r3451: Finish off kerberos salting patch. Needs testing !

Jeremy. (This used to be commit ff4cb6b5e80731856d6f3f7eebd8fc23902e3580)
author: Jeremy Allison <jra@samba.org> 2004-11-02 02:21:26 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 10:53:07 -0500
commit: 37117a10142e6ad320f994cab4442b12529685ee (patch)
tree: e834a5c6d53d4f210405b1939b35d90c17affcac
parent: 3688bb079e8d817dcfc3b9e5eb9d07e7b95a806f (diff)
download: samba-37117a10142e6ad320f994cab4442b12529685ee.tar.gz
samba-37117a10142e6ad320f994cab4442b12529685ee.tar.bz2
samba-37117a10142e6ad320f994cab4442b12529685ee.zip
3 files changed, 63 insertions, 54 deletions
diff --git a/source3/configure.in b/source3/configure.in
index c7335c5df0..d32d684358 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -2615,27 +2615,7 @@ if test x"$with_ads_support" != x"no"; then
 
   # Do no harm to the values of CFLAGS and LIBS while testing for
   # Kerberos support.
-
-  #################################################
-  # check for krb5-config from recent MIT and Heimdal kerberos 5
-  AC_PATH_PROG(KRB5_CONFIG, krb5-config)
-  AC_MSG_CHECKING(for working krb5-config)
-  if test -x "$KRB5_CONFIG"; then
-    ac_save_CFLAGS=$CFLAGS
-    CFLAGS="";export CFLAGS
-    ac_save_LDFLAGS=$LDFLAGS
-    LDFLAGS="";export LDFLAGS
-    KRB5_LIBS="`$KRB5_CONFIG --libs gssapi`"
-    KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`" 
-    KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
-    CFLAGS=$ac_save_CFLAGS;export CFLAGS
-    LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS
-    FOUND_KRB5=yes
-    AC_MSG_RESULT(yes)
-  else
-    AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy)
-  fi
-  
+ 
   if test x$FOUND_KRB5 = x"no"; then
     #################################################
     # check for location of Kerberos 5 install
@@ -2656,12 +2636,36 @@ if test x"$with_ads_support" != x"no"; then
         KRB5_CPPFLAGS="-I$withval/include"
         KRB5_LDFLAGS="-L$withval/lib"
         FOUND_KRB5=yes
+	if test -x "$withval/bin/krb5-config"; then
+		KRB5_CONFIG=$withval/bin/krb5-config
+	fi
         ;;
       esac ],
       AC_MSG_RESULT(no krb5-path given)
     )
   fi
 
+  #################################################
+  # check for krb5-config from recent MIT and Heimdal kerberos 5
+  AC_PATH_PROG(KRB5_CONFIG, krb5-config)
+  AC_MSG_CHECKING(for working krb5-config)
+  if test -x "$KRB5_CONFIG"; then
+    ac_save_CFLAGS=$CFLAGS
+    CFLAGS="";export CFLAGS
+    ac_save_LDFLAGS=$LDFLAGS
+    LDFLAGS="";export LDFLAGS
+    KRB5_LIBS="`$KRB5_CONFIG --libs gssapi`"
+    KRB5_LDFLAGS="`$KRB5_CONFIG --libs gssapi | sed s/-lgss.*//`"
+    KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`" 
+    KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+    CFLAGS=$ac_save_CFLAGS;export CFLAGS
+    LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS
+    FOUND_KRB5=yes
+    AC_MSG_RESULT(yes)
+  else
+    AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy)
+  fi
+ 
   if test x$FOUND_KRB5 = x"no"; then
     #################################################
     # see if this box has the SuSE location for the heimdal krb implementation
@@ -2700,9 +2704,9 @@ if test x"$with_ads_support" != x"no"; then
   ac_save_CPPFLAGS=$CPPFLAGS
   ac_save_LDFLAGS=$LDFLAGS
 
