This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS

domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.

The routines used for this behaviour have been upgraded to modern Samba
codeing standards.

This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.

This is in line with existing behaviour for native mode domains, and for
our primary domain.

As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values.  These changes move more routines to ADS_STATUS to return
kerberos errors.

Also found when valgrinding the setup, fix a few memory leaks.

While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.

Andrew Bartlett
(This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)

3 files changed, 40 insertions, 32 deletions

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 1dc46ab0e6..707a33881d 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -500,19 +500,22 @@ static void use_in_memory_ccache(void) {
  Do a spnego/kerberos encrypted session setup.
 ****************************************************************************/
 
-static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup)
+static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup)
 {
 	DATA_BLOB blob2, negTokenTarg;
 	DATA_BLOB session_key_krb5;
 	DATA_BLOB null_blob = data_blob(NULL, 0);
-	
+	int rc;
+
 	DEBUG(2,("Doing kerberos session setup\n"));
 
 	/* generate the encapsulated kerberos5 ticket */
-	negTokenTarg = spnego_gen_negTokenTarg(principal, 0, &session_key_krb5);
+	rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5);
 
-	if (!negTokenTarg.data)
-		return NT_STATUS_UNSUCCESSFUL;
+	if (rc) {
+		DEBUG(1, ("spnego_gen_negTokenTarg failed: %s\n", error_message(rc)));
+		return ADS_ERROR_KRB5(rc);
+	}
 
 #if 0
 	file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length);
@@ -531,10 +534,10 @@ static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *pr
 
 	if (cli_is_error(cli)) {
 		if (NT_STATUS_IS_OK(cli_nt_error(cli))) {
-			return NT_STATUS_UNSUCCESSFUL;
+			return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
 		}
 	} 
-	return NT_STATUS_OK;
+	return ADS_ERROR_NT(cli_nt_error(cli));
 }
 #endif	/* HAVE_KRB5 */
 
@@ -661,7 +664,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use
  Do a spnego encrypted session setup.
 ****************************************************************************/
 
-NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, 
+ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, 
 			      const char *pass, const char *domain)
 {
 	char *principal;
@@ -689,7 +692,7 @@ NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 	   reply */
 	if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
 		data_blob_free(&blob);
-		return NT_STATUS_INVALID_PARAMETER;
+		return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
 	}
 	data_blob_free(&blob);
 
@@ -719,7 +722,7 @@ NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 			
 			if (ret){
 				DEBUG(0, ("Kinit failed: %s\n", error_message(ret)));
-				return NT_STATUS_LOGON_FAILURE;
+				return ADS_ERROR_KRB5(ret);
 			}
 		}
 		
@@ -731,7 +734,7 @@ NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 
 ntlmssp:
 
-	return cli_session_setup_ntlmssp(cli, user, pass, domain);
+	return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain));
 }
 
 /****************************************************************************
@@ -812,9 +815,9 @@ BOOL cli_session_setup(struct cli_state *cli,
 	/* if the server supports extended security then use SPNEGO */
 
 	if (cli->capabilities & CAP_EXTENDED_SECURITY) {
-		NTSTATUS nt_status;
-		if (!NT_STATUS_IS_OK(nt_status = cli_session_setup_spnego(cli, user, pass, workgroup))) {
-			DEBUG(3, ("SPENGO login failed: %s\n", get_friendly_nt_error_msg(nt_status)));
+		ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, workgroup);
+		if (!ADS_ERR_OK(status)) {
+			DEBUG(3, ("SPENGO login failed: %s\n", ads_errstr(status)));
 			return False;
 		}
 		return True;
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 5568b5e033..15b244a83d 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -307,14 +307,14 @@ cleanup_princ:
 /*
   get a kerberos5 ticket for the given service 
 */
-DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *session_key_krb5)
+int cli_krb5_get_ticket(const char *principal, time_t time_offset, 
+			DATA_BLOB *ticket, DATA_BLOB *session_key_krb5)
 {
 	krb5_error_code retval;
 	krb5_data packet;
 	krb5_ccache ccdef;
 	krb5_context context;
 	krb5_auth_context auth_context = NULL;
-	DATA_BLOB ret;
 	krb5_enctype enc_types[] = {
 #ifdef ENCTYPE_ARCFOUR_HMAC
 		ENCTYPE_ARCFOUR_HMAC,
@@ -356,17 +356,18 @@ DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BL
 
 	get_krb5_smb_session_key(context, auth_context, session_key_krb5, False);
 
-	ret = data_blob(packet.data, packet.length);
+	*ticket = data_blob(packet.data, packet.length);
+
 /* Hmm, heimdal dooesn't have this - what's the correct call? */
-/* 	krb5_free_data_contents(context, &packet); */
-	krb5_free_context(context);
-	return ret;
+#ifdef HAVE_KRB5_FREE_DATA_CONTENTS
+ 	krb5_free_data_contents(context, &packet); 
+#endif
 
 failed:
 	if ( context )
 		krb5_free_context(context);
 		
-	return data_blob(NULL, 0);
+	return retval;
 }
 
  BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote)
@@ -410,10 +411,11 @@ failed:
 
 #else /* HAVE_KRB5 */
  /* this saves a few linking headaches */
-DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *session_key_krb5)
- {
+int cli_krb5_get_ticket(const char *principal, time_t time_offset, 
+			DATA_BLOB *ticket, DATA_BLOB *session_key_krb5) 
+{
 	 DEBUG(0,("NO KERBEROS SUPPORT\n"));
-	 return data_blob(NULL, 0);
- }
+	 return 1;
+}
 
 #endif
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index 92543736ff..e6cadc466c 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -323,27 +323,30 @@ BOOL spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket, uint8 tok_id[2])
    generate a SPNEGO negTokenTarg packet, ready for a EXTENDED_SECURITY
    kerberos session setup 
 */
-DATA_BLOB spnego_gen_negTokenTarg(const char *principal, int time_offset, DATA_BLOB *session_key_krb5)
+int spnego_gen_negTokenTarg(const char *principal, int time_offset, 
+			    DATA_BLOB *targ, 
+			    DATA_BLOB *session_key_krb5)
 {
-	DATA_BLOB tkt, tkt_wrapped, targ;
+	int retval;
+	DATA_BLOB tkt, tkt_wrapped;
 	const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_NTLMSSP, NULL};
 
 	/* get a kerberos ticket for the service and extract the session key */
-	tkt = cli_krb5_get_ticket(principal, time_offset, session_key_krb5);
+	retval = cli_krb5_get_ticket(principal, time_offset, &tkt, session_key_krb5);
 
-	if (tkt.data == NULL)
-		return tkt;
+	if (retval)
+		return retval;
 
 	/* wrap that up in a nice GSS-API wrapping */
 	tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
 
 	/* and wrap that in a shiny SPNEGO wrapper */
-	targ = gen_negTokenTarg(krb_mechs, tkt_wrapped);
+	*targ = gen_negTokenTarg(krb_mechs, tkt_wrapped);
 
 	data_blob_free(&tkt_wrapped);
 	data_blob_free(&tkt);
 
-	return targ;
+	return retval;
 }