Commit fb77f69b authored by Jakub Moscicki's avatar Jakub Moscicki

support multiple proxy principals

parent d9af2e60
......@@ -18,6 +18,8 @@
# http://k5wiki.kerberos.org/wiki/Manual_Testing#Services4User_testing
#
#
# 2017-03-07 v 0.3 Jakub Moscicki <jakub.moscicki@cern.ch>
# - support multiple proxy principals
# 2013-10-14 v 0.2 Jaroslaw Polok <jaroslaw.polok@cern.ch>
# - some verbose info
# 2013-10-13 v 0.1 Jaroslaw Polok <jaroslaw.polok@cern.ch>
......@@ -74,7 +76,7 @@ errorout("At least one of -c(ache) or -e(xecute) must be specified, see kS4U --h
my($krb5ccache,$tempccache,$krb5keytab,$krb5princ,$krb5princ_for_user,$krb5princ_for_proxy,
$krb5creds,$krb5creds_out,$krb5ccache_out,$outccache);
$krb5creds,@krb5creds_out,$krb5ccache_out,$outccache);
Authen::Krb5::init_context() or errorout(Authen::Krb5::error()." while initializing context.",1);
Authen::Krb5::init_ets() or errorout(Authen::Krb5::error()." while initializing error tables.",1);
......@@ -101,13 +103,18 @@ if (!$proxy) {
msg("Acquiring credentials for user ($user) for service ($service) using credentials of principal ($service) [S4U2Self]") if ($verbose);
$krb5creds_out = Authen::Krb5::get_credentials_for_user($krb5princ_for_user, $krb5princ, $krb5ccache) or errorout(Authen::Krb5::error()." while getting credentials for user ($user).",1);
my $creds = Authen::Krb5::get_credentials_for_user($krb5princ_for_user, $krb5princ, $krb5ccache) or errorout(Authen::Krb5::error()." while getting credentials for user ($user).",1);
push @krb5creds_out, $creds
} else {
msg("Acquiring credentials for user ($user) for service ($proxy) using credentials of principal ($service) [S4U2Proxy]") if ($verbose);
foreach my $p (split(',', $proxy)) {
msg("Acquiring credentials for user ($user) for service ($p) using credentials of principal ($service) [S4U2Proxy]") if ($verbose);
$krb5princ_for_proxy = Authen::Krb5::parse_name($proxy) or errorout(Authen::Krb5::error()." while parsing for user principal ($proxy).",1);
$krb5creds_out = Authen::Krb5::get_credentials_for_proxy($krb5princ_for_user,$krb5princ,$krb5princ_for_proxy,$krb5ccache,$krb5keytab) or errorout(Authen::Krb5::error()." while getting user ($user) credentials for proxy ($proxy).",1);
$krb5princ_for_proxy = Authen::Krb5::parse_name($p) or errorout(Authen::Krb5::error()." while parsing for user principal ($p).",1);
my $creds = Authen::Krb5::get_credentials_for_proxy($krb5princ_for_user,$krb5princ,$krb5princ_for_proxy,$krb5ccache,$krb5keytab) or errorout(Authen::Krb5::error()." while getting user ($user) credentials for proxy ($p).",1);
push @krb5creds_out, $creds
}
}
if($ccache) {
......@@ -120,7 +127,9 @@ $krb5ccache_out = Authen::Krb5::cc_resolve($outccache) or errorout(Authen::Krb5:
$krb5ccache_out->initialize($krb5princ_for_user) or errorout(Authen::Krb5::error()." while initalizing ccache. ($outccache).",1);
$krb5ccache_out->store_cred($krb5creds_out) or errorout(Authen::Krb5::error()." while storing user ($user) credentials in ccache ($outccache).",1);
for my $creds (@krb5creds_out) {
$krb5ccache_out->store_cred($creds) or errorout(Authen::Krb5::error()." while storing user ($user) credentials in ccache ($outccache).",1);
}
if ($ccache) {
msg("Kerberos ccache for user ($user) for service ($service) [S4U2Self]: ") if (!$proxy && $verbose);
......@@ -195,10 +204,12 @@ Obtain credentials on behalf of USER Kerberos principal (can be specified as USE
Use this SERVICE1 principal to obtain credentials for user (can be specified as SERVICE1/HOST.DOMAIN[@REALM])
=item B<--proxy SERVICE2>
=item B<--proxy SERVICE2,...>
SERVICE1 principal is used to obtain credentials for SERVICE2 for user USER (can be specified as SERVICE2/HOST.DOMAIN[@REALM])
Multiple proxy services may be seperated by commas.
=item B<--keytab KEYTAB>
Kerberos keytab file containing key(s) for SERVICE1.
......
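Review bot: The comma split in the new S4U2Proxy loop (`foreach my $p (split(',', $proxy))`) hands any surrounding whitespace straight to `Authen::Krb5::parse_name`, so a value like `--proxy 'svc1/host, svc2/host'` most likely requests a ticket for a principal named ` svc2/host` instead of the intended one, and the KDC error that follows will not say why; trimming and dropping empty entries keeps the names exact, e.g. `foreach my $p (grep { length } split(/\s*,\s*/, $proxy)) {`. The two `push @krb5creds_out, $creds` lines only parse because they are the last statement in their block; adding the trailing semicolon avoids a syntax error the next time a line is appended there. `$krb5princ_for_proxy` is still the file-level variable from the earlier hunk and is overwritten on each iteration, so only the last proxy principal survives the loop — if nothing downstream reads it, a loop-local `my $krb5princ_for_proxy` would make that explicit. The POD line in the last hunk spells "separated" as "seperated". The enclosing `if (!$proxy) { ... } else { ... }` block starts before this hunk.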