summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-11-27 02:02:44 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:46:48 -0500
commitef9ec9583d2efa78220edd65bd93ead955792b3e (patch)
treeceb1db3a20eea16762dafdce39760715d4650655
parenteb4fbaeee283a517cdb778bde9aba5a26d31334d (diff)
downloadsamba-ef9ec9583d2efa78220edd65bd93ead955792b3e.tar.gz
samba-ef9ec9583d2efa78220edd65bd93ead955792b3e.tar.bz2
samba-ef9ec9583d2efa78220edd65bd93ead955792b3e.zip
r11930: Add socket/packet handling code for kpasswdd
Allow ticket requests with only a netbios name to be considered 'null' addresses, and therefore allowed by default. Use the netbios address as the workstation name for the allowed workstations check with krb5. Andrew Bartlett (This used to be commit 328fa186f2df5cdd42be679d92b5f07f7ed22d87)
-rw-r--r--source4/heimdal/kdc/kerberos5.c20
-rw-r--r--source4/kdc/kdc.c16
-rw-r--r--source4/kdc/pac-glue.c21
3 files changed, 52 insertions, 5 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 3577a14e5f..ccfa35b638 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -758,11 +758,27 @@ check_addresses(krb5_context context,
krb5_error_code ret;
krb5_address addr;
krb5_boolean result;
-
+ krb5_boolean only_netbios = TRUE;
+ int i;
+
if(config->check_ticket_addresses == 0)
return TRUE;
- if(addresses == NULL)
+ if(addresses == NULL)
+ return config->allow_null_ticket_addresses;
+
+ for (i = 0; i < addresses->len; ++i) {
+ if (addresses->val[i].addr_type != KRB5_ADDRESS_NETBIOS) {
+ only_netbios = FALSE;
+ }
+ }
+
+ /* Windows sends it's netbios name, which I can only assume is
+ * used for the 'allowed workstations' check. This is painful, but
+ * we still want to check IP addresses if they happen to be
+ * present. */
+
+ if(only_netbios)
return config->allow_null_ticket_addresses;
ret = krb5_sockaddr2address (context, from, &addr);
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 4e7865b5f9..f220357708 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -388,6 +388,19 @@ void kpasswdd_tcp_accept(struct stream_connection *conn)
kdcconn->kdc = kdc;
kdcconn->process = kpasswdd_process;
conn->private = kdcconn;
+ kdcconn->packet = packet_init(kdcconn);
+ if (kdcconn->packet == NULL) {
+ stream_terminate_connection(conn, "kdc_tcp_accept: out of memory");
+ return;
+ }
+ packet_set_private(kdcconn->packet, kdcconn);
+ packet_set_socket(kdcconn->packet, conn->socket);
+ packet_set_callback(kdcconn->packet, kdc_tcp_recv);
+ packet_set_full_request(kdcconn->packet, packet_full_request_u32);
+ packet_set_error_handler(kdcconn->packet, kdc_tcp_recv_error);
+ packet_set_event_context(kdcconn->packet, conn->event.ctx);
+ packet_set_fde(kdcconn->packet, conn->event.fde);
+ packet_set_serialise(kdcconn->packet);
}
static const struct stream_server_ops kpasswdd_tcp_stream_ops = {
@@ -556,9 +569,6 @@ static void kdc_task_init(struct task_server *task)
}
krb5_kdc_default_config(kdc->config);
- /* NAT and the like make this pointless, and painful */
- kdc->config->check_ticket_addresses = FALSE;
-
initialize_krb5_error_table();
ret = smb_krb5_init_context(kdc, &kdc->smb_krb5_context);
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 03b53fa3af..bd4d3e6a2f 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -324,6 +324,8 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData
TALLOC_CTX *tmp_ctx = talloc_new(entry_ex->private);
struct hdb_ldb_private *private = talloc_get_type(entry_ex->private, struct hdb_ldb_private);
char *name, *workstation = NULL;
+ int i;
+
if (!tmp_ctx) {
return ENOMEM;
}
@@ -331,7 +333,26 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData
ret = krb5_unparse_name(context, entry_ex->entry.principal, &name);
if (ret != 0) {
talloc_free(tmp_ctx);
+ return ret;
}
+
+ for (i=0; i < addresses->len; i++) {
+ if (addresses->val->addr_type == KRB5_ADDRESS_NETBIOS) {
+ workstation = talloc_strndup(tmp_ctx, addresses->val->address.data, MIN(addresses->val->address.length, 15));
+ if (workstation) {
+ break;
+ }
+ }
+ }
+
+ /* Strip space padding */
+ if (workstation) {
+ i = MIN(strlen(workstation), 15);
+ for (; i > 0 && workstation[i - 1] == ' '; i--) {
+ workstation[i - 1] = '\0';
+ }
+ }
+
nt_status = authsam_account_ok(tmp_ctx,
private->samdb,
MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,