-  CFLAGS="$CFLAGS $KRB5_CFLAGS"
-  CPPFLAGS="$CPPFLAGS $KRB5_CPPFLAGS"
-  LDFLAGS="$LDFLAGS $KRB5_LDFLAGS"
+  CFLAGS="$KRB5_CFLAGS $CFLAGS"
+  CPPFLAGS="$KRB5_CPPFLAGS $CPPFLAGS"
+  LDFLAGS="$KRB5_LDFLAGS $LDFLAGS"
 
   KRB5_LIBS="$KRB5_LDFLAGS $KRB5_LIBS"
 
@@ -2789,7 +2793,7 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(krb5_c_enctype_compare, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS)
 
-  LIBS="$LIBS $KRB5_LIBS"
+  LIBS="$KRB5_LIBS $LIBS"
   
   AC_CACHE_CHECK([for addrtype in krb5_address],
                 samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS,[
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 140d7550ad..8524fc5d05 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -262,9 +262,8 @@ NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket,
 		goto out;
 	}
 
-	name_to_fqdn(myname, global_myname());
-	strlower_m(myname);
-	asprintf(&host_princ_s, "host/%s@%s", myname, lp_realm());
+	asprintf(&host_princ_s, "%s$", global_myname());
+	strlower_m(host_princ_s);
 	ret = krb5_parse_name(context, host_princ_s, &host_princ);
 	if (ret) {
 		DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
diff --git a/source3/libads/util.c b/source3/libads/util.c
index 9912a7ba83..f5b8873538 100644
--- a/source3/libads/util.c
+++ b/source3/libads/util.c
@@ -24,39 +24,45 @@
 
 ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
 {
-    char *tmp_password;
-    char *password;
-    char *new_password;
-    char *service_principal;
-    ADS_STATUS ret;
-    uint32 sec_channel_type;
+	char *password;
+	char *new_password;
+	char *service_principal;
+	ADS_STATUS ret;
+	uint32 sec_channel_type;
     
-    if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
-	DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
-	return ADS_ERROR_SYSTEM(ENOENT);
-    }
+	if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
+		DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
+		return ADS_ERROR_SYSTEM(ENOENT);
+	}
 
-    tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
-    new_password = strdup(tmp_password);
+	new_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
     
-    asprintf(&service_principal, "HOST/%s", host_principal);
+	asprintf(&service_principal, "HOST/%s", host_principal);
 
-    ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
+	ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
 
-    if (!ADS_ERR_OK(ret)) goto failed;
+	if (!ADS_ERR_OK(ret)) {
+		goto failed;
+	}
 
-    if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
-	    DEBUG(1,("Failed to save machine password\n"));
-	    return ADS_ERROR_SYSTEM(EACCES);
-    }
+	if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
+		DEBUG(1,("Failed to save machine password\n"));
+		ret = ADS_ERROR_SYSTEM(EACCES);
+		goto failed;
+	}
 
-failed:
-    SAFE_FREE(service_principal);
-    SAFE_FREE(new_password);
+	/* Determine if the KDC is salting keys for this principal in a
+	 * non-obvious way. */
+	if (!kerberos_derive_salting_principal(service_principal)) {
+		DEBUG(1,("Failed to determine correct salting principal for %s\n", service_principal));
+		ret = ADS_ERROR_SYSTEM(EACCES);
+		goto failed;
+	}
 
-    return ret;
+failed:
+	SAFE_FREE(service_principal);
+	SAFE_FREE(password);
+	SAFE_FREE(new_password);
+	return ret;
 }
-
-
-
 #endif
author	Jeremy Allison <jra@samba.org>	2004-11-02 02:21:26 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 10:53:07 -0500
commit	37117a10142e6ad320f994cab4442b12529685ee (patch)
tree	e834a5c6d53d4f210405b1939b35d90c17affcac
parent	3688bb079e8d817dcfc3b9e5eb9d07e7b95a806f (diff)
download	samba-37117a10142e6ad320f994cab4442b12529685ee.tar.gz samba-37117a10142e6ad320f994cab4442b12529685ee.tar.bz2 samba-37117a10142e6ad320f994cab4442b12529685ee.zip