summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSimo Sorce <idra@samba.org>2012-04-25 17:29:09 -0400
committerSimo Sorce <idra@samba.org>2012-05-04 16:51:28 +0200
commit38a5a2c5c59029889d6c7c6dc80ab087956ca651 (patch)
tree91cef3faaa076439ea4497dc2b84be4577780bdb
parentaa1a0d80de8b8c9116f5d5b576e2422d104e6b75 (diff)
downloadsamba-38a5a2c5c59029889d6c7c6dc80ab087956ca651.tar.gz
samba-38a5a2c5c59029889d6c7c6dc80ab087956ca651.tar.bz2
samba-38a5a2c5c59029889d6c7c6dc80ab087956ca651.zip
Move kerberos_kinit_keyblock_cc to krb5samba lib
Make it also work with MIT where krb5_get_in_tkt_with_keyblock is not available.
-rw-r--r--lib/krb5_wrap/krb5_samba.c91
-rw-r--r--lib/krb5_wrap/krb5_samba.h7
-rw-r--r--source3/configure.in1
-rw-r--r--source4/auth/kerberos/kerberos.c48
-rw-r--r--source4/auth/kerberos/kerberos.h7
-rwxr-xr-x[-rw-r--r--]source4/heimdal_build/wscript_configure1
-rw-r--r--wscript_configure_krb53
7 files changed, 102 insertions, 56 deletions
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index ffbd8d42ad..c853b7558d 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1556,6 +1556,97 @@ krb5_error_code smb_krb5_get_creds(const char *server_s,
}
/*
+ simulate a kinit, putting the tgt in the given credentials cache.
+ Orignally by remus@snapserver.com
+
+ This version is built to use a keyblock, rather than needing the
+ original password.
+
+ The impersonate_principal is the principal if NULL, or the principal
+ to impersonate
+
+ The target_service defaults to the krbtgt if NULL, but could be
+ kpasswd/realm or the local service (if we are doing s4u2self)
+*/
+krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
+ krb5_principal principal,
+ krb5_keyblock *keyblock,
+ const char *target_service,
+ krb5_get_init_creds_opt *krb_options,
+ time_t *expire_time,
+ time_t *kdc_time)
+{
+ krb5_error_code code = 0;
+ krb5_creds my_creds;
+
+#if defined(HAVE_KRB5_GET_INIT_CREDS_KEYBLOCK)
+ code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal,
+ keyblock, 0, target_service,
+ krb_options);
+#elif defined(HAVE_KRB5_GET_INIT_CREDS_KEYTAB)
+{
+#define SMB_CREDS_KEYTAB "MEMORY:tmp_smb_creds_XXXXXX"
+ char tmp_name[sizeof(SMB_CREDS_KEYTAB)];
+ krb5_keytab_entry entry;
+ krb5_keytab keytab;
+
+ memset(&entry, 0, sizeof(entry));
+ entry.principal = principal;
+ *(KRB5_KT_KEY(&entry)) = *keyblock;
+
+ memcpy(tmp_name, SMB_CREDS_KEYTAB, sizeof(SMB_CREDS_KEYTAB));
+ mktemp(tmp_name);
+ if (tmp_name[0] == 0) {
+ return KRB5_KT_BADNAME;
+ }
+ code = krb5_kt_resolve(ctx, tmp_name, &keytab);
+ if (code) {
+ return code;
+ }
+
+ code = krb5_kt_add_entry(ctx, keytab, &entry);
+ if (code) {
+ (void)krb5_kt_close(ctx, keytab);
+ goto done;
+ }
+
+ code = krb5_get_init_creds_keytab(ctx, &my_creds, principal,
+ keytab, 0, target_service,
+ krb_options);
+ (void)krb5_kt_close(ctx, keytab);
+}
+#else
+#error krb5_get_init_creds_keyblock not available!
