diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-06-29 03:01:35 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:18:56 -0500 |
commit | f4607c6e55f6aaa8fe774c7e739fab0556e7bfc0 (patch) | |
tree | 19f6d8ef036c58c6544f7ee1e06fcce0c45c1377 | |
parent | f62a70fe54c1b1f6172d1d3fbc8b34c03dd96b86 (diff) | |
download | samba-f4607c6e55f6aaa8fe774c7e739fab0556e7bfc0.tar.gz samba-f4607c6e55f6aaa8fe774c7e739fab0556e7bfc0.tar.bz2 samba-f4607c6e55f6aaa8fe774c7e739fab0556e7bfc0.zip |
r7989: Allow the use of hashed passwords in the kerberos client and server,
and create the in-memory keytab with the correct kvno, if available.
Andrew Bartlett
(This used to be commit 7b7b2b038e25f3d767b5db7d6e41dd947fdde091)
-rw-r--r-- | source4/auth/kerberos/kerberos.c | 54 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_util.c | 100 |
2 files changed, 137 insertions, 17 deletions
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c index 4b3750658f..8c82ae780e 100644 --- a/source4/auth/kerberos/kerberos.c +++ b/source4/auth/kerberos/kerberos.c @@ -64,6 +64,60 @@ kerb_prompter(krb5_context ctx, void *data, /* simulate a kinit, putting the tgt in the given credentials cache. Orignally by remus@snapserver.com + + This version is built to use a keyblock, rather than needing the + original password. +*/ + int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, + const char *principal, krb5_keyblock *keyblock, + time_t *expire_time, time_t *kdc_time) +{ + krb5_error_code code = 0; + krb5_principal me; + krb5_creds my_creds; + krb5_get_init_creds_opt options; + + if ((code = krb5_parse_name(ctx, principal, &me))) { + return code; + } + + krb5_get_init_creds_opt_init(&options); + + if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, me, keyblock, + 0, NULL, &options))) { + krb5_free_principal(ctx, me); + return code; + } + + if ((code = krb5_cc_initialize(ctx, cc, me))) { + krb5_free_cred_contents(ctx, &my_creds); + krb5_free_principal(ctx, me); + return code; + } + + if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { + krb5_free_cred_contents(ctx, &my_creds); + krb5_free_principal(ctx, me); + return code; + } + + if (expire_time) { + *expire_time = (time_t) my_creds.times.endtime; + } + + if (kdc_time) { + *kdc_time = (time_t) my_creds.times.starttime; + } + + krb5_free_cred_contents(ctx, &my_creds); + krb5_free_principal(ctx, me); + + return 0; +} + +/* + simulate a kinit, putting the tgt in the given credentials cache. + Orignally by remus@snapserver.com */ int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, const char *principal, const char *password, diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index 9f93ffe7b0..b2d9234aeb 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -3,7 +3,7 @@ Kerberos utility functions for GENSEC - Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -149,10 +149,34 @@ static int free_ccache(void *ptr) { mem_ctx->ccache = *ccache; talloc_set_destructor(mem_ctx, free_ccache); - ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache, - cli_credentials_get_principal(credentials, mem_ctx), - password, NULL, &kdc_time); - + + if (password) { + ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache, + cli_credentials_get_principal(credentials, mem_ctx), + password, NULL, &kdc_time); + } else { + /* No password available, try to use a keyblock instead */ + + krb5_keyblock keyblock; + const struct samr_Password *mach_pwd; + mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx); + if (!mach_pwd) { + talloc_free(mem_ctx); + DEBUG(1, ("kinit_to_ccache: No password available for kinit\n")); + return NT_STATUS_WRONG_PASSWORD; + } + ret = krb5_keyblock_init(smb_krb5_context->krb5_context, + ENCTYPE_ARCFOUR_HMAC, + mach_pwd->hash, sizeof(mach_pwd->hash), + &keyblock); + + if (ret == 0) { + ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, *ccache, + cli_credentials_get_principal(credentials, mem_ctx), + &keyblock, NULL, &kdc_time); + } + } + /* cope with ticket being in the future due to clock skew */ if ((unsigned)kdc_time > time(NULL)) { time_t t = time(NULL); @@ -206,17 +230,6 @@ static int free_keytab(void *ptr) { return NT_STATUS_NO_MEMORY; } - password_s = talloc_strdup(mem_ctx, cli_credentials_get_password(machine_account)); - if (!password_s) { - DEBUG(1, ("create_memory_keytab: Could not obtain password for our local machine account!\n")); - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - password.data = password_s; - password.length = strlen(password_s); - - /* this string should be unique */ - ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY_WILDCARD:", keytab); if (ret) { DEBUG(1,("failed to generate a new krb5 keytab: %s\n", @@ -239,30 +252,81 @@ static int free_keytab(void *ptr) { return NT_STATUS_INTERNAL_ERROR; } + password_s = talloc_strdup(mem_ctx, cli_credentials_get_password(machine_account)); + if (!password_s) { + /* If we don't have the plaintext password, try for + * the MD4 password hash */ + + krb5_keytab_entry entry; + const struct samr_Password *mach_pwd; + mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx); + if (!mach_pwd) { + talloc_free(mem_ctx); + DEBUG(1, ("create_memory_keytab: Domain trust informaton for account %s not available\n", + cli_credentials_get_principal(machine_account, mem_ctx))); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + ret = krb5_keyblock_init(smb_krb5_context->krb5_context, + ENCTYPE_ARCFOUR_HMAC, + mach_pwd->hash, sizeof(mach_pwd->hash), + &entry.keyblock); + if (ret) { + DEBUG(1, ("create_memory_keytab: krb5_keyblock_init failed: %s\n", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); + return NT_STATUS_INTERNAL_ERROR; + } + + entry.principal = salt_princ; + entry.vno = cli_credentials_get_kvno(machine_account); + ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry); + if (ret) { + DEBUG(1, ("Failed to add ARCFOUR_HMAC (only) entry for %s to keytab: %s", + cli_credentials_get_principal(machine_account, mem_ctx), + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); + talloc_free(mem_ctx); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock); + return NT_STATUS_INTERNAL_ERROR; + } + + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock); + return NT_STATUS_OK; + } + + /* good, we actually have the real plaintext */ + ret = get_kerberos_allowed_etypes(smb_krb5_context->krb5_context, &enctypes); if (ret) { DEBUG(1,("create_memory_keytab: getting encrption types failed (%s)\n", error_message(ret))); + talloc_free(mem_ctx); return NT_STATUS_INTERNAL_ERROR; } + password.data = discard_const_p(char *, password_s); + password.length = strlen(password_s); + for (i=0; enctypes[i]; i++) { krb5_keytab_entry entry; ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context, salt_princ, &password, &entry.keyblock, enctypes[i]); if (ret) { + talloc_free(mem_ctx); return NT_STATUS_INTERNAL_ERROR; } entry.principal = salt_princ; - entry.vno = 0 /* replace with real kvno */; + entry.vno = cli_credentials_get_kvno(machine_account); ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry); if (ret) { DEBUG(1, ("Failed to add entry for %s to keytab: %s", cli_credentials_get_principal(machine_account, mem_ctx), smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); + talloc_free(mem_ctx); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock); return NT_STATUS_INTERNAL_ERROR; } @@ -273,3 +337,5 @@ static int free_keytab(void *ptr) { return NT_STATUS_OK; } + + |