authorGünther Deschner <gd@samba.org>2006-04-25 12:24:25 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:16:29 -0500
commit351e749246a278b60a7e18c1eeafdc8ec70efea2 (patch)
tree7080fbf71b0f4cedfd4eeae1eb42478b2b327b49 /source3/libads
parent66fd215dc754963c866c3c3402f65d6bd14b8dcd (diff)
r15240: Correctly disallow unauthorized access when logging on with the
kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to include the host's NetBIOS name in its address list. We don't yet extract the precise NT_STATUS_INVALID_WORKSTATION code from the e-data of the KRB-ERROR, but the logon at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
Diffstat (limited to 'source3/libads')
-rw-r--r--source3/libads/kerberos.c26
1 files changed, 24 insertions, 2 deletions
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 960709a5f0..2dfdc31dd5 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -65,6 +65,7 @@ int kerberos_kinit_password_ext(const char *principal,
time_t *renew_till_time,
const char *cache_name,
BOOL request_pac,
+ BOOL add_netbios_addr,
time_t renewable_time)
{
krb5_context ctx = NULL;
@@ -73,6 +74,7 @@ int kerberos_kinit_password_ext(const char *principal,
krb5_principal me;
krb5_creds my_creds;
krb5_get_init_creds_opt opt;
+ smb_krb5_addresses *addr = NULL;
initialize_krb5_error_table();
if ((code = krb5_init_context(&ctx)))
@@ -101,19 +103,36 @@ int kerberos_kinit_password_ext(const char *principal,
if (request_pac) {
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
- krb5_get_init_creds_opt_set_pac_request(ctx, &opt, True);
+ code = krb5_get_init_creds_opt_set_pac_request(ctx, &opt, True);
+ if (code) {
+ krb5_free_principal(ctx, me);
+ krb5_free_context(ctx);
+ return code;
+ }
#endif
}
+ if (add_netbios_addr) {
+ code = smb_krb5_gen_netbios_krb5_address(&addr);
+ if (code) {
+ krb5_free_principal(ctx, me);
+ krb5_free_context(ctx);
+ return code;
+ }
+ krb5_get_init_creds_opt_set_address_list(&opt, addr->addrs);
+ }
+
if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password),
kerb_prompter, NULL, 0, NULL, &opt)))
{
+ smb_krb5_free_addresses(ctx, addr);
krb5_free_principal(ctx, me);
krb5_free_context(ctx);
return code;
}
if ((code = krb5_cc_initialize(ctx, cc, me))) {
+ smb_krb5_free_addresses(ctx, addr);
krb5_free_cred_contents(ctx, &my_creds);
krb5_free_principal(ctx, me);
krb5_free_context(ctx);
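Review bot: The address list handed to `krb5_get_init_creds_opt_set_address_list(&opt, addr->addrs)` is generated locally by `smb_krb5_gen_netbios_krb5_address`, so the workstation restriction described in the commit message is checked by the KDC only against a name this client chooses to send; that makes pam_winbind honour the restriction but does not constrain a client that omits or forges the address, and the block deserves a comment saying so, e.g. `/* The KDC checks logon-workstation restrictions against this client-supplied NetBIOS address; this is cooperative enforcement, not a control against a hostile client. */`. The two new early returns (after `krb5_get_init_creds_opt_set_pac_request` and after `smb_krb5_gen_netbios_krb5_address`) free the principal and the context but, like the existing failure path below them, never close `cc`, even though the `krb5_cc_store_cred` failure path does call `krb5_cc_close(ctx, cc);`; if `cc` was obtained with krb5_cc_resolve earlier in the function (outside this hunk), each of these paths leaks the cache handle and `krb5_cc_close(ctx, cc);` belongs before the return, or the function wants a single cleanup label. The later failure paths call `smb_krb5_free_addresses(ctx, addr)` with `addr` still NULL whenever `add_netbios_addr` is False, which is only safe if that helper tolerates NULL — worth confirming or guarding. kerberos_kinit_password_ext starts and ends outside this hunk.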
@@ -122,6 +141,7 @@ int kerberos_kinit_password_ext(const char *principal,
if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
krb5_cc_close(ctx, cc);
+ smb_krb5_free_addresses(ctx, addr);
krb5_free_cred_contents(ctx, &my_creds);
krb5_free_principal(ctx, me);
krb5_free_context(ctx);
@@ -137,6 +157,7 @@ int kerberos_kinit_password_ext(const char *principal,
}
krb5_cc_close(ctx, cc);
+ smb_krb5_free_addresses(ctx, addr);
krb5_free_cred_contents(ctx, &my_creds);
krb5_free_principal(ctx, me);
krb5_free_context(ctx);
@@ -178,7 +199,7 @@ int ads_kinit_password(ADS_STRUCT *ads)
}
ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
- &ads->auth.expire, NULL, NULL, False, ads->auth.renewable);
+ &ads->auth.expire, NULL, NULL, False, False, ads->auth.renewable);
if (ret) {
DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
@@ -812,6 +833,7 @@ int kerberos_kinit_password(const char *principal,
0,
cache_name,
False,
+ False,
0);
}