diff options
author | Simo Sorce <idra@samba.org> | 2012-04-25 17:29:09 -0400 |
---|---|---|
committer | Simo Sorce <idra@samba.org> | 2012-05-04 16:51:28 +0200 |
commit | 38a5a2c5c59029889d6c7c6dc80ab087956ca651 (patch) | |
tree | 91cef3faaa076439ea4497dc2b84be4577780bdb | |
parent | aa1a0d80de8b8c9116f5d5b576e2422d104e6b75 (diff) | |
download | samba-38a5a2c5c59029889d6c7c6dc80ab087956ca651.tar.gz samba-38a5a2c5c59029889d6c7c6dc80ab087956ca651.tar.bz2 samba-38a5a2c5c59029889d6c7c6dc80ab087956ca651.zip |
Move kerberos_kinit_keyblock_cc to krb5samba lib
Make it also work with MIT where krb5_get_in_tkt_with_keyblock is not
available.
-rw-r--r-- | lib/krb5_wrap/krb5_samba.c | 91 | ||||
-rw-r--r-- | lib/krb5_wrap/krb5_samba.h | 7 | ||||
-rw-r--r-- | source3/configure.in | 1 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos.c | 48 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos.h | 7 | ||||
-rwxr-xr-x[-rw-r--r--] | source4/heimdal_build/wscript_configure | 1 | ||||
-rw-r--r-- | wscript_configure_krb5 | 3 |
7 files changed, 102 insertions, 56 deletions
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index ffbd8d42ad..c853b7558d 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -1556,6 +1556,97 @@ krb5_error_code smb_krb5_get_creds(const char *server_s, } /* + simulate a kinit, putting the tgt in the given credentials cache. + Orignally by remus@snapserver.com + + This version is built to use a keyblock, rather than needing the + original password. + + The impersonate_principal is the principal if NULL, or the principal + to impersonate + + The target_service defaults to the krbtgt if NULL, but could be + kpasswd/realm or the local service (if we are doing s4u2self) +*/ +krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, + krb5_principal principal, + krb5_keyblock *keyblock, + const char *target_service, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time) +{ + krb5_error_code code = 0; + krb5_creds my_creds; + +#if defined(HAVE_KRB5_GET_INIT_CREDS_KEYBLOCK) + code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, + keyblock, 0, target_service, + krb_options); +#elif defined(HAVE_KRB5_GET_INIT_CREDS_KEYTAB) +{ +#define SMB_CREDS_KEYTAB "MEMORY:tmp_smb_creds_XXXXXX" + char tmp_name[sizeof(SMB_CREDS_KEYTAB)]; + krb5_keytab_entry entry; + krb5_keytab keytab; + + memset(&entry, 0, sizeof(entry)); + entry.principal = principal; + *(KRB5_KT_KEY(&entry)) = *keyblock; + + memcpy(tmp_name, SMB_CREDS_KEYTAB, sizeof(SMB_CREDS_KEYTAB)); + mktemp(tmp_name); + if (tmp_name[0] == 0) { + return KRB5_KT_BADNAME; + } + code = krb5_kt_resolve(ctx, tmp_name, &keytab); + if (code) { + return code; + } + + code = krb5_kt_add_entry(ctx, keytab, &entry); + if (code) { + (void)krb5_kt_close(ctx, keytab); + goto done; + } + + code = krb5_get_init_creds_keytab(ctx, &my_creds, principal, + keytab, 0, target_service, + krb_options); + (void)krb5_kt_close(ctx, keytab); +} +#else +#error krb5_get_init_creds_keyblock not available! +#endif + if (code) { + return code; + } + + code = krb5_cc_initialize(ctx, cc, principal); + if (code) { + goto done; + } + + code = krb5_cc_store_cred(ctx, cc, &my_creds); + if (code) { + goto done; + } + + if (expire_time) { + *expire_time = (time_t) my_creds.times.endtime; + } + + if (kdc_time) { + *kdc_time = (time_t) my_creds.times.starttime; + } + + code = 0; +done: + krb5_free_cred_contents(ctx, &my_creds); + return code; +} + +/* * smb_krb5_principal_get_realm * * @brief Get realm of a principal diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h index 6a0f9dc2fd..771c43de44 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h @@ -198,6 +198,13 @@ krb5_error_code smb_krb5_get_creds(const char *server_s, const char *cc, const char *impersonate_princ_s, krb5_creds **creds_p); +krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, + krb5_principal principal, + krb5_keyblock *keyblock, + const char *target_service, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time); char *smb_krb5_principal_get_realm(krb5_context context, krb5_principal principal); diff --git a/source3/configure.in b/source3/configure.in index 0253e076dc..8790ea713b 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -3614,6 +3614,7 @@ if test x"$with_ads_support" != x"no"; then AC_CHECK_FUNC_EXT(krb5_get_credentials_for_user, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_get_host_realm, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(krb5_get_init_creds_keytab, $KRB5_LIBS) AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS) AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS) AC_CHECK_FUNC_EXT(gsskrb5_extract_authz_data_from_sec_context, $KRB5_LIBS) diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c index 0fc9d143ab..b4e989d2ae 100644 --- a/source4/auth/kerberos/kerberos.c +++ b/source4/auth/kerberos/kerberos.c @@ -30,54 +30,6 @@ /* simulate a kinit, putting the tgt in the given credentials cache. Orignally by remus@snapserver.com - - This version is built to use a keyblock, rather than needing the - original password. - - The impersonate_principal is the principal if NULL, or the principal to impersonate - - The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self) -*/ - krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, - krb5_principal principal, krb5_keyblock *keyblock, - const char *target_service, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, time_t *kdc_time) -{ - krb5_error_code code = 0; - krb5_creds my_creds; - - if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock, - 0, target_service, krb_options))) { - return code; - } - - if ((code = krb5_cc_initialize(ctx, cc, principal))) { - krb5_free_cred_contents(ctx, &my_creds); - return code; - } - - if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { - krb5_free_cred_contents(ctx, &my_creds); - return code; - } - - if (expire_time) { - *expire_time = (time_t) my_creds.times.endtime; - } - - if (kdc_time) { - *kdc_time = (time_t) my_creds.times.starttime; - } - - krb5_free_cred_contents(ctx, &my_creds); - - return 0; -} - -/* - simulate a kinit, putting the tgt in the given credentials cache. - Orignally by remus@snapserver.com The impersonate_principal is the principal if NULL, or the principal to impersonate diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h index cc02aee27f..018f6b80b1 100644 --- a/source4/auth/kerberos/kerberos.h +++ b/source4/auth/kerberos/kerberos.h @@ -74,13 +74,6 @@ const krb5_data *krb5_princ_component(krb5_context context, krb5_principal princ #endif /* Samba wrapper function for krb5 functionality. */ -krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, - krb5_principal principal, const char *password, - krb5_principal impersonate_principal, - const char *self_service, - const char *target_service, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, time_t *kdc_time); krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, krb5_principal principal, krb5_keyblock *keyblock, const char *target_service, diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure index 1c03b34106..6383880229 100644..100755 --- a/source4/heimdal_build/wscript_configure +++ b/source4/heimdal_build/wscript_configure @@ -114,6 +114,7 @@ conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC', 1) conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_FREE', 1) conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR', 1) conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST', 1) +conf.define('HAVE_KRB5_GET_INIT_CREDS_KEYBLOCK', 1) conf.define('HAVE_KRB5_GET_PW_SALT', 1) conf.define('HAVE_KRB5_GET_RENEWED_CREDS', 1) conf.define('HAVE_KRB5_KEYBLOCK_KEYVALUE', 1) diff --git a/wscript_configure_krb5 b/wscript_configure_krb5 index 2fb1c586fd..1faa212e5f 100644 --- a/wscript_configure_krb5 +++ b/wscript_configure_krb5 @@ -57,7 +57,8 @@ conf.CHECK_FUNCS(''' krb5_get_init_creds_opt_free krb5_get_init_creds_opt_get_error krb5_enctype_to_string krb5_fwd_tgt_creds krb5_auth_con_set_req_cksumtype krb5_get_creds_opt_alloc krb5_get_creds_opt_set_impersonate krb5_get_creds - krb5_get_credentials_for_user krb5_get_host_realm krb5_free_host_realm''', + krb5_get_credentials_for_user krb5_get_host_realm krb5_free_host_realm + krb5_get_init_creds_keyblock krb5_get_init_creds_keytab''', lib='krb5 k5crypto') conf.CHECK_DECLS('''krb5_get_credentials_for_user krb5_auth_con_set_req_cksumtype''', |