authorAndrew Bartlett <abartlet@samba.org>2005-10-20 10:15:31 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:04 -0500
commit532b16f3d5b55c91f10ef747b13861be1a969dce (patch)
tree3c86ba7517896584f821a623f6ad478570d554f7 /source4/auth/gensec
parent10989431e533bd60de242dbd78c4b62c4ace7812 (diff)
r11216: Upgrade to gd's PAC extraction code from Samba3. While I still want
to make some of this the kerberos library's problem, we may as well use the best code that is around. Andrew Bartlett (This used to be commit a7fe3078a65f958499779f381731b408f3e6fb1f)
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c17
-rw-r--r--source4/auth/gensec/gensec_krb5.c53
2 files changed, 39 insertions, 31 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 97543de445..42141e4df2 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -822,6 +822,8 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
time_t authtime;
krb5_principal principal;
char *principal_string;
+ DATA_BLOB pac_blob;
+ DATA_BLOB unwrapped_pac;
if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
|| (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
@@ -866,12 +868,19 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
KRB5_AUTHDATA_IF_RELEVANT,
&pac);
}
+
+ if (maj_stat == 0) {
+ pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length);
+ gss_release_buffer(&min_stat, &pac);
+
+ if (!unwrap_pac(mem_ctx, &pac_blob, &unwrapped_pac)) {
+ /* No pac actually present */
+ maj_stat = 1;
+ }
+ }
if (maj_stat == 0) {
krb5_error_code ret;
- DATA_BLOB pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length);
- pac_blob = unwrap_pac(mem_ctx, &pac_blob);
- gss_release_buffer(&min_stat, &pac);
ret = krb5_parse_name(gensec_gssapi_state->smb_krb5_context->krb5_context,
principal_string, &principal);
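Review bot: `maj_stat = 1;` on the unwrap_pac failure path reuses a GSS-API major status word as an ad-hoc "no PAC" flag, and 1 is the value of GSS_S_CONTINUE_NEEDED, so the following `if (maj_stat == 0)` reads as a GSS status check when it is really a "PAC is usable" check. A dedicated flag, `BOOL have_pac = False;` set to True only when unwrap_pac succeeds and tested instead of maj_stat, would make the intent explicit; that same gate is what guarantees `unwrapped_pac` is initialized before the kerberos_pac_logon_info call in the @@ -881 hunk. The copy in `pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length);` is also passed to unwrap_pac without checking it succeeded; if the allocation fails the blob presumably carries a NULL data pointer, so a check such as `if (pac.length && pac_blob.data == NULL) return NT_STATUS_NO_MEMORY;` (or treating it as "no PAC") belongs before the unwrap. gensec_gssapi_session_info starts and ends outside this hunk.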
@@ -881,7 +890,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
}
/* decode and verify the pac */
- nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info, pac_blob,
+ nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info, unwrapped_pac,
gensec_gssapi_state->smb_krb5_context->krb5_context,
NULL, keyblock, principal, authtime);
krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index eff30bbfd1..5297a1d964 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -471,7 +471,7 @@ static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security,
static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
struct auth_session_info **_session_info)
{
- NTSTATUS nt_status;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
struct auth_serversupplied_info *server_info = NULL;
struct auth_session_info *session_info = NULL;
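Review bot: The new initializer `NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;` is load-bearing for the restructured body in the next hunk, where the non-PAC fallback runs on `if (!NT_STATUS_IS_OK(nt_status))` and nothing assigns nt_status when get_auth_data_from_tkt returns no auth data, but nothing at the declaration says so. A comment on the line would stop the next reader from "fixing" it back to a plain declaration: `/* stays failed when no PAC is found, so the non-PAC lookup below runs */`. In that next hunk `talloc_free(mem_ctx);` is reached only inside the got_auth_data branch; whether the no-auth-data path also frees mem_ctx is decided past the visible end of the function, so it is worth confirming. gensec_krb5_session_info's body continues beyond this hunk.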
@@ -479,45 +479,44 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
krb5_const_principal client_principal;
- DATA_BLOB pac_wrapped;
DATA_BLOB pac;
+ BOOL got_auth_data;
+
TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
-
- pac_wrapped = get_auth_data_from_tkt(mem_ctx, gensec_krb5_state->ticket);
-
- pac = unwrap_pac(mem_ctx, &pac_wrapped);
-
- client_principal = get_principal_from_tkt(gensec_krb5_state->ticket);
-
- /* decode and verify the pac */
- nt_status = kerberos_pac_logon_info(gensec_krb5_state, &logon_info, pac,
- gensec_krb5_state->smb_krb5_context->krb5_context,
- NULL, gensec_krb5_state->keyblock,
- client_principal,
- gensec_krb5_state->ticket->ticket.authtime);
+
+ got_auth_data = get_auth_data_from_tkt(mem_ctx, &pac, gensec_krb5_state->ticket);
/* IF we have the PAC - otherwise we need to get this
* data from elsewere - local ldb, or (TODO) lookup of some
* kind...
- *
- * when heimdal can generate the PAC, we should fail if there's
- * no PAC present
*/
+ if (got_auth_data) {
- if (NT_STATUS_IS_OK(nt_status)) {
- union netr_Validation validation;
- validation.sam3 = &logon_info->info3;
- nt_status = make_server_info_netlogon_validation(gensec_krb5_state,
- NULL,
- 3, &validation,
- &server_info);
+ client_principal = get_principal_from_tkt(gensec_krb5_state->ticket);
+
+ /* decode and verify the pac */
+ nt_status = kerberos_pac_logon_info(gensec_krb5_state, &logon_info, pac,
+ gensec_krb5_state->smb_krb5_context->krb5_context,
+ NULL, gensec_krb5_state->keyblock,
+ client_principal,
+ gensec_krb5_state->ticket->ticket.authtime);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ union netr_Validation validation;
+ validation.sam3 = &logon_info->info3;
+ nt_status = make_server_info_netlogon_validation(gensec_krb5_state,
+ NULL,
+ 3, &validation,
+ &server_info);
+ }
talloc_free(mem_ctx);
- NT_STATUS_NOT_OK_RETURN(nt_status);
- } else {
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ /* NO pac, or can't parse or verify it */
krb5_error_code ret;
DATA_BLOB user_sess_key = data_blob(NULL, 0);
DATA_BLOB lm_sess_key = data_blob(NULL, 0);