diff options
author | Günther Deschner <gd@samba.org> | 2009-11-27 15:52:57 +0100 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2009-11-27 16:36:00 +0100 |
commit | 04f8c229de7ffad5f4ec1a0bb68c2c8b4ccf4e15 (patch) | |
tree | 5ec206577ccfe1626198427d757b993c3a21f475 | |
parent | 23d77be6cb8847cbdad859269faf59fea30b27b8 (diff) | |
download | samba-04f8c229de7ffad5f4ec1a0bb68c2c8b4ccf4e15.tar.gz samba-04f8c229de7ffad5f4ec1a0bb68c2c8b4ccf4e15.tar.bz2 samba-04f8c229de7ffad5f4ec1a0bb68c2c8b4ccf4e15.zip |
s3-kerberos: only use krb5 headers where required.
This seems to be the only way to deal with mixed heimdal/MIT setups during
merged build.
Guenther
-rw-r--r-- | client/cifs.upcall.c | 1 | ||||
-rw-r--r-- | source3/configure.in | 5 | ||||
-rw-r--r-- | source3/include/ads.h | 71 | ||||
-rw-r--r-- | source3/include/includes.h | 170 | ||||
-rw-r--r-- | source3/include/krb5_protos.h | 148 | ||||
-rw-r--r-- | source3/include/smb_krb5.h | 72 | ||||
-rw-r--r-- | source3/libads/ads_status.c | 1 | ||||
-rw-r--r-- | source3/libads/authdata.c | 1 | ||||
-rw-r--r-- | source3/libads/kerberos.c | 1 | ||||
-rw-r--r-- | source3/libads/kerberos_keytab.c | 1 | ||||
-rw-r--r-- | source3/libads/kerberos_verify.c | 1 | ||||
-rw-r--r-- | source3/libads/krb5_errs.c | 1 | ||||
-rw-r--r-- | source3/libads/krb5_setpw.c | 1 | ||||
-rw-r--r-- | source3/libnet/libnet.h | 1 | ||||
-rw-r--r-- | source3/libsmb/cliconnect.c | 1 | ||||
-rw-r--r-- | source3/libsmb/clikrb5.c | 4 | ||||
-rw-r--r-- | source3/libsmb/clispnego.c | 1 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 1 | ||||
-rw-r--r-- | source3/utils/ntlm_auth.c | 1 | ||||
-rw-r--r-- | source3/winbindd/winbindd_cred_cache.c | 2 | ||||
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 1 |
21 files changed, 257 insertions, 229 deletions
diff --git a/client/cifs.upcall.c b/client/cifs.upcall.c index 063e4237f4..bfc70d15ed 100644 --- a/client/cifs.upcall.c +++ b/client/cifs.upcall.c @@ -27,6 +27,7 @@ create dns_resolver * * /usr/local/sbin/cifs.upcall %k #include "includes.h" #include "../libcli/auth/spnego.h" +#include "smb_krb5.h" #include <keyutils.h> #include <getopt.h> diff --git a/source3/configure.in b/source3/configure.in index 693fe6a061..95e91c2eee 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -3375,10 +3375,7 @@ if test x"$with_ads_support" != x"no"; then samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER=no)]) if test x"$samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER" = x"yes"; then - AC_DEFINE(KRB5_DEPRECATED, 1, - [Whether to use deprecated krb5 interfaces]) - else - AC_DEFINE(KRB5_DEPRECATED,, + AC_DEFINE(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER, 1, [Whether to use deprecated krb5 interfaces]) fi fi diff --git a/source3/include/ads.h b/source3/include/ads.h index 30f0b1fc0c..d0bae80845 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -8,6 +8,24 @@ #include "../libds/common/flags.h" +/* + * This should be under the HAVE_KRB5 flag but since they're used + * in lp_kerberos_method(), they ned to be always available + */ +#define KERBEROS_VERIFY_SECRETS 0 +#define KERBEROS_VERIFY_SYSTEM_KEYTAB 1 +#define KERBEROS_VERIFY_DEDICATED_KEYTAB 2 +#define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3 + +/* + * If you add any entries to the above, please modify the below expressions + * so they remain accurate. + */ +#define USE_KERBEROS_KEYTAB (KERBEROS_VERIFY_SECRETS != lp_kerberos_method()) +#define USE_SYSTEM_KEYTAB \ + ((KERBEROS_VERIFY_SECRETS_AND_KEYTAB == lp_kerberos_method()) || \ + (KERBEROS_VERIFY_SYSTEM_KEYTAB == lp_kerberos_method())) + #define TOK_ID_KRB_AP_REQ ((const uint8_t *)"\x01\x00") #define TOK_ID_KRB_AP_REP ((const uint8_t *)"\x02\x00") #define TOK_ID_KRB_ERROR ((const uint8_t *)"\x03\x00") @@ -226,62 +244,9 @@ typedef void **ADS_MODLIST; /* Kerberos environment variable names */ #define KRB5_ENV_CCNAME "KRB5CCNAME" -/* Heimdal uses a slightly different name */ -#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) -#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5 -#endif - -/* The older versions of heimdal that don't have this - define