60 |
major = gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle,
|
|
Packit |
fd8b60 |
user, GSS_C_INDEFINITE, mechs,
|
|
Packit |
fd8b60 |
GSS_C_INITIATE,
|
|
Packit |
fd8b60 |
&user_cred_handle, NULL, NULL);
|
|
Packit |
fd8b60 |
check_gsserr("gss_acquire_cred_impersonate_name", major, minor);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
init_accept_sec_context(user_cred_handle, impersonator_cred_handle,
|
|
Packit |
fd8b60 |
&delegated_cred_handle);
|
|
Packit |
fd8b60 |
printf("\n");
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (target != GSS_C_NO_NAME &&
|
|
Packit |
fd8b60 |
delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
|
|
Packit |
fd8b60 |
constrained_delegate(mechs, target, delegated_cred_handle,
|
|
Packit |
fd8b60 |
impersonator_cred_handle);
|
|
Packit |
fd8b60 |
} else if (target != GSS_C_NO_NAME) {
|
|
Packit |
fd8b60 |
fprintf(stderr, "Warning: no delegated cred handle returned\n\n");
|
|
Packit |
fd8b60 |
fprintf(stderr, "Verify:\n\n");
|
|
Packit |
fd8b60 |
fprintf(stderr, " - The TGT for the impersonating service is "
|
|
Packit |
fd8b60 |
"forwardable\n");
|
|
Packit |
fd8b60 |
fprintf(stderr, " - The T2A4D flag set on the impersonating service's "
|
|
Packit |
fd8b60 |
"UAC\n");
|
|
Packit |
fd8b60 |
fprintf(stderr, " - The user is not marked sensitive and cannot be "
|
|
Packit |
fd8b60 |
"delegated\n");
|
|
Packit |
fd8b60 |
fprintf(stderr, "\n");
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if (delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
|
|
Packit |
fd8b60 |
/* Inquire impersonator status. */
|
|
Packit |
fd8b60 |
major = gss_inquire_cred_by_oid(&minor, user_cred_handle,
|
|
Packit |
fd8b60 |
GSS_KRB5_GET_CRED_IMPERSONATOR,
|
|
Packit |
fd8b60 |
&bufset);
|
|
Packit |
fd8b60 |
check_gsserr("gss_inquire_cred_by_oid", major, minor);
|
|
Packit |
fd8b60 |
if (bufset->count == 0)
|
|
Packit |
fd8b60 |
errout("gss_inquire_cred_by_oid(user) returned NO impersonator");
|
|
Packit |
fd8b60 |
(void)gss_release_buffer_set(&minor, &bufset);
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
major = gss_inquire_cred_by_oid(&minor, impersonator_cred_handle,
|
|
Packit |
fd8b60 |
GSS_KRB5_GET_CRED_IMPERSONATOR,
|
|
Packit |
fd8b60 |
&bufset);
|
|
Packit |
fd8b60 |
check_gsserr("gss_inquire_cred_by_oid", major, minor);
|
|
Packit |
fd8b60 |
if (bufset->count != 0)
|
|
Packit |
fd8b60 |
errout("gss_inquire_cred_by_oid(svc) returned an impersonator");
|
|
Packit |
fd8b60 |
(void)gss_release_buffer_set(&minor, &bufset);
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
(void)gss_release_name(&minor, &user);
|
|
Packit |
fd8b60 |
(void)gss_release_name(&minor, &target);
|
|
Packit |
fd8b60 |
(void)gss_release_cred(&minor, &delegated_cred_handle);
|
|
Packit |
fd8b60 |
(void)gss_release_cred(&minor, &impersonator_cred_handle);
|
|
Packit |
fd8b60 |
(void)gss_release_cred(&minor, &user_cred_handle);
|
|
Packit |
fd8b60 |
return 0;
|
|
Packit |
fd8b60 |
}
|