summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2004-07-11 10:47:41 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:56:56 -0500
commitbd38d43214ebe71715776f1c0c1b9edf6e1b28ef (patch)
tree37a226d61dcef6feb8b64f8d3e6a9d308c275582
parent0f3f9090faa0f35b5ead4a4ac6801a5caa43766c (diff)
downloadsamba-bd38d43214ebe71715776f1c0c1b9edf6e1b28ef.tar.gz
samba-bd38d43214ebe71715776f1c0c1b9edf6e1b28ef.tar.bz2
samba-bd38d43214ebe71715776f1c0c1b9edf6e1b28ef.zip
r1443: More changes towards Kerberos in Samba4's GENSEC.
The kerberos context is now tied in life to the GENSEC context. Andrew Bartlett (This used to be commit 64e99170c3b53a14d7f8d29cf78283f2bc22c1f7)
-rw-r--r--source4/libcli/auth/clikrb5.c139
-rw-r--r--source4/libcli/auth/kerberos.h17
2 files changed, 24 insertions, 132 deletions
diff --git a/source4/libcli/auth/clikrb5.c b/source4/libcli/auth/clikrb5.c
index cf0c4b6424..17824ceefe 100644
--- a/source4/libcli/auth/clikrb5.c
+++ b/source4/libcli/auth/clikrb5.c
@@ -23,16 +23,6 @@
#ifdef HAVE_KRB5
-#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE
-#define KRB5_KEY_TYPE(k) ((k)->keytype)
-#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
-#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
-#else
-#define KRB5_KEY_TYPE(k) ((k)->enctype)
-#define KRB5_KEY_LENGTH(k) ((k)->length)
-#define KRB5_KEY_DATA(k) ((k)->contents)
-#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
-
#ifndef HAVE_KRB5_SET_REAL_TIME
/*
* This function is not in the Heimdal mainline.
@@ -160,7 +150,8 @@
}
#endif
- void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt)
+void get_auth_data_from_tkt(TALLOC_CTX *mem_ctx,
+ DATA_BLOB *auth_data, krb5_ticket *tkt)
{
#if defined(HAVE_KRB5_TKT_ENC_PART2)
if (tkt->enc_part2)
@@ -286,12 +277,12 @@ static BOOL ads_cleanup_expired_creds(krb5_context context,
/*
we can't use krb5_mk_req because w2k wants the service to be in a particular format
*/
-static krb5_error_code ads_krb5_mk_req(krb5_context context,
- krb5_auth_context *auth_context,
- const krb5_flags ap_req_options,
- const char *principal,
- krb5_ccache ccache,
- krb5_data *outbuf)
+ krb5_error_code ads_krb5_mk_req(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_flags ap_req_options,
+ const char *principal,
+ krb5_ccache ccache,
+ krb5_data *outbuf)
{
krb5_error_code retval;
krb5_principal server;
@@ -374,111 +365,6 @@ cleanup_princ:
return retval;
}
-/*
- get a kerberos5 ticket for the given service
-*/
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
- DATA_BLOB *ticket, DATA_BLOB *session_key_krb5)
-{
- krb5_error_code retval;
- krb5_data packet;
- krb5_context context = NULL;
- krb5_ccache ccdef = NULL;
- krb5_auth_context auth_context = NULL;
- krb5_enctype enc_types[] = {
-#ifdef ENCTYPE_ARCFOUR_HMAC
- ENCTYPE_ARCFOUR_HMAC,
-#endif
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_DES_CBC_CRC,
- ENCTYPE_NULL};
-
- retval = krb5_init_context(&context);
- if (retval) {
- DEBUG(1,("krb5_init_context failed (%s)\n",
- error_message(retval)));
- goto failed;
- }
-
- if (time_offset != 0) {
- krb5_set_real_time(context, time(NULL) + time_offset, 0);
- }
-
- if ((retval = krb5_cc_default(context, &ccdef))) {
- DEBUG(1,("krb5_cc_default failed (%s)\n",
- error_message(retval)));
- goto failed;
- }
-
- if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
- DEBUG(1,("krb5_set_default_tgs_ktypes failed (%s)\n",
- error_message(retval)));
- goto failed;
- }
-
- if ((retval = ads_krb5_mk_req(context,
- &auth_context,
- AP_OPTS_USE_SUBKEY,
- principal,
- ccdef, &packet))) {
- goto failed;
- }
-
- get_krb5_smb_session_key(context, auth_context, session_key_krb5, False);
-
- *ticket = data_blob(packet.data, packet.length);
-
-/* Hmm, heimdal dooesn't have this - what's the correct call? */
-#ifdef HAVE_KRB5_FREE_DATA_CONTENTS
- krb5_free_data_contents(context, &packet);
-#endif
-
-failed:
-
- if ( context ) {
-/* Removed by jra. They really need to fix their kerberos so we don't leak memory.
- JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
- SuSE 9.1 Pro
-*/
- if (ccdef)
-#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */
- krb5_cc_close(context, ccdef);
-#endif
- if (auth_context)
- krb5_auth_con_free(context, auth_context);
- krb5_free_context(context);
- }
-
- return retval;
-}
-
- BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote)
- {
- krb5_keyblock *skey;
- krb5_error_code err;
- BOOL ret = False;
-
- memset(session_key, 0, 16);
-
- if (remote)
- err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
- else
- err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
- if (err == 0 && skey != NULL) {
- DEBUG(10, ("Got KRB5 session key of length %d\n", KRB5_KEY_LENGTH(skey)));
- *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
- dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
-
- ret = True;
-
- krb5_free_keyblock(context, skey);
- } else {
- DEBUG(10, ("KRB5 error getting session key %d\n", err));
- }
-
- return ret;
- }
-
#if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i )
@@ -502,13 +388,4 @@ failed:
#endif
}
-#else /* HAVE_KRB5 */
- /* this saves a few linking headaches */
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
- DATA_BLOB *ticket, DATA_BLOB *session_key_krb5)
-{
- DEBUG(0,("NO KERBEROS SUPPORT\n"));
- return 1;
-}
-
#endif
diff --git a/source4/libcli/auth/kerberos.h b/source4/libcli/auth/kerberos.h
index 6f63f6eef2..193a1a9438 100644
--- a/source4/libcli/auth/kerberos.h
+++ b/source4/libcli/auth/kerberos.h
@@ -21,6 +21,16 @@
#if defined(HAVE_KRB5)
+#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE
+#define KRB5_KEY_TYPE(k) ((k)->keytype)
+#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
+#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
+#else
+#define KRB5_KEY_TYPE(k) ((k)->enctype)
+#define KRB5_KEY_LENGTH(k) ((k)->length)
+#define KRB5_KEY_DATA(k) ((k)->contents)
+#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
+
#ifndef HAVE_KRB5_SET_REAL_TIME
krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
#endif
@@ -40,11 +50,16 @@ void krb5_free_unparsed_name(krb5_context ctx, char *val);
/* Samba wrapper function for krb5 functionality. */
void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr);
int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype);
-void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt);
krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
void free_kerberos_etypes(krb5_context context, krb5_enctype *enctypes);
BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote);
+krb5_error_code ads_krb5_mk_req(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_flags ap_req_options,
+ const char *principal,
+ krb5_ccache ccache,
+ krb5_data *outbuf);
#endif /* HAVE_KRB5 */