don't seem to use it anyway. I'm told they - always use a subkey */ -#ifndef HAVE_AP_OPTS_USE_SUBKEY -#define AP_OPTS_USE_SUBKEY 0 -#endif - #define WELL_KNOWN_GUID_COMPUTERS "AA312825768811D1ADED00C04FD8D5CD" #define WELL_KNOWN_GUID_USERS "A9D1CA15768811D1ADED00C04FD8D5CD" -#ifndef KRB5_ADDR_NETBIOS -#define KRB5_ADDR_NETBIOS 0x14 -#endif - -#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG -#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L) -#endif - -#ifdef HAVE_KRB5 -typedef struct { -#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ - krb5_address **addrs; -#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */ - krb5_addresses *addrs; -#else -#error UNKNOWN_KRB5_ADDRESS_TYPE -#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */ -} smb_krb5_addresses; - -#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */ -#define KRB5_KEY_TYPE(k) ((k)->keytype) -#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length) -#define KRB5_KEY_DATA(k) ((k)->keyvalue.data) -#define KRB5_KEY_DATA_CAST void -#else /* MIT */ -#define KRB5_KEY_TYPE(k) ((k)->enctype) -#define KRB5_KEY_LENGTH(k) ((k)->length) -#define KRB5_KEY_DATA(k) ((k)->contents) -#define KRB5_KEY_DATA_CAST krb5_octet -#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ - -#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */ -#define KRB5_KT_KEY(k) (&(k)->key) -#elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */ -#define KRB5_KT_KEY(k) (&(k)->keyblock) -#else -#error krb5_keytab_entry has no key or keyblock member -#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */ - -#endif /* HAVE_KRB5 */ - enum ads_extended_dn_flags { ADS_EXTENDED_DN_HEX_STRING = 0, ADS_EXTENDED_DN_STRING = 1 /* not supported on win2k */ diff --git a/source3/include/includes.h b/source3/include/includes.h index 438b346445..37cb611a91 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -20,11 +20,6 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ -/* work around broken krb5.h on sles9 */ -#ifdef SIZEOF_LONG -#undef SIZEOF_LONG -#endif - #include "../replace/replace.h" /* make sure we have included the correct config.h */ @@ -146,9 +141,7 @@ #endif #endif /* HAVE_NETGROUP */ -#if HAVE_KRB5_H -#include <krb5.h> -#else +#ifndef HAVE_KRB5_H #undef HAVE_KRB5 #endif @@ -929,167 +922,6 @@ char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...) PRINTF_ATT #define XATTR_REPLACE 0x2 /* set value, fail if attr does not exist */ #endif -/* - * This should be under the HAVE_KRB5 flag but since they're used - * in lp_kerberos_method(), they ned to be always available - */ -#define KERBEROS_VERIFY_SECRETS 0 -#define KERBEROS_VERIFY_SYSTEM_KEYTAB 1 -#define KERBEROS_VERIFY_DEDICATED_KEYTAB 2 -#define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3 - -/* - * If you add any entries to the above, please modify the below expressions - * so they remain accurate. - */ -#define USE_KERBEROS_KEYTAB (KERBEROS_VERIFY_SECRETS != lp_kerberos_method()) -#define USE_SYSTEM_KEYTAB \ - ((KERBEROS_VERIFY_SECRETS_AND_KEYTAB == lp_kerberos_method()) || \ - (KERBEROS_VERIFY_SYSTEM_KEYTAB == lp_kerberos_method())) - -#if defined(HAVE_KRB5) -krb5_error_code smb_krb5_parse_name(krb5_context context, - const char *name, /* in unix charset */ - krb5_principal *principal); - -krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx, - krb5_context context, - krb5_const_principal principal, - char **unix_name); - -#ifndef HAVE_KRB5_SET_REAL_TIME -krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds); -#endif - -krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc); - -#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) -krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock); -#endif - -#ifndef HAVE_KRB5_FREE_UNPARSED_NAME -void krb5_free_unparsed_name(krb5_context ctx, char *val); -#endif - -/* Stub out initialize_krb5_error_table since it is not present in all - * Kerberos implementations. If it's not present, it's not necessary to - * call it. - */ -#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE -#define initialize_krb5_error_table() -#endif - -/* Samba wrapper function for krb5 