authorJeremy Allison <jra@samba.org>2004-11-02 21:28:14 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:53:07 -0500
commit917a53cc5875a7ea0384b906dd262b619eb2178e (patch)
tree269ebeabd508a25eed00d1627cff3c1265376a18
parent951ebacf452ea03e5abe6652b1adc09b845f0d92 (diff)
r3492: Fixes from testing kerberos salted principal fix.
Jeremy. (This used to be commit b356a8fdc5a1ac45f2f7f56a0836e794bdecddc6)
-rw-r--r--source3/libads/kerberos.c74
-rw-r--r--source3/libads/kerberos_keytab.c2
-rw-r--r--source3/utils/net_ads.c14
3 files changed, 66 insertions, 24 deletions
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 6004bc8098..32f5951c9f 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -362,8 +362,8 @@ static krb5_error_code get_service_ticket(krb5_context ctx,
}
if ((err = krb5_get_credentials(ctx, 0, ccache, &creds, &new_creds))) {
- DEBUG(5,("get_service_ticket: krb5_get_credentials for %s failed: %s\n",
- service_s, error_message(err)));
+ DEBUG(5,("get_service_ticket: krb5_get_credentials for %s enctype %d failed: %s\n",
+ service_s, enctype, error_message(err)));
goto out;
}
@@ -602,23 +602,12 @@ static void kerberos_derive_salting_principal_for_enctype(const char *service_pr
Go through all the possible enctypes for this principal.
************************************************************************/
- void kerberos_derive_salting_principal(krb5_context context,
+static void kerberos_derive_salting_principal_direct(krb5_context context,
krb5_ccache ccache,
krb5_enctype *enctypes,
char *service_principal)
{
int i;
- BOOL free_ccache = False;
-
- if (ccache == NULL) {
- krb5_error_code ret;
- if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
- DEBUG(0, ("kerberos_derive_salting_principal: krb5_cc_resolve for %s failed: %s\n",
- LIBADS_CCACHE_NAME, error_message(ret)));
- return;
- }
- free_ccache = True;
- }
/* Try for each enctype separately, because the rules are
* different for different enctypes. */
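Review bot: The renamed `kerberos_derive_salting_principal_direct` drops the NULL-ccache fallback that the removed lines provided, so every caller must now pass an already resolved credential cache, but the header comment kept above the definition still only says "Go through all the possible enctypes for this principal." and does not state that precondition. Add a line to that comment such as `ccache must already be resolved; the NULL fallback now lives in kerberos_derive_salting_principal().` so the next caller does not hand in NULL as ads_keytab_add_entry used to. The function body continues outside the hunk.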
@@ -640,9 +629,48 @@ static void kerberos_derive_salting_principal_for_enctype(const char *service_pr
enctypes[i],
enctypes);
}
+}
- if (free_ccache && ccache) {
- krb5_cc_close(context, ccache);
+/************************************************************************
+ Wrapper function for the above.
+ ************************************************************************/
+
+void kerberos_derive_salting_principal(char *service_principal)
+{
+ krb5_context context = NULL;
+ krb5_enctype *enctypes = NULL;
+ krb5_ccache ccache = NULL;
+ krb5_error_code ret = 0;
+
+ initialize_krb5_error_table();
+ if ((ret = krb5_init_context(&context)) != 0) {
+ DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. %s\n",
+ error_message(ret)));
+ return;
+ }
+ if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) {
+ DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n",
+ error_message(ret)));
+ goto out;
+ }
+
+ if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
+ DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n",
+ LIBADS_CCACHE_NAME, error_message(ret)));
+ goto out;
+ }
+
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service_principal);
+
+ out:
+ if (enctypes) {
+ free_kerberos_etypes(context, enctypes);
+ }
+ if (ccache) {
+ krb5_cc_destroy(context, ccache);
+ }
+ if (context) {
+ krb5_free_context(context);
}
}
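Review bot: The wrapper defined at the top of this hunk is declared `void kerberos_derive_salting_principal(char *service_principal)`, yet the new net_ads.c hunk tests its result with `if (!kerberos_derive_salting_principal(machine_account))`, which cannot compile against a void function; the body needs a result — return type `BOOL`, a local initialised to `False`, set to `True` after the `_direct` call, and returned after the cleanup at `out:` — and the net_ads.c hunk shares this defect. The DEBUG prefixes on the `krb5_init_context`, `get_kerberos_allowed_etypes` and `krb5_cc_resolve` failure paths name `kerberos_derive_cifs_salting_principals` and `get_service_ticket` rather than this function, which will misdirect anyone reading the log at level 1 or 3; `kerberos_derive_salting_principal:` is the prefix that belongs here. The cleanup also changes how the shared `LIBADS_CCACHE_NAME` cache is released, from `krb5_cc_close` in the removed code to `krb5_cc_destroy`, which removes the cache rather than just dropping the handle; if anything else expects that cache to persist this deserves either a comment stating the cache is treated as scratch or a return to `krb5_cc_close`.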
@@ -681,38 +709,38 @@ BOOL kerberos_derive_cifs_salting_principals(void)
if (asprintf(&service, "%s$", global_myname()) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "cifs/%s", global_myname()) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "host/%s", global_myname()) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "cifs/%s.%s", global_myname(), lp_realm()) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "host/%s.%s", global_myname(), lp_realm()) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
name_to_fqdn(my_fqdn, global_myname());
if (asprintf(&service, "cifs/%s", my_fqdn) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "host/%s", my_fqdn) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 90f5a376d6..97374508ab 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -128,7 +128,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
}
/* Guess at how the KDC is salting keys for this principal. */
- kerberos_derive_salting_principal(context, NULL, enctypes, princ_s);
+ kerberos_derive_salting_principal(princ_s);
ret = krb5_parse_name(context, princ_s, &princ);
if (ret) {
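Review bot: `ads_keytab_add_entry` already holds a `context` and `enctypes` (both were passed on the removed line), so the new call makes the wrapper run `krb5_init_context` and `get_kerberos_allowed_etypes` a second time for state this function has already set up; if a resolved ccache is available here, calling `kerberos_derive_salting_principal_direct(context, ccache, enctypes, princ_s)` would avoid the duplicate initialisation. Since the wrapper is defined void in this commit, a failure to derive the salt is only logged inside it and this code proceeds to `krb5_parse_name` regardless; a comment such as `/* Best-effort: salt derivation failures are logged by the wrapper, not reported here. */` would make that explicit for the reader. The enclosing function starts and continues outside the hunk.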
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 2202ee11e2..9efa45e58f 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -823,6 +823,20 @@ int net_ads_join(int argc, const char **argv)
return -1;
}
+#ifdef HAVE_KRB5
+ if (!kerberos_derive_salting_principal(machine_account)) {
+ DEBUG(1,("Failed to determine salting principal\n"));
+ ads_destroy(&ads);
+ return -1;
+ }
+
+ if (!kerberos_derive_cifs_salting_principals()) {
+ DEBUG(1,("Failed to determine salting principals\n"));
+ ads_destroy(&ads);
+ return -1;
+ }
+#endif
+
if (!secrets_store_domain_sid(short_domain_name, &dom_sid)) {
DEBUG(1,("Failed to save domain sid\n"));
ads_destroy(&ads);