summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2010-01-30 19:24:28 -0800
committerJeremy Allison <jra@samba.org>2010-01-30 19:24:28 -0800
commit687e4eba3cced6015fdcaac2c6ba675cdebc1273 (patch)
tree9e184ef885def723674ea725e9f064c04e18729b
parentf42971c520360e69c4cdd64bebb02a5f5ba49b94 (diff)
downloadsamba-687e4eba3cced6015fdcaac2c6ba675cdebc1273.tar.gz
samba-687e4eba3cced6015fdcaac2c6ba675cdebc1273.tar.bz2
samba-687e4eba3cced6015fdcaac2c6ba675cdebc1273.zip
Fix bug #7079 - cliconnect gets realm wrong with trusted domains.
Passing NULL as dest_realm for cli_session_setup_spnego() was always using our own realm (as for a NetBIOS name). Change this to look for the mapped realm using krb5_get_host_realm() if the destination machine name is a DNS name (contains a '.'). Could get fancier with DNS name detection (length, etc.) but this will do for now. Jeremy.
-rw-r--r--source3/configure.in15
-rw-r--r--source3/include/proto.h2
-rw-r--r--source3/libads/kerberos.c52
-rw-r--r--source3/libsmb/cliconnect.c25
4 files changed, 91 insertions, 3 deletions
diff --git a/source3/configure.in b/source3/configure.in
index 7740b3a7fc..f64110b9d4 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3660,6 +3660,9 @@ if test x"$with_ads_support" != x"no"; then
AC_CHECK_FUNC_EXT(krb5_get_creds_opt_set_impersonate, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_creds, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_credentials_for_user, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_host_realm, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS)
+
# MIT krb5 1.8 does not expose this call (yet)
AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>])
@@ -4002,6 +4005,18 @@ if test x"$with_ads_support" != x"no"; then
[Whether the WRFILE:-keytab is supported])
fi
+ AC_CACHE_CHECK([for krb5_realm type],
+ samba_cv_HAVE_KRB5_REALM_TYPE,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_realm realm;],
+ samba_cv_HAVE_KRB5_REALM_TYPE=yes,
+ samba_cv_HAVE_KRB5_REALM_TYPE=no)])
+
+ if test x"$samba_cv_HAVE_KRB5_REALM_TYPE" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5_REALM_TYPE,1,
+ [Whether the type krb5_realm exists])
+ fi
+
AC_CACHE_CHECK([for krb5_princ_realm returns krb5_realm or krb5_data],
samba_cv_KRB5_PRINC_REALM_RETURNS_REALM,[
AC_TRY_COMPILE([#include <krb5.h>],
diff --git a/source3/include/proto.h b/source3/include/proto.h
index f0ccc92c46..fa4a40c435 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1795,6 +1795,8 @@ char* kerberos_standard_des_salt( void );
bool kerberos_secrets_store_des_salt( const char* salt );
char* kerberos_secrets_fetch_des_salt( void );
char *kerberos_get_default_realm_from_ccache( void );
+char *kerberos_get_realm_from_hostname(const char *hostname);
+
bool kerberos_secrets_store_salting_principal(const char *service,
int enctype,
const char *principal);
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index af8ea39370..7fb4ec33e4 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -525,6 +525,58 @@ char *kerberos_get_default_realm_from_ccache( void )
return realm;
}
+/************************************************************************
+ Routine to get the realm from a given DNS name. Returns malloc'ed memory.
+ Caller must free() if the return value is not NULL.
+************************************************************************/
+
+char *kerberos_get_realm_from_hostname(const char *hostname)
+{
+#if defined(HAVE_KRB5_GET_HOST_REALM) && defined(HAVE_KRB5_FREE_HOST_REALM)
+#if defined(HAVE_KRB5_REALM_TYPE)
+ /* Heimdal. */
+ krb5_realm *realm_list = NULL;
+#else
+ /* MIT */
+ char **realm_list = NULL;
+#endif
+ char *realm = NULL;
+ krb5_error_code kerr;
+ krb5_context ctx = NULL;
+
+ initialize_krb5_error_table();
+ if (krb5_init_context(&ctx)) {
+ return NULL;
+ }
+
+ kerr = krb5_get_host_realm(ctx, hostname, &realm_list);
+ if (kerr != 0) {
+ DEBUG(3,("kerberos_get_realm_from_hostname %s: "
+ "failed %s\n",
+ hostname ? hostname : "(NULL)",
+ error_message(kerr) ));
+ goto out;
+ }
+
+ if (realm_list && realm_list[0]) {
+ realm = SMB_STRDUP(realm_list[0]);
+ }
+
+ out:
+
+ if (ctx) {
+ if (realm_list) {
+ krb5_free_host_realm(ctx, realm_list);
+ realm_list = NULL;
+ }
+ krb5_free_context(ctx);
+ ctx = NULL;
+ }
+ return realm;
+#else
+ return NULL;
+#endif
+}
/************************************************************************
Routine to get the salting principal for this service. This is
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 31f848cb00..a81cb06839 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1287,6 +1287,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
host = strchr_m(cli->desthost, '.');
if (host) {
+ /* We had a '.' in the name. */
machine = SMB_STRNDUP(cli->desthost,
host - cli->desthost);
} else {
@@ -1300,11 +1301,29 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
realm = SMB_STRDUP(dest_realm);
strupper_m(realm);
} else {
- realm = kerberos_get_default_realm_from_ccache();
+ if (host) {
+ /* DNS name. */
+ realm = kerberos_get_realm_from_hostname(cli->desthost);
+ } else {
+ /* NetBIOS name - use our realm. */
+ realm = kerberos_get_default_realm_from_ccache();
+ }
}
+
if (realm && *realm) {
- principal = talloc_asprintf(NULL, "%s$@%s",
- machine, realm);
+ if (host) {
+ /* DNS name. */
+ principal = talloc_asprintf(talloc_tos(),
+ "cifs/%s@%s",
+ cli->desthost,
+ realm);
+ } else {
+ /* NetBIOS name, use machine account. */
+ principal = talloc_asprintf(talloc_tos(),
+ "%s$@%s",
+ machine,
+ realm);
+ }
if (!principal) {
SAFE_FREE(machine);
SAFE_FREE(realm);