functionality. */ -bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr); -int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt); -bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt); -krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt); -krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); -#if defined(HAVE_KRB5_LOCATE_KDC) -krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); -#endif -krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes); -bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote); -krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry); -krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype); -void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype); -bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2); -void kerberos_free_data_contents(krb5_context context, krb5_data *pdata); -NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx, - DATA_BLOB *pac_data_blob, - krb5_context context, - krb5_keyblock *service_keyblock, - krb5_const_principal client_principal, - time_t tgs_authtime, - struct PAC_DATA **pac_data_out); -void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum, - struct PAC_SIGNATURE_DATA *sig); -krb5_error_code smb_krb5_verify_checksum(krb5_context context, - const krb5_keyblock *keyblock, - krb5_keyusage usage, - krb5_checksum *cksum, - uint8 *data, - size_t length); -time_t get_authtime_from_tkt(krb5_ticket *tkt); -void smb_krb5_free_ap_req(krb5_context context, - krb5_ap_req *ap_req); -krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, - const krb5_data *inbuf, - krb5_kvno *kvno, - krb5_enctype *enctype); -krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context, - krb5_auth_context *auth_context, - const krb5_data *inbuf, - krb5_const_principal server, - krb5_keytab keytab, - krb5_flags *ap_req_options, - krb5_ticket **ticket, - krb5_keyblock **keyblock); -krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, - const char *name, - krb5_principal *principal); -bool smb_krb5_principal_compare_any_realm(krb5_context context, - krb5_const_principal princ1, - krb5_const_principal princ2); -int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, - uint32 extra_ap_opts, const char *ccname, - time_t *tgs_expire, - const char *impersonate_princ_s); -krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time); -krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code); -krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr); -krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr); -NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error); -krb5_error_code nt_status_to_krb5(NTSTATUS nt_status); -void smb_krb5_free_error(krb5_context context, krb5_error *krberror); -krb5_error_code handle_krberror_packet(krb5_context context, - krb5_data *packet); - -void smb_krb5_get_init_creds_opt_free(krb5_context context, - krb5_get_init_creds_opt *opt); -krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context, - krb5_get_init_creds_opt **opt); -krb5_error_code smb_krb5_mk_error(krb5_context context, - krb5_error_code error_code, - const krb5_principal server, - krb5_data *reply); -krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry); -krb5_error_code smb_krb5_enctype_to_string(krb5_context context, - krb5_enctype enctype, - char **etype_s); -krb5_error_code smb_krb5_open_keytab(krb5_context context, - const char *keytab_name, - bool write_access, - krb5_keytab *keytab); -krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx, - krb5_context context, - krb5_keytab keytab, - const char **keytab_name); -int smb_krb5_kt_add_entry_ext(krb5_context context, - krb5_keytab keytab, - krb5_kvno kvno, - const char *princ_s, - krb5_enctype *enctypes, - krb5_data password, - bool no_salt, - bool keep_old_entries); -krb5_error_code smb_krb5_get_credentials(krb5_context context, - krb5_ccache ccache, - krb5_principal me, - krb5_principal server, - krb5_principal impersonate_princ, - krb5_creds **out_creds); -krb5_error_code smb_krb5_get_creds(const char *server_s, - time_t time_offset, - const char *cc, - const char *impersonate_princ_s, - krb5_creds **creds_p); -char *smb_krb5_principal_get_realm(krb5_context context, - krb5_principal principal); -#endif /* HAVE_KRB5 */ - - #ifdef HAVE_LDAP /* function declarations not included in proto.h */ diff --git a/source3/include/krb5_protos.h b/source3/include/krb5_protos.h new file mode 100644 index 0000000000..4f8521b167 --- /dev/null +++ b/source3/include/krb5_protos.h @@ -0,0 +1,148 @@ +/* work around broken krb5.h on sles9 */ +#ifdef SIZEOF_LONG +#undef SIZEOF_LONG +#endif + + +#if defined(HAVE_KRB5) +krb5_error_code smb_krb5_parse_name(krb5_context context, + const char *name, /* in unix charset */ + krb5_principal *principal); + +krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx, + krb5_context context, + krb5_const_principal principal, + char **unix_name); + +#ifndef HAVE_KRB5_SET_REAL_TIME +krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds); +#endif + +krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc); + +#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) +krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock); +#endif + +#ifndef HAVE_KRB5_FREE_UNPARSED_NAME +void krb5_free_unparsed_name(krb5_context ctx, char *val); +#endif + +/* Stub out initialize_krb5_error_table since it is not present in all + * Kerberos implementations. If it's not present, it's not necessary to + * call it. + */ +#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE +#define initialize_krb5_error_table() +#endif + +/* Samba wrapper function for krb5 functionality. */ +bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr); +int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt); +bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt); +krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt); +krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); +#if defined(HAVE_KRB5_LOCATE_KDC) +krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); +#endif +krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes); +bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote); +krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry); +krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype); +void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype); +bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2); +void kerberos_free_data_contents(krb5_context context, krb5_data *pdata); +NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx, + DATA_BLOB *pac_data_blob, + krb5_context context, + krb5_keyblock *service_keyblock, + krb5_const_principal client_principal, + time_t tgs_authtime, + struct PAC_DATA **pac_data_out); +void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum, + struct PAC_SIGNATURE_DATA *sig); +krb5_error_code smb_krb5_verify_checksum(krb5_context context, + const krb5_keyblock *keyblock, + krb5_keyusage usage, + krb5_checksum *cksum, + uint8 *data, + size_t length); +time_t get_authtime_from_tkt(krb5_ticket *tkt); +void smb_krb5_free_ap_req(krb5_context context, + krb5_ap_req *ap_req); +krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, + const krb5_data *inbuf, + krb5_kvno *kvno, + krb5_enctype *enctype); +krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context, + krb5_auth_context *auth_context, + const krb5_data *inbuf, + krb5_const_principal server, + krb5_keytab keytab, + krb5_flags *ap_req_options, + krb5_ticket **ticket, + krb5_keyblock **keyblock); +krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, + const char *name, + krb5_principal *principal); +bool smb_krb5_principal_compare_any_realm(krb5_context context, + krb5_const_principal princ1, + krb5_const_principal princ2); +int cli_krb5_get_ticket(const char *principal, time_t time_offset, + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, + uint32 extra_ap_opts, const char *ccname, + time_t *tgs_expire, + const char *impersonate_princ_s); +krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time); +krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code); +krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr); +krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr); +NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error); +krb5_error_code