summaryrefslogtreecommitdiff
path: root/source3/libads
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2004-11-02 02:21:26 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:53:07 -0500
commit37117a10142e6ad320f994cab4442b12529685ee (patch)
treee834a5c6d53d4f210405b1939b35d90c17affcac /source3/libads
parent3688bb079e8d817dcfc3b9e5eb9d07e7b95a806f (diff)
downloadsamba-37117a10142e6ad320f994cab4442b12529685ee.tar.gz
samba-37117a10142e6ad320f994cab4442b12529685ee.tar.bz2
samba-37117a10142e6ad320f994cab4442b12529685ee.zip
r3451: Finish off kerberos salting patch. Needs testing !
Jeremy. (This used to be commit ff4cb6b5e80731856d6f3f7eebd8fc23902e3580)
Diffstat (limited to 'source3/libads')
-rw-r--r--source3/libads/kerberos_verify.c5
-rw-r--r--source3/libads/util.c58
2 files changed, 34 insertions, 29 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 140d7550ad..8524fc5d05 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -262,9 +262,8 @@ NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket,
goto out;
}
- name_to_fqdn(myname, global_myname());
- strlower_m(myname);
- asprintf(&host_princ_s, "host/%s@%s", myname, lp_realm());
+ asprintf(&host_princ_s, "%s$", global_myname());
+ strlower_m(host_princ_s);
ret = krb5_parse_name(context, host_princ_s, &host_princ);
if (ret) {
DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
diff --git a/source3/libads/util.c b/source3/libads/util.c
index 9912a7ba83..f5b8873538 100644
--- a/source3/libads/util.c
+++ b/source3/libads/util.c
@@ -24,39 +24,45 @@
ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
{
- char *tmp_password;
- char *password;
- char *new_password;
- char *service_principal;
- ADS_STATUS ret;
- uint32 sec_channel_type;
+ char *password;
+ char *new_password;
+ char *service_principal;
+ ADS_STATUS ret;
+ uint32 sec_channel_type;
- if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
- DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
- return ADS_ERROR_SYSTEM(ENOENT);
- }
+ if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
+ DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
+ return ADS_ERROR_SYSTEM(ENOENT);
+ }
- tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
- new_password = strdup(tmp_password);
+ new_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
- asprintf(&service_principal, "HOST/%s", host_principal);
+ asprintf(&service_principal, "HOST/%s", host_principal);
- ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
+ ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
- if (!ADS_ERR_OK(ret)) goto failed;
+ if (!ADS_ERR_OK(ret)) {
+ goto failed;
+ }
- if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
- DEBUG(1,("Failed to save machine password\n"));
- return ADS_ERROR_SYSTEM(EACCES);
- }
+ if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
+ DEBUG(1,("Failed to save machine password\n"));
+ ret = ADS_ERROR_SYSTEM(EACCES);
+ goto failed;
+ }
-failed:
- SAFE_FREE(service_principal);
- SAFE_FREE(new_password);
+ /* Determine if the KDC is salting keys for this principal in a
+ * non-obvious way. */
+ if (!kerberos_derive_salting_principal(service_principal)) {
+ DEBUG(1,("Failed to determine correct salting principal for %s\n", service_principal));
+ ret = ADS_ERROR_SYSTEM(EACCES);
+ goto failed;
+ }
- return ret;
+failed:
+ SAFE_FREE(service_principal);
+ SAFE_FREE(password);
+ SAFE_FREE(new_password);
+ return ret;
}
-
-
-
#endif