author | Andrew Bartlett <abartlet@samba.org> | 2003-02-24 11:09:21 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2003-02-24 11:09:21 +0000 |
commit | eb64538dba772a9846c05e2712839dbaa12c39a1 (patch) | |
tree | e97f5ef951eb81f13afac9d3900ba16a2b2d9d62 /source3/libads | |
parent | 2f0c70efb2c4b5b01eb073f5d5217108b4ca438f (diff) | |
Patch from Luke Howard to add mutual kerberos authentication, and SMB session
keys for kerberos authentication.
Andrew Bartlett
(This used to be commit 8b798f03dbbdd670ff9af4eb46f7b0845c611e0f)
Diffstat (limited to 'source3/libads')
-rw-r--r-- | source3/libads/kerberos_verify.c | 32 |
1 files changed, 26 insertions, 6 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 17fecf60c8..4d9a1bf765 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -3,7 +3,7 @@ kerberos utility library Copyright (C) Andrew Tridgell 2001 Copyright (C) Remus Koos 2001 - + Copyright (C) Luke Howard 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -29,7 +29,9 @@ authorization_data if available */ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, - char **principal, DATA_BLOB *auth_data) + char **principal, DATA_BLOB *auth_data, + DATA_BLOB *ap_rep, + uint8 session_key[16]) { krb5_context context; krb5_auth_context auth_context = NULL; @@ -122,10 +124,24 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, if (!auth_ok) { DEBUG(3,("krb5_rd_req with auth failed (%s)\n", error_message(ret))); - SAFE_FREE(key); return NT_STATUS_LOGON_FAILURE; } + ret = krb5_mk_rep(context, auth_context, &packet); + if (ret) { + DEBUG(3,("Failed to generate mutual authentication reply (%s)\n", + error_message(ret))); + krb5_auth_con_free(context, auth_context); + return NT_STATUS_LOGON_FAILURE; + } + + *ap_rep = data_blob(packet.data, packet.length); + free(packet.data); + + krb5_get_smb_session_key(context, auth_context, session_key); + DEBUG(0,("SMB session key (from ticket) follows:\n")); + dump_data(0, session_key, 16); + #if 0 file_save("/tmp/ticket.dat", ticket->data, ticket->length); #endif 
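Review bot: The new out-parameters `ap_rep` and `session_key` in the ads_verify_ticket signature are not described in the comment above the function, which still ends at "authorization_data if available". The body later writes through both without a NULL check, so the comment should say that both are mandatory, that `ap_rep` receives an allocated blob the caller must release with `data_blob_free()`, and that `session_key` must point to at least 16 bytes. Because `uint8 session_key[16]` decays to a pointer, the compiler does not enforce the 16, and a named constant shared with the callers would make the size contract explicit.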
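Review bot: The negotiated SMB session key is written to the log at debug level 0 by `DEBUG(0,("SMB session key (from ticket) follows:\n"));` and `dump_data(0, session_key, 16);`, so it is emitted at every configured log level. Anyone who can read the log can recover key material for the session; these two lines should be removed or moved to a developer-only level, e.g. `DEBUG(10,("SMB session key (from ticket) follows:\n"));` and `dump_data(10, session_key, 16);`. The result of `krb5_get_smb_session_key(context, auth_context, session_key)` is also discarded; if that helper can fail (its definition is not in this hunk), the caller's buffer is left with whatever it held before while the function goes on towards NT_STATUS_OK. The function body starts and ends outside this hunk.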
@@ -134,20 +150,24 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, #if 0 if (tkt->enc_part2) { - file_save("/tmp/authdata.dat", + file_save("/tmp/authdata.dat", tkt->enc_part2->authorization_data[0]->contents, tkt->enc_part2->authorization_data[0]->length); - } #endif if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt), principal))) { DEBUG(3,("krb5_unparse_name failed (%s)\n", error_message(ret))); + data_blob_free(auth_data); + data_blob_free(ap_rep); + krb5_auth_con_free(context, auth_context); return NT_STATUS_LOGON_FAILURE; } + krb5_auth_con_free(context, auth_context); + return NT_STATUS_OK; } -#endif +#endif /* HAVE_KRB5 */ |
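Review bot: On the `krb5_unparse_name` failure path the new cleanup frees `auth_data`, `ap_rep` and the auth context but leaves the session key in the caller's buffer even though NT_STATUS_LOGON_FAILURE is returned; adding `memset(session_key, 0, 16);` before that return keeps key material from a rejected logon out of the caller's memory. Neither exit path in this hunk releases `context`; if it was created with `krb5_init_context` earlier in the function (outside the hunk), a `krb5_free_context(context);` is needed next to each `krb5_auth_con_free` call, otherwise every authentication leaks a context. The hunk also deletes the closing `}` of the `if (tkt->enc_part2) {` block inside `#if 0`, so that debug block would no longer compile if it were re-enabled.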