summaryrefslogtreecommitdiff
path: root/source4/auth/credentials
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2007-04-28 16:38:06 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:51:43 -0500
commit729674054aa461b17a43a371f6891263d700ac7a (patch)
treee23ab3d59d95a505720791e27b2bfcf37c69ccc9 /source4/auth/credentials
parentf34c57f4fc1a1817735ddb653011e6deb0edf912 (diff)
downloadsamba-729674054aa461b17a43a371f6891263d700ac7a.tar.gz
samba-729674054aa461b17a43a371f6891263d700ac7a.tar.bz2
samba-729674054aa461b17a43a371f6891263d700ac7a.zip
r22558: Move to a static list of enctypes to put into our keytab. In future,
I'll allow this to be configured from the secrets.ldb, but it should fix some user issues. Andrew Bartlett (This used to be commit 0fd74ada220fb07d4ebe8c2d9b8ae50a387c2695)
Diffstat (limited to 'source4/auth/credentials')
-rw-r--r--source4/auth/credentials/credentials_krb5.c38
1 files changed, 34 insertions, 4 deletions
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index 7ba23ad9b6..69fb9e7b33 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -141,7 +141,10 @@ int cli_credentials_set_ccache(struct cli_credentials *cred,
talloc_free(ccc);
return ret;
}
- talloc_reference(ccc, ccc->smb_krb5_context);
+ if (!talloc_reference(ccc, ccc->smb_krb5_context)) {
+ talloc_free(ccc);
+ return ENOMEM;
+ }
if (name) {
ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, name, &ccc->ccache);
@@ -218,7 +221,10 @@ int cli_credentials_new_ccache(struct cli_credentials *cred, struct ccache_conta
talloc_free(ccc);
return ret;
}
- talloc_reference(ccc, ccc->smb_krb5_context);
+ if (!talloc_reference(ccc, ccc->smb_krb5_context)) {
+ talloc_free(ccc);
+ return ENOMEM;
+ }
ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, ccache_name, &ccc->ccache);
if (ret) {
@@ -394,6 +400,7 @@ int cli_credentials_get_keytab(struct cli_credentials *cred,
krb5_error_code ret;
struct keytab_container *ktc;
struct smb_krb5_context *smb_krb5_context;
+ const char **enctype_strings;
TALLOC_CTX *mem_ctx;
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
@@ -416,7 +423,11 @@ int cli_credentials_get_keytab(struct cli_credentials *cred,
return ENOMEM;
}
- ret = smb_krb5_create_memory_keytab(mem_ctx, cred, smb_krb5_context, &ktc);
+ enctype_strings = cli_credentials_get_enctype_strings(cred);
+
+ ret = smb_krb5_create_memory_keytab(mem_ctx, cred,
+ smb_krb5_context,
+ enctype_strings, &ktc);
if (ret) {
talloc_free(mem_ctx);
return ret;
@@ -478,6 +489,7 @@ int cli_credentials_update_keytab(struct cli_credentials *cred)
krb5_error_code ret;
struct keytab_container *ktc;
struct smb_krb5_context *smb_krb5_context;
+ const char **enctype_strings;
TALLOC_CTX *mem_ctx;
mem_ctx = talloc_new(cred);
@@ -491,13 +503,15 @@ int cli_credentials_update_keytab(struct cli_credentials *cred)
return ret;
}
+ enctype_strings = cli_credentials_get_enctype_strings(cred);
+
ret = cli_credentials_get_keytab(cred, &ktc);
if (ret != 0) {
talloc_free(mem_ctx);
return ret;
}
- ret = smb_krb5_update_keytab(mem_ctx, cred, smb_krb5_context, ktc);
+ ret = smb_krb5_update_keytab(mem_ctx, cred, smb_krb5_context, enctype_strings, ktc);
talloc_free(mem_ctx);
return ret;
@@ -594,6 +608,22 @@ int cli_credentials_get_kvno(struct cli_credentials *cred)
return cred->kvno;
}
+
+const char **cli_credentials_get_enctype_strings(struct cli_credentials *cred)
+{
+ /* If this is ever made user-configurable, we need to add code
+ * to remove/hide the other entries from the generated
+ * keytab */
+ static const char *default_enctypes[] = {
+ "des-cbc-md5",
+ "aes256-cts-hmac-sha1-96",
+ "des3-cbc-sha1",
+ "arcfour-hmac-md5",
+ NULL
+ };
+ return default_enctypes;
+}
+
const char *cli_credentials_get_salt_principal(struct cli_credentials *cred)
{
return cred->salt_principal;