kim_error kim_identity_is_tgt_service (kim_identity in_identity,
kim_boolean *out_is_tgt_service)
{
kim_error err = KIM_NO_ERROR;
if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !out_is_tgt_service) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err) {
kim_count count = krb5_princ_size (in_identity->context, in_identity->principal);
krb5_data *name = krb5_princ_name (in_identity->context, in_identity->principal);
/* krbtgt/<REALM1>@<REALM2> (usually REALM1 == REALM2, but not always) */
*out_is_tgt_service = ((count == 2) &&
(strlen (KRB5_TGS_NAME) == name->length) &&
(strncmp (name->data, KRB5_TGS_NAME, name->length) == 0));
}
return check_error (err);
}
int
main(int argc, char **argv)
{
krb5_context kcontext = NULL;
krb5_keytab kt = NULL;
krb5_keytab_entry entry;
krb5_kt_cursor cursor = NULL;
krb5_error_code krb5_err;
int matched = 0;
char svc_name[] = "host";
int svc_name_len = strlen (svc_name);
krb5_err = krb5_init_context(&kcontext);
if (krb5_err) { goto Error; }
krb5_err = krb5_kt_default(kcontext, &kt);
if (krb5_err) { goto Error; }
krb5_err = krb5_kt_start_seq_get(kcontext, kt, &cursor);
if (krb5_err) { goto Error; }
while ((matched == 0) && (krb5_err = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0) {
krb5_data *nameData = krb5_princ_name (kcontext, entry.principal);
if (NULL != nameData->data && svc_name_len == nameData->length
&& 0 == strncmp (svc_name, nameData->data, nameData->length)) {
matched = 1;
}
krb5_free_keytab_entry_contents(kcontext, &entry);
}
krb5_err = krb5_kt_end_seq_get(kcontext, kt, &cursor);
Error:
if (NULL != kt) { krb5_kt_close (kcontext, kt); }
if (NULL != kcontext) { krb5_free_context (kcontext); }
// Return 0 if we got match or -1 if err or no match
return (0 != krb5_err) ? -1 : matched ? 0 : -1;
}
krb5_error_code
sam_get_db_entry(krb5_context context, krb5_principal client,
int *sam_type, struct _krb5_db_entry_new **db_entry)
{
struct _krb5_db_entry_new *assoc = NULL;
krb5_principal newp = NULL;
int probeslot;
void *ptr = NULL;
krb5_error_code retval;
if (db_entry)
*db_entry = NULL;
retval = krb5_copy_principal(context, client, &newp);
if (retval) {
com_err("krb5kdc", retval, "copying client name for preauth probe");
return retval;
}
probeslot = krb5_princ_size(context, newp)++;
ptr = realloc(krb5_princ_name(context, newp),
krb5_princ_size(context, newp) * sizeof(krb5_data));
if (ptr == NULL) {
retval = ENOMEM;
goto cleanup;
}
krb5_princ_name(context, newp) = ptr;
for(sam_ptr = sam_inst_map; sam_ptr->name; sam_ptr++) {
if (*sam_type && *sam_type != sam_ptr->sam_type)
continue;
krb5_princ_component(context,newp,probeslot)->data = sam_ptr->name;
krb5_princ_component(context,newp,probeslot)->length =
strlen(sam_ptr->name);
retval = krb5_db_get_principal(context, newp, 0, &assoc);
if (!retval)
break;
}
cleanup:
if (ptr) {
krb5_princ_component(context,newp,probeslot)->data = 0;
krb5_princ_component(context,newp,probeslot)->length = 0;
krb5_free_principal(context, newp);
}
if (probeslot)
krb5_princ_size(context, newp)--;
if (retval)
return retval;
if (sam_ptr->sam_type) {
/* Found entry of type sam_ptr->sam_type */
if (sam_type)
*sam_type = sam_ptr->sam_type;
if (db_entry)
*db_entry = assoc;
else
krb5_db_free_principal(context, assoc);
return 0;
} else {
return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
}
}
khm_int32 KHMAPI
khm_get_identity_expiration_time(krb5_context ctx, krb5_ccache cc,
khm_handle ident,
krb5_timestamp * pexpiration)
{
krb5_principal principal = 0;
char * princ_name = NULL;
krb5_creds creds;
krb5_error_code code;
krb5_error_code cc_code;
krb5_cc_cursor cur;
krb5_timestamp now, expiration = 0;
wchar_t w_ident_name[KCDB_IDENT_MAXCCH_NAME];
char ident_name[KCDB_IDENT_MAXCCH_NAME];
khm_size cb;
khm_int32 rv = KHM_ERROR_NOT_FOUND;
if (!ctx || !cc || !ident || !pexpiration)
return KHM_ERROR_GENERAL;
code = pkrb5_cc_get_principal(ctx, cc, &principal);
if ( code )
return KHM_ERROR_INVALID_PARAM;
cb = sizeof(w_ident_name);
kcdb_identity_get_name(ident, w_ident_name, &cb);
UnicodeStrToAnsi(ident_name, sizeof(ident_name), w_ident_name);
code = pkrb5_unparse_name(ctx, principal, &princ_name);
/* compare principal to ident. */
if ( code || !princ_name ||
strcmp(princ_name, ident_name) ) {
if (princ_name)
pkrb5_free_unparsed_name(ctx, princ_name);
pkrb5_free_principal(ctx, principal);
return KHM_ERROR_UNKNOWN;
}
pkrb5_free_unparsed_name(ctx, princ_name);
pkrb5_free_principal(ctx, principal);
code = pkrb5_timeofday(ctx, &now);
if (code)
return KHM_ERROR_UNKNOWN;
cc_code = pkrb5_cc_start_seq_get(ctx, cc, &cur);
while (!(cc_code = pkrb5_cc_next_cred(ctx, cc, &cur, &creds))) {
krb5_data * c0 = krb5_princ_name(ctx, creds.server);
krb5_data * c1 = krb5_princ_component(ctx, creds.server, 1);
krb5_data * r = krb5_princ_realm(ctx, creds.server);
if ( c0 && c1 && r && c1->length == r->length &&
!strncmp(c1->data,r->data,r->length) &&
!strncmp("krbtgt",c0->data,c0->length) ) {
/* we have a TGT, check for the expiration time.
* if it is valid and renewable, use the renew time
*/
if (!(creds.ticket_flags & TKT_FLG_INVALID) &&
creds.times.starttime < (now + TIMET_TOLERANCE) &&
(creds.times.endtime + TIMET_TOLERANCE) > now) {
expiration = creds.times.endtime;
if ((creds.ticket_flags & TKT_FLG_RENEWABLE) &&
(creds.times.renew_till > creds.times.endtime)) {
expiration = creds.times.renew_till;
}
}
}
}
if (cc_code == KRB5_CC_END) {
cc_code = pkrb5_cc_end_seq_get(ctx, cc, &cur);
rv = KHM_ERROR_SUCCESS;
*pexpiration = expiration;
}
return rv;
}
