diff options
| author | Günther Deschner <gd@samba.org> | 2006-04-25 12:24:25 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:16:29 -0500 |
| commit | 351e749246a278b60a7e18c1eeafdc8ec70efea2 (patch) | |
| tree | 7080fbf71b0f4cedfd4eeae1eb42478b2b327b49 /source3/libads | |
| parent | 66fd215dc754963c866c3c3402f65d6bd14b8dcd (diff) | |
| download | samba-351e749246a278b60a7e18c1eeafdc8ec70efea2.tar.gz samba-351e749246a278b60a7e18c1eeafdc8ec70efea2.tar.bz2 samba-351e749246a278b60a7e18c1eeafdc8ec70efea2.zip | |
r15240: Correctly disallow unauthorized access when logging on with the
kerberized pam_winbind and workstation restrictions are in effect.
The krb5 AS-REQ needs to add the host netbios-name in the address-list.
We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from
the edata of the KRB_ERROR but the login at least fails when the local
machine is not in the workstation list on the DC.
Guenther
(This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
Diffstat (limited to 'source3/libads')
| -rw-r--r-- | source3/libads/kerberos.c | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 960709a5f0..2dfdc31dd5 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -65,6 +65,7 @@ int kerberos_kinit_password_ext(const char *principal, time_t *renew_till_time, const char *cache_name, BOOL request_pac, + BOOL add_netbios_addr, time_t renewable_time) { krb5_context ctx = NULL; @@ -73,6 +74,7 @@ int kerberos_kinit_password_ext(const char *principal, krb5_principal me; krb5_creds my_creds; krb5_get_init_creds_opt opt; + smb_krb5_addresses *addr = NULL; initialize_krb5_error_table(); if ((code = krb5_init_context(&ctx))) @@ -101,19 +103,36 @@ int kerberos_kinit_password_ext(const char *principal, if (request_pac) { #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST - krb5_get_init_creds_opt_set_pac_request(ctx, &opt, True); + code = krb5_get_init_creds_opt_set_pac_request(ctx, &opt, True); + if (code) { + krb5_free_principal(ctx, me); + krb5_free_context(ctx); + return code; + } #endif } + if (add_netbios_addr) { + code = smb_krb5_gen_netbios_krb5_address(&addr); + if (code) { + krb5_free_principal(ctx, me); + krb5_free_context(ctx); + return code; + } + krb5_get_init_creds_opt_set_address_list(&opt, addr->addrs); + } + if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password), kerb_prompter, NULL, 0, NULL, &opt))) { + smb_krb5_free_addresses(ctx, addr); krb5_free_principal(ctx, me); krb5_free_context(ctx); return code; } if ((code = krb5_cc_initialize(ctx, cc, me))) { + smb_krb5_free_addresses(ctx, addr); krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); krb5_free_context(ctx); @@ -122,6 +141,7 @@ int kerberos_kinit_password_ext(const char *principal, if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { krb5_cc_close(ctx, cc); + smb_krb5_free_addresses(ctx, addr); krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); krb5_free_context(ctx); @@ -137,6 +157,7 @@ int kerberos_kinit_password_ext(const char *principal, } krb5_cc_close(ctx, cc); + smb_krb5_free_addresses(ctx, addr); krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); krb5_free_context(ctx); @@ -178,7 +199,7 @@ int ads_kinit_password(ADS_STRUCT *ads) } ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset, - &ads->auth.expire, NULL, NULL, False, ads->auth.renewable); + &ads->auth.expire, NULL, NULL, False, False, ads->auth.renewable); if (ret) { DEBUG(0,("kerberos_kinit_password %s failed: %s\n", @@ -812,6 +833,7 @@ int kerberos_kinit_password(const char *principal, 0, cache_name, False, + False, 0); } |