summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-06-29 03:01:35 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:18:56 -0500
commitf4607c6e55f6aaa8fe774c7e739fab0556e7bfc0 (patch)
tree19f6d8ef036c58c6544f7ee1e06fcce0c45c1377
parentf62a70fe54c1b1f6172d1d3fbc8b34c03dd96b86 (diff)
downloadsamba-f4607c6e55f6aaa8fe774c7e739fab0556e7bfc0.tar.gz
samba-f4607c6e55f6aaa8fe774c7e739fab0556e7bfc0.tar.bz2
samba-f4607c6e55f6aaa8fe774c7e739fab0556e7bfc0.zip
r7989: Allow the use of hashed passwords in the kerberos client and server,
and create the in-memory keytab with the correct kvno, if available. Andrew Bartlett (This used to be commit 7b7b2b038e25f3d767b5db7d6e41dd947fdde091)
-rw-r--r--source4/auth/kerberos/kerberos.c54
-rw-r--r--source4/auth/kerberos/kerberos_util.c100
2 files changed, 137 insertions, 17 deletions
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index 4b3750658f..8c82ae780e 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -64,6 +64,60 @@ kerb_prompter(krb5_context ctx, void *data,
/*
simulate a kinit, putting the tgt in the given credentials cache.
Orignally by remus@snapserver.com
+
+ This version is built to use a keyblock, rather than needing the
+ original password.
+*/
+ int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
+ const char *principal, krb5_keyblock *keyblock,
+ time_t *expire_time, time_t *kdc_time)
+{
+ krb5_error_code code = 0;
+ krb5_principal me;
+ krb5_creds my_creds;
+ krb5_get_init_creds_opt options;
+
+ if ((code = krb5_parse_name(ctx, principal, &me))) {
+ return code;
+ }
+
+ krb5_get_init_creds_opt_init(&options);
+
+ if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, me, keyblock,
+ 0, NULL, &options))) {
+ krb5_free_principal(ctx, me);
+ return code;
+ }
+
+ if ((code = krb5_cc_initialize(ctx, cc, me))) {
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+ return code;
+ }
+
+ if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+ return code;
+ }
+
+ if (expire_time) {
+ *expire_time = (time_t) my_creds.times.endtime;
+ }
+
+ if (kdc_time) {
+ *kdc_time = (time_t) my_creds.times.starttime;
+ }
+
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+
+ return 0;
+}
+
+/*
+ simulate a kinit, putting the tgt in the given credentials cache.
+ Orignally by remus@snapserver.com
*/
int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
const char *principal, const char *password,
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 9f93ffe7b0..b2d9234aeb 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -3,7 +3,7 @@
Kerberos utility functions for GENSEC
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -149,10 +149,34 @@ static int free_ccache(void *ptr) {
mem_ctx->ccache = *ccache;
talloc_set_destructor(mem_ctx, free_ccache);
- ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache,
- cli_credentials_get_principal(credentials, mem_ctx),
- password, NULL, &kdc_time);
-
+
+ if (password) {
+ ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache,
+ cli_credentials_get_principal(credentials, mem_ctx),
+ password, NULL, &kdc_time);
+ } else {
+ /* No password available, try to use a keyblock instead */
+
+ krb5_keyblock keyblock;
+ const struct samr_Password *mach_pwd;
+ mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx);
+ if (!mach_pwd) {
+ talloc_free(mem_ctx);
+ DEBUG(1, ("kinit_to_ccache: No password available for kinit\n"));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
+ ENCTYPE_ARCFOUR_HMAC,
+ mach_pwd->hash, sizeof(mach_pwd->hash),
+ &keyblock);
+
+ if (ret == 0) {
+ ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, *ccache,
+ cli_credentials_get_principal(credentials, mem_ctx),
+ &keyblock, NULL, &kdc_time);
+ }
+ }
+
/* cope with ticket being in the future due to clock skew */
if ((unsigned)kdc_time > time(NULL)) {
time_t t = time(NULL);
@@ -206,17 +230,6 @@ static int free_keytab(void *ptr) {
return NT_STATUS_NO_MEMORY;
}
- password_s = talloc_strdup(mem_ctx, cli_credentials_get_password(machine_account));
- if (!password_s) {
- DEBUG(1, ("create_memory_keytab: Could not obtain password for our local machine account!\n"));
- talloc_free(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
- password.data = password_s;
- password.length = strlen(password_s);
-
- /* this string should be unique */
-
ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY_WILDCARD:", keytab);
if (ret) {
DEBUG(1,("failed to generate a new krb5 keytab: %s\n",
@@ -239,30 +252,81 @@ static int free_keytab(void *ptr) {
return NT_STATUS_INTERNAL_ERROR;
}
+ password_s = talloc_strdup(mem_ctx, cli_credentials_get_password(machine_account));
+ if (!password_s) {
+ /* If we don't have the plaintext password, try for
+ * the MD4 password hash */
+
+ krb5_keytab_entry entry;
+ const struct samr_Password *mach_pwd;
+ mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx);
+ if (!mach_pwd) {
+ talloc_free(mem_ctx);
+ DEBUG(1, ("create_memory_keytab: Domain trust informaton for account %s not available\n",
+ cli_credentials_get_principal(machine_account, mem_ctx)));
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+ ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
+ ENCTYPE_ARCFOUR_HMAC,
+ mach_pwd->hash, sizeof(mach_pwd->hash),
+ &entry.keyblock);
+ if (ret) {
+ DEBUG(1, ("create_memory_keytab: krb5_keyblock_init failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx)));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ entry.principal = salt_princ;
+ entry.vno = cli_credentials_get_kvno(machine_account);
+ ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
+ if (ret) {
+ DEBUG(1, ("Failed to add ARCFOUR_HMAC (only) entry for %s to keytab: %s",
+ cli_credentials_get_principal(machine_account, mem_ctx),
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx)));
+ talloc_free(mem_ctx);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
+ return NT_STATUS_OK;
+ }
+
+ /* good, we actually have the real plaintext */
+
ret = get_kerberos_allowed_etypes(smb_krb5_context->krb5_context,
&enctypes);
if (ret) {
DEBUG(1,("create_memory_keytab: getting encrption types failed (%s)\n",
error_message(ret)));
+ talloc_free(mem_ctx);
return NT_STATUS_INTERNAL_ERROR;
}
+ password.data = discard_const_p(char *, password_s);
+ password.length = strlen(password_s);
+
for (i=0; enctypes[i]; i++) {
krb5_keytab_entry entry;
ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context,
salt_princ, &password, &entry.keyblock, enctypes[i]);
if (ret) {
+ talloc_free(mem_ctx);
return NT_STATUS_INTERNAL_ERROR;
}
entry.principal = salt_princ;
- entry.vno = 0 /* replace with real kvno */;
+ entry.vno = cli_credentials_get_kvno(machine_account);
ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
if (ret) {
DEBUG(1, ("Failed to add entry for %s to keytab: %s",
cli_credentials_get_principal(machine_account, mem_ctx),
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
+ talloc_free(mem_ctx);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
return NT_STATUS_INTERNAL_ERROR;
}
@@ -273,3 +337,5 @@ static int free_keytab(void *ptr) {
return NT_STATUS_OK;
}
+
+