+#endif
+ if (code) {
+ return code;
+ }
+
+ code = krb5_cc_initialize(ctx, cc, principal);
+ if (code) {
+ goto done;
+ }
+
+ code = krb5_cc_store_cred(ctx, cc, &my_creds);
+ if (code) {
+ goto done;
+ }
+
+ if (expire_time) {
+ *expire_time = (time_t) my_creds.times.endtime;
+ }
+
+ if (kdc_time) {
+ *kdc_time = (time_t) my_creds.times.starttime;
+ }
+
+ code = 0;
+done:
+ krb5_free_cred_contents(ctx, &my_creds);
+ return code;
+}
+
+/*
* smb_krb5_principal_get_realm
*
* @brief Get realm of a principal
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 6a0f9dc2fd..771c43de44 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -198,6 +198,13 @@ krb5_error_code smb_krb5_get_creds(const char *server_s,
const char *cc,
const char *impersonate_princ_s,
krb5_creds **creds_p);
+krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
+ krb5_principal principal,
+ krb5_keyblock *keyblock,
+ const char *target_service,
+ krb5_get_init_creds_opt *krb_options,
+ time_t *expire_time,
+ time_t *kdc_time);
char *smb_krb5_principal_get_realm(krb5_context context,
krb5_principal principal);
diff --git a/source3/configure.in b/source3/configure.in
index 0253e076dc..8790ea713b 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3614,6 +3614,7 @@ if test x"$with_ads_support" != x"no"; then
AC_CHECK_FUNC_EXT(krb5_get_credentials_for_user, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_host_realm, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_init_creds_keytab, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gsskrb5_extract_authz_data_from_sec_context, $KRB5_LIBS)
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index 0fc9d143ab..b4e989d2ae 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -30,54 +30,6 @@
/*
simulate a kinit, putting the tgt in the given credentials cache.
Orignally by remus@snapserver.com
-
- This version is built to use a keyblock, rather than needing the
- original password.
-
- The impersonate_principal is the principal if NULL, or the principal to impersonate
-
- The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self)
-*/
- krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
- krb5_principal principal, krb5_keyblock *keyblock,
- const char *target_service,
- krb5_get_init_creds_opt *krb_options,
- time_t *expire_time, time_t *kdc_time)
-{
- krb5_error_code code = 0;
- krb5_creds my_creds;
-
- if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock,
- 0, target_service, krb_options))) {
- return code;
- }
-
- if ((code = krb5_cc_initialize(ctx, cc, principal))) {
- krb5_free_cred_contents(ctx, &my_creds);
- return code;
- }
-
- if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
- krb5_free_cred_contents(ctx, &my_creds);
- return code;
- }
-
- if (expire_time) {
- *expire_time = (time_t) my_creds.times.endtime;
- }
-
- if (kdc_time) {
- *kdc_time = (time_t) my_creds.times.starttime;
- }
-
- krb5_free_cred_contents(ctx, &my_creds);
-
- return 0;
-}
-
-/*
- simulate a kinit, putting the tgt in the given credentials cache.
- Orignally by remus@snapserver.com
The impersonate_principal is the principal if NULL, or the principal to impersonate
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index cc02aee27f..018f6b80b1 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -74,13 +74,6 @@ const krb5_data *krb5_princ_component(krb5_context context, krb5_principal princ
#endif
/* Samba wrapper function for krb5 functionality. */
-krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
- krb5_principal principal, const char *password,
- krb5_principal impersonate_principal,
- const char *self_service,
- const char *target_service,
- krb5_get_init_creds_opt *krb_options,
- time_t *expire_time, time_t *kdc_time);
krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
krb5_principal principal, krb5_keyblock *keyblock,
const char *target_service,
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index 1c03b34106..6383880229 100644..100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -114,6 +114,7 @@ conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC', 1)
conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_FREE', 1)
conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR', 1)
conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST', 1)
+conf.define('HAVE_KRB5_GET_INIT_CREDS_KEYBLOCK', 1)
conf.define('HAVE_KRB5_GET_PW_SALT', 1)
conf.define('HAVE_KRB5_GET_RENEWED_CREDS', 1)
conf.define('HAVE_KRB5_KEYBLOCK_KEYVALUE', 1)
diff --git a/wscript_configure_krb5 b/wscript_configure_krb5
index 2fb1c586fd..1faa212e5f 100644
--- a/wscript_configure_krb5
+++ b/wscript_configure_krb5
@@ -57,7 +57,8 @@ conf.CHECK_FUNCS('''
krb5_get_init_creds_opt_free krb5_get_init_creds_opt_get_error
krb5_enctype_to_string krb5_fwd_tgt_creds krb5_auth_con_set_req_cksumtype
krb5_get_creds_opt_alloc krb5_get_creds_opt_set_impersonate krb5_get_creds
- krb5_get_credentials_for_user krb5_get_host_realm krb5_free_host_realm''',
+ krb5_get_credentials_for_user krb5_get_host_realm krb5_free_host_realm
+ krb5_get_init_creds_keyblock krb5_get_init_creds_keytab''',
lib='krb5 k5crypto')
conf.CHECK_DECLS('''krb5_get_credentials_for_user
krb5_auth_con_set_req_cksumtype''',