diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2010-09-23 17:01:44 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2010-09-24 09:25:44 +1000 |
| commit | f03913e2ccfcd75a9d569a5b6e9152b091e0014f (patch) | |
| tree | 4d4fa8e8c7013c1507ed791f4a76d37e7262965b /source4/auth/credentials | |
| parent | 062b0ebc04406a24c804ffe1d3a95eb0b4500199 (diff) | |
| download | samba-f03913e2ccfcd75a9d569a5b6e9152b091e0014f.tar.gz samba-f03913e2ccfcd75a9d569a5b6e9152b091e0014f.tar.bz2 samba-f03913e2ccfcd75a9d569a5b6e9152b091e0014f.zip | |
s4-kerberos Move 'set key into keytab' code out of credentials.
This code never really belonged in the credentials layer, and
is easier done with direct access to the ldb_message that is
in secrets.ldb.
Andrew Bartlett
Diffstat (limited to 'source4/auth/credentials')
| -rw-r--r-- | source4/auth/credentials/credentials.h | 4 | ||||
| -rw-r--r-- | source4/auth/credentials/credentials_files.c | 14 | ||||
| -rw-r--r-- | source4/auth/credentials/credentials_krb5.c | 56 |
3 files changed, 5 insertions, 69 deletions
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index b7a9540d86..b7023cd17b 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -142,6 +142,7 @@ struct cli_credentials { }; struct ldb_context; +struct ldb_message; struct loadparm_context; struct ccache_container; @@ -268,9 +269,6 @@ int cli_credentials_set_keytab_name(struct cli_credentials *cred, struct loadparm_context *lp_ctx, const char *keytab_name, enum credentials_obtained obtained); -int cli_credentials_update_keytab(struct cli_credentials *cred, - struct tevent_context *event_ctx, - struct loadparm_context *lp_ctx); void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features); uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds); int cli_credentials_set_ccache(struct cli_credentials *cred, diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 8ad395ddc8..e1990a8713 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -35,7 +35,6 @@ #include "lib/events/events.h" #include "dsdb/samdb/samdb.h" - /** * Read a file descriptor, and parse it for a password (eg from a file or stdin) * @@ -193,7 +192,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, const char *realm; enum netr_SchannelType sct; const char *salt_principal; - const char *keytab; + char *keytab; const struct ldb_val *whenChanged; /* ok, we are going to get it now, don't recurse back here */ @@ -310,17 +309,10 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, /* If there was an external keytab specified by reference in * the LDB, then use this. Otherwise we will make one up * (chewing CPU time) from the password */ - keytab = ldb_msg_find_attr_as_string(msg, "krb5Keytab", NULL); + keytab = keytab_name_from_msg(cred, ldb, msg); if (keytab) { cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED); - } else { - keytab = ldb_msg_find_attr_as_string(msg, "privateKeytab", NULL); - if (keytab) { - keytab = talloc_asprintf(mem_ctx, "FILE:%s", samdb_relative_path(ldb, mem_ctx, keytab)); - if (keytab) { - cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED); - } - } + talloc_free(keytab); } talloc_free(mem_ctx); diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c index 4021146821..6e11a5fb02 100644 --- a/source4/auth/credentials/credentials_krb5.c +++ b/source4/auth/credentials/credentials_krb5.c @@ -595,7 +595,6 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, krb5_error_code ret; struct keytab_container *ktc; struct smb_krb5_context *smb_krb5_context; - const char **enctype_strings; TALLOC_CTX *mem_ctx; if (cred->keytab_obtained >= (MAX(cred->principal_obtained, @@ -619,11 +618,8 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, return ENOMEM; } - enctype_strings = cli_credentials_get_enctype_strings(cred); - ret = smb_krb5_create_memory_keytab(mem_ctx, cred, - smb_krb5_context, - enctype_strings, &ktc); + smb_krb5_context, &ktc); if (ret) { talloc_free(mem_ctx); return ret; @@ -682,41 +678,6 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred, return ret; } -_PUBLIC_ int cli_credentials_update_keytab(struct cli_credentials *cred, - struct tevent_context *event_ctx, - struct loadparm_context *lp_ctx) -{ - krb5_error_code ret; - struct keytab_container *ktc; - struct smb_krb5_context *smb_krb5_context; - const char **enctype_strings; - TALLOC_CTX *mem_ctx; - - mem_ctx = talloc_new(cred); - if (!mem_ctx) { - return ENOMEM; - } - - ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context); - if (ret) { - talloc_free(mem_ctx); - return ret; - } - - enctype_strings = cli_credentials_get_enctype_strings(cred); - - ret = cli_credentials_get_keytab(cred, event_ctx, lp_ctx, &ktc); - if (ret != 0) { - talloc_free(mem_ctx); - return ret; - } - - ret = smb_krb5_update_keytab(mem_ctx, cred, smb_krb5_context, enctype_strings, ktc); - - talloc_free(mem_ctx); - return ret; -} - /* Get server gss credentials (in gsskrb5, this means the keytab) */ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, @@ -810,21 +771,6 @@ _PUBLIC_ int cli_credentials_get_kvno(struct cli_credentials *cred) } -const char **cli_credentials_get_enctype_strings(struct cli_credentials *cred) -{ - /* If this is ever made user-configurable, we need to add code - * to remove/hide the other entries from the generated - * keytab */ - static const char *default_enctypes[] = { - "des-cbc-md5", - "aes256-cts-hmac-sha1-96", - "des3-cbc-sha1", - "arcfour-hmac-md5", - NULL - }; - return default_enctypes; -} - const char *cli_credentials_get_salt_principal(struct cli_credentials *cred) { return cred->salt_principal; |