kim_error kim_identity_is_tgt_service (kim_identity in_identity, kim_boolean *out_is_tgt_service) { kim_error err = KIM_NO_ERROR; if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_is_tgt_service) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err) { kim_count count = krb5_princ_size (in_identity->context, in_identity->principal); krb5_data *name = krb5_princ_name (in_identity->context, in_identity->principal); /* krbtgt/<REALM1>@<REALM2> (usually REALM1 == REALM2, but not always) */ *out_is_tgt_service = ((count == 2) && (strlen (KRB5_TGS_NAME) == name->length) && (strncmp (name->data, KRB5_TGS_NAME, name->length) == 0)); } return check_error (err); }
int main(int argc, char **argv) { krb5_context kcontext = NULL; krb5_keytab kt = NULL; krb5_keytab_entry entry; krb5_kt_cursor cursor = NULL; krb5_error_code krb5_err; int matched = 0; char svc_name[] = "host"; int svc_name_len = strlen (svc_name); krb5_err = krb5_init_context(&kcontext); if (krb5_err) { goto Error; } krb5_err = krb5_kt_default(kcontext, &kt); if (krb5_err) { goto Error; } krb5_err = krb5_kt_start_seq_get(kcontext, kt, &cursor); if (krb5_err) { goto Error; } while ((matched == 0) && (krb5_err = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0) { krb5_data *nameData = krb5_princ_name (kcontext, entry.principal); if (NULL != nameData->data && svc_name_len == nameData->length && 0 == strncmp (svc_name, nameData->data, nameData->length)) { matched = 1; } krb5_free_keytab_entry_contents(kcontext, &entry); } krb5_err = krb5_kt_end_seq_get(kcontext, kt, &cursor); Error: if (NULL != kt) { krb5_kt_close (kcontext, kt); } if (NULL != kcontext) { krb5_free_context (kcontext); } // Return 0 if we got match or -1 if err or no match return (0 != krb5_err) ? -1 : matched ? 0 : -1; }
krb5_error_code sam_get_db_entry(krb5_context context, krb5_principal client, int *sam_type, struct _krb5_db_entry_new **db_entry) { struct _krb5_db_entry_new *assoc = NULL; krb5_principal newp = NULL; int probeslot; void *ptr = NULL; krb5_error_code retval; if (db_entry) *db_entry = NULL; retval = krb5_copy_principal(context, client, &newp); if (retval) { com_err("krb5kdc", retval, "copying client name for preauth probe"); return retval; } probeslot = krb5_princ_size(context, newp)++; ptr = realloc(krb5_princ_name(context, newp), krb5_princ_size(context, newp) * sizeof(krb5_data)); if (ptr == NULL) { retval = ENOMEM; goto cleanup; } krb5_princ_name(context, newp) = ptr; for(sam_ptr = sam_inst_map; sam_ptr->name; sam_ptr++) { if (*sam_type && *sam_type != sam_ptr->sam_type) continue; krb5_princ_component(context,newp,probeslot)->data = sam_ptr->name; krb5_princ_component(context,newp,probeslot)->length = strlen(sam_ptr->name); retval = krb5_db_get_principal(context, newp, 0, &assoc); if (!retval) break; } cleanup: if (ptr) { krb5_princ_component(context,newp,probeslot)->data = 0; krb5_princ_component(context,newp,probeslot)->length = 0; krb5_free_principal(context, newp); } if (probeslot) krb5_princ_size(context, newp)--; if (retval) return retval; if (sam_ptr->sam_type) { /* Found entry of type sam_ptr->sam_type */ if (sam_type) *sam_type = sam_ptr->sam_type; if (db_entry) *db_entry = assoc; else krb5_db_free_principal(context, assoc); return 0; } else { return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; } }
khm_int32 KHMAPI khm_get_identity_expiration_time(krb5_context ctx, krb5_ccache cc, khm_handle ident, krb5_timestamp * pexpiration) { krb5_principal principal = 0; char * princ_name = NULL; krb5_creds creds; krb5_error_code code; krb5_error_code cc_code; krb5_cc_cursor cur; krb5_timestamp now, expiration = 0; wchar_t w_ident_name[KCDB_IDENT_MAXCCH_NAME]; char ident_name[KCDB_IDENT_MAXCCH_NAME]; khm_size cb; khm_int32 rv = KHM_ERROR_NOT_FOUND; if (!ctx || !cc || !ident || !pexpiration) return KHM_ERROR_GENERAL; code = pkrb5_cc_get_principal(ctx, cc, &principal); if ( code ) return KHM_ERROR_INVALID_PARAM; cb = sizeof(w_ident_name); kcdb_identity_get_name(ident, w_ident_name, &cb); UnicodeStrToAnsi(ident_name, sizeof(ident_name), w_ident_name); code = pkrb5_unparse_name(ctx, principal, &princ_name); /* compare principal to ident. */ if ( code || !princ_name || strcmp(princ_name, ident_name) ) { if (princ_name) pkrb5_free_unparsed_name(ctx, princ_name); pkrb5_free_principal(ctx, principal); return KHM_ERROR_UNKNOWN; } pkrb5_free_unparsed_name(ctx, princ_name); pkrb5_free_principal(ctx, principal); code = pkrb5_timeofday(ctx, &now); if (code) return KHM_ERROR_UNKNOWN; cc_code = pkrb5_cc_start_seq_get(ctx, cc, &cur); while (!(cc_code = pkrb5_cc_next_cred(ctx, cc, &cur, &creds))) { krb5_data * c0 = krb5_princ_name(ctx, creds.server); krb5_data * c1 = krb5_princ_component(ctx, creds.server, 1); krb5_data * r = krb5_princ_realm(ctx, creds.server); if ( c0 && c1 && r && c1->length == r->length && !strncmp(c1->data,r->data,r->length) && !strncmp("krbtgt",c0->data,c0->length) ) { /* we have a TGT, check for the expiration time. * if it is valid and renewable, use the renew time */ if (!(creds.ticket_flags & TKT_FLG_INVALID) && creds.times.starttime < (now + TIMET_TOLERANCE) && (creds.times.endtime + TIMET_TOLERANCE) > now) { expiration = creds.times.endtime; if ((creds.ticket_flags & TKT_FLG_RENEWABLE) && (creds.times.renew_till > creds.times.endtime)) { expiration = creds.times.renew_till; } } } } if (cc_code == KRB5_CC_END) { cc_code = pkrb5_cc_end_seq_get(ctx, cc, &cur); rv = KHM_ERROR_SUCCESS; *pexpiration = expiration; } return rv; }