summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2007-08-14 19:47:57 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:29:46 -0500
commit201f0e1ce405273ffc19d280f91d8eee17bdaaec (patch)
tree3a4c38debf66131871da29652d4e1476887ff8e0
parent591669ba066cde377c0c14e3473f23b35530b4ba (diff)
downloadsamba-201f0e1ce405273ffc19d280f91d8eee17bdaaec.tar.gz
samba-201f0e1ce405273ffc19d280f91d8eee17bdaaec.tar.bz2
samba-201f0e1ce405273ffc19d280f91d8eee17bdaaec.zip
r24432: Expand kerberos_return_pac() so that it can be used in winbindd.
Guenther (This used to be commit e70bf0ecc3ec6d3ba8ba384024bbdf9a783072ea)
-rw-r--r--source3/libads/authdata.c78
-rw-r--r--source3/utils/net_ads.c9
2 files changed, 80 insertions, 7 deletions
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 793b9adb06..bbcd2db56a 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -962,6 +962,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
const char *name,
const char *pass,
time_t time_offset,
+ time_t *expire_time,
+ time_t *renew_till_time,
+ const char *cache_name,
+ BOOL request_pac,
+ BOOL add_netbios_addr,
+ time_t renewable_time,
PAC_DATA **pac_ret)
{
krb5_error_code ret;
@@ -982,6 +988,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
+ if (cache_name) {
+ cc = cache_name;
+ }
+
if (!strchr_m(name, '@')) {
auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name,
lp_realm());
@@ -997,18 +1007,41 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
ret = kerberos_kinit_password_ext(auth_princ,
pass,
time_offset,
- NULL,
- NULL,
+ expire_time,
+ renew_till_time,
cc,
- True,
- True,
- 0,
+ request_pac,
+ add_netbios_addr,
+ renewable_time,
&status);
if (ret) {
+ DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
+ auth_princ, error_message(ret), ret));
/* status already set */
goto out;
}
+ DEBUG(10,("got TGT for %s in %s\n", auth_princ, cc));
+ if (expire_time) {
+ DEBUGADD(10,("\tvalid until: %s (%d)\n",
+ http_timestring(*expire_time),
+ (int)*expire_time));
+ }
+ if (renew_till_time) {
+ DEBUGADD(10,("\trenewable till: %s (%d)\n",
+ http_timestring(*renew_till_time),
+ (int)*renew_till_time));
+ }
+
+ /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
+ * in that case fallback to NTLM - gd */
+
+ if (expire_time && renew_till_time &&
+ (*expire_time == 0) && (*renew_till_time == 0)) {
+ return NT_STATUS_INVALID_LOGON_TYPE;
+ }
+
+
ret = cli_krb5_get_ticket(local_service,
time_offset,
&tkt,
@@ -1017,6 +1050,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
cc,
NULL);
if (ret) {
+ DEBUG(1,("failed to get ticket for %s: %s\n",
+ local_service, error_message(ret)));
status = krb5_to_nt_status(ret);
goto out;
}
@@ -1031,10 +1066,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
&sesskey2,
False);
if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1,("ads_verify_ticket failed: %s\n",
+ nt_errstr(status)));
goto out;
}
if (!pac_data) {
+ DEBUG(1,("no PAC\n"));
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
@@ -1042,7 +1080,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
*pac_ret = pac_data;
out:
- ads_kdestroy(cc);
+ if (cc != cache_name) {
+ ads_kdestroy(cc);
+ }
data_blob_free(&tkt);
data_blob_free(&ap_rep);
@@ -1061,6 +1101,12 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
const char *name,
const char *pass,
time_t time_offset,
+ time_t *expire_time,
+ time_t *renew_till_time,
+ const char *cache_name,
+ BOOL request_pac,
+ BOOL add_netbios_addr,
+ time_t renewable_time,
PAC_LOGON_INFO **logon_info)
{
NTSTATUS status;
@@ -1071,17 +1117,25 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
name,
pass,
time_offset,
+ expire_time,
+ renew_till_time,
+ cache_name,
+ request_pac,
+ add_netbios_addr,
+ renewable_time,
&pac_data);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (!pac_data) {
+ DEBUG(3,("no pac\n"));
return NT_STATUS_INVALID_USER_BUFFER;
}
info = get_logon_info_from_pac(pac_data);
if (!info) {
+ DEBUG(1,("no logon_info\n"));
return NT_STATUS_INVALID_USER_BUFFER;
}
@@ -1097,6 +1151,12 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
const char *name,
const char *pass,
time_t time_offset,
+ time_t *expire_time,
+ time_t *renew_till_time,
+ const char *cache_name,
+ BOOL request_pac,
+ BOOL add_netbios_addr,
+ time_t renewable_time,
NET_USER_INFO_3 **info3)
{
NTSTATUS status;
@@ -1106,6 +1166,12 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
name,
pass,
time_offset,
+ expire_time,
+ renew_till_time,
+ cache_name,
+ request_pac,
+ add_netbios_addr,
+ renewable_time,
&logon_info);
if (!NT_STATUS_IS_OK(status)) {
return status;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index b4337d9f38..f4fc9470f6 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2547,7 +2547,14 @@ static int net_ads_kerberos_pac(int argc, const char **argv)
status = kerberos_return_pac(mem_ctx,
opt_user_name,
opt_password,
- 0, &pac);
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ True,
+ True,
+ 2592000, /* one month */
+ &pac);
if (!NT_STATUS_IS_OK(status)) {
d_printf("failed to query kerberos PAC: %s\n",
nt_errstr(status));