nt_status_to_krb5(NTSTATUS nt_status); +void smb_krb5_free_error(krb5_context context, krb5_error *krberror); +krb5_error_code handle_krberror_packet(krb5_context context, + krb5_data *packet); + +void smb_krb5_get_init_creds_opt_free(krb5_context context, + krb5_get_init_creds_opt *opt); +krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context, + krb5_get_init_creds_opt **opt); +krb5_error_code smb_krb5_mk_error(krb5_context context, + krb5_error_code error_code, + const krb5_principal server, + krb5_data *reply); +krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry); +krb5_error_code smb_krb5_enctype_to_string(krb5_context context, + krb5_enctype enctype, + char **etype_s); +krb5_error_code smb_krb5_open_keytab(krb5_context context, + const char *keytab_name, + bool write_access, + krb5_keytab *keytab); +krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx, + krb5_context context, + krb5_keytab keytab, + const char **keytab_name); +int smb_krb5_kt_add_entry_ext(krb5_context context, + krb5_keytab keytab, + krb5_kvno kvno, + const char *princ_s, + krb5_enctype *enctypes, + krb5_data password, + bool no_salt, + bool keep_old_entries); +krb5_error_code smb_krb5_get_credentials(krb5_context context, + krb5_ccache ccache, + krb5_principal me, + krb5_principal server, + krb5_principal impersonate_princ, + krb5_creds **out_creds); +krb5_error_code smb_krb5_get_creds(const char *server_s, + time_t time_offset, + const char *cc, + const char *impersonate_princ_s, + krb5_creds **creds_p); +char *smb_krb5_principal_get_realm(krb5_context context, + krb5_principal principal); +#endif /* HAVE_KRB5 */ + diff --git a/source3/include/smb_krb5.h b/source3/include/smb_krb5.h new file mode 100644 index 0000000000..3e5c86268a --- /dev/null +++ b/source3/include/smb_krb5.h @@ -0,0 +1,72 @@ +#ifndef _HEADER_smb_krb5_h +#define _HEADER_smb_krb5_h + +#define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */ +/* this file uses DEPRECATED interfaces! */ + +#if defined(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER) +#define KRB5_DEPRECATED 1 +#else +#define KRB5_DEPRECATED +#endif + +#if HAVE_KRB5_H +#include <krb5.h> +#endif + +#ifndef KRB5_ADDR_NETBIOS +#define KRB5_ADDR_NETBIOS 0x14 +#endif + +#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG +#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L) +#endif + +/* Heimdal uses a slightly different name */ +#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) +#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5 +#endif + +/* The older versions of heimdal that don't have this + define don't seem to use it anyway. I'm told they + always use a subkey */ +#ifndef HAVE_AP_OPTS_USE_SUBKEY +#define AP_OPTS_USE_SUBKEY 0 +#endif + +#ifdef HAVE_KRB5 +typedef struct { +#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ + krb5_address **addrs; +#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */ + krb5_addresses *addrs; +#else +#error UNKNOWN_KRB5_ADDRESS_TYPE +#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */ +} smb_krb5_addresses; + +#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */ +#define KRB5_KEY_TYPE(k) ((k)->keytype) +#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length) +#define KRB5_KEY_DATA(k) ((k)->keyvalue.data) +#define KRB5_KEY_DATA_CAST void +#else /* MIT */ +#define KRB5_KEY_TYPE(k) ((k)->enctype) +#define KRB5_KEY_LENGTH(k) ((k)->length) +#define KRB5_KEY_DATA(k) ((k)->contents) +#define KRB5_KEY_DATA_CAST krb5_octet +#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ + +#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */ +#define KRB5_KT_KEY(k) (&(k)->key) +#elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */ +#define KRB5_KT_KEY(k) (&(k)->keyblock) +#else +#error krb5_keytab_entry has no key or keyblock member +#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */ + +#endif /* HAVE_KRB5 */ + +#include "krb5_protos.h" + +#endif /* _HEADER_smb_krb5_h */ diff --git a/source3/libads/ads_status.c b/source3/libads/ads_status.c index 29148e8543..6680766f23 100644 --- a/source3/libads/ads_status.c +++ b/source3/libads/ads_status.c @@ -21,6 +21,7 @@ */ #include "includes.h" +#include "smb_krb5.h" /* build a ADS_STATUS structure diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index ef5400654e..35d5ef9f31 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -24,6 +24,7 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_krb5pac.h" +#include "smb_krb5.h" #ifdef HAVE_KRB5 diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 89357b01fb..af8ea39370 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -22,6 +22,7 @@ */ #include "includes.h" +#include "smb_krb5.h" #ifdef HAVE_KRB5 diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c index 4fede259ab..fa2a1261a2 100644 --- a/source3/libads/kerberos_keytab.c +++ b/source3/libads/kerberos_keytab.c @@ -26,6 +26,7 @@ */ #include "includes.h" +#include "smb_krb5.h" #ifdef HAVE_KRB5 diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 8502902963..bf9bca6311 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -24,6 +24,7 @@ */ #include "includes.h" +#include "smb_krb5.h" #ifdef HAVE_KRB5 diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index 0e03ebb90d..d4ff09a510 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -18,6 +18,7 @@ */ #include "includes.h" +#include "smb_krb5.h" #ifdef HAVE_KRB5 diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c index 7cdfbc58a4..ec5cafc49d 100644 --- a/source3/libads/krb5_setpw.c +++ b/source3/libads/krb5_setpw.c @@ -19,6 +19,7 @@ */ #include "includes.h" +#include "smb_krb5.h" #ifdef HAVE_KRB5 diff --git a/source3/libnet/libnet.h b/source3/libnet/libnet.h index 570009c6f6..86eb9d050c 100644 --- a/source3/libnet/libnet.h +++ b/source3/libnet/libnet.h @@ -20,6 +20,7 @@ #ifndef __LIBNET_H__ #define __LIBNET_H__ +#include "smb_krb5.h" #include "libnet/libnet_keytab.h" #include "libnet/libnet_samsync.h" #include "libnet/libnet_dssync.h" diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 2535de2847..112143ca96 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -21,6 +21,7 @@ #include "includes.h" #include "../libcli/auth/libcli_auth.h" #include "../libcli/auth/spnego.h" +#include "smb_krb5.h" static const struct { int prot; diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 3dc8c64ba9..0839b434c1 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -20,10 +20,8 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ -#define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */ -/* this file uses DEPRECATED interfaces! */ - #include "includes.h" +#include "smb_krb5.h" #ifdef HAVE_KRB5 diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index 3789fbf6b8..264743b2a6 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -21,6 +21,7 @@ #include "includes.h" #include "../libcli/auth/spnego.h" +#include "smb_krb5.h" /* generate a negTokenInit packet given a GUID, a list of supported diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 5bfcba3443..23f002ceeb 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -22,6 +22,7 @@ #include "../librpc/gen_ndr/ndr_schannel.h" #include "../libcli/auth/schannel.h" #include "../libcli/auth/spnego.h" +#include "smb_krb5.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_CLI diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 6e813f458c..87df3c6160 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -27,6 +27,7 @@ #include "utils/ntlm_auth.h" #include "../libcli/auth/libcli_auth.h" #include "../libcli/auth/spnego.h" +#include "smb_krb5.h" #include <iniparser.h> #ifndef PAM_WINBIND_CONFIG_FILE diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c index f11f75762d..e63e73221e 100644 --- a/source3/winbindd/winbindd_cred_cache.c +++ b/source3/winbindd/winbindd_cred_cache.c @@ -24,6 +24,8 @@ #include "includes.h" #include "winbindd.h" #include "../libcli/auth/libcli_auth.h" +#include "smb_krb5.h" + #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 3117533f31..357b6463d5 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -26,6 +26,7 @@ #include "winbindd.h" #include "../libcli/auth/libcli_auth.h" #include "../librpc/gen_ndr/cli_samr.h" +#include "smb_krb5.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND |