diff options
| author | Gerald Carter <jerry@samba.org> | 2006-07-11 18:45:22 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:19:15 -0500 |
| commit | 060b155cd2f77e37086f97461f93e9ef1ff8dce2 (patch) | |
| tree | 3725302c80ac157ed9ee35c73b76caa1504a2141 /source3/libads/kerberos_verify.c | |
| parent | 6d291669972fc1344183dea29dced5e575ea7af8 (diff) | |
| download | samba-060b155cd2f77e37086f97461f93e9ef1ff8dce2.tar.gz samba-060b155cd2f77e37086f97461f93e9ef1ff8dce2.tar.bz2 samba-060b155cd2f77e37086f97461f93e9ef1ff8dce2.zip | |
r16952: New derive DES salt code and Krb5 keytab generation
Major points of interest:
* Figure the DES salt based on the domain functional level
and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
keys
* Remove all the case permutations in the keytab entry
generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
in AD
The resulting keytab looks like:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value. The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.
Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
Diffstat (limited to 'source3/libads/kerberos_verify.c')
| -rw-r--r-- | source3/libads/kerberos_verify.c | 14 |
1 files changed, 5 insertions, 9 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 525a9cfa27..3aa0860809 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -202,9 +202,13 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au BOOL auth_ok = False; char *password_s = NULL; krb5_data password; - krb5_enctype *enctypes = NULL; + krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 }; int i; +#if defined(ENCTYPE_ARCFOUR_HMAC) + enctypes[2] = ENCTYPE_ARCFOUR_HMAC; +#endif + ZERO_STRUCTP(keyblock); if (!secrets_init()) { @@ -223,12 +227,6 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au /* CIFS doesn't use addresses in tickets. This would break NAT. JRA */ - if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) { - DEBUG(1,("ads_secrets_verify_ticket: krb5_get_permitted_enctypes failed (%s)\n", - error_message(ret))); - goto out; - } - p_packet->length = ticket->length; p_packet->data = (krb5_pointer)ticket->data; @@ -273,8 +271,6 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au } out: - - free_kerberos_etypes(context, enctypes); SAFE_FREE(password_s); return auth_ok; |