diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-10-26 23:41:01 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:18 -0500 |
commit | 14a3abd5591a7c310bdd2638e5c06833dc2c8f92 (patch) | |
tree | 5c1036f7ece29289ec9d1ede93ceb5a254dbd978 /source4/auth/gensec | |
parent | 22c912329601d141fdba7359eb6dcec7a84dae69 (diff) | |
download | samba-14a3abd5591a7c310bdd2638e5c06833dc2c8f92.tar.gz samba-14a3abd5591a7c310bdd2638e5c06833dc2c8f92.tar.bz2 samba-14a3abd5591a7c310bdd2638e5c06833dc2c8f92.zip |
r11314: Use a patch from lha to have the kerberos libs extract the PAC, rather
than doing ASN.1 parsing in Samba.
Also use the API function for getting a client from a ticket, rather
than just digging in the structure.
Andrew Bartlett
(This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 9 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 54 |
2 files changed, 44 insertions, 19 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 86ecb604ae..37c8333da3 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -873,18 +873,13 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi if (maj_stat == 0) { maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat, gensec_gssapi_state->gssapi_context, - KRB5_AUTHDATA_IF_RELEVANT, + KRB5_AUTHDATA_WIN2K_PAC, &pac); } if (maj_stat == 0) { pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length); gss_release_buffer(&min_stat, &pac); - - if (!unwrap_pac(mem_ctx, &pac_blob, &unwrapped_pac)) { - /* No pac actually present */ - maj_stat = 1; - } } /* IF we have the PAC - otherwise we need to get this @@ -902,7 +897,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi } /* decode and verify the pac */ - nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info, unwrapped_pac, + nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info, pac_blob, gensec_gssapi_state->smb_krb5_context->krb5_context, NULL, keyblock, principal, authtime); krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal); diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 3ed38a435c..36cfc49196 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -473,30 +473,44 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security { NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data; + krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context; struct auth_serversupplied_info *server_info = NULL; struct auth_session_info *session_info = NULL; struct PAC_LOGON_INFO *logon_info; - krb5_const_principal client_principal; + krb5_principal client_principal; DATA_BLOB pac; + krb5_data pac_data; - BOOL got_auth_data; + krb5_error_code ret; TALLOC_CTX *mem_ctx = talloc_new(gensec_security); if (!mem_ctx) { return NT_STATUS_NO_MEMORY; } - got_auth_data = get_auth_data_from_tkt(mem_ctx, &pac, gensec_krb5_state->ticket); - - /* IF we have the PAC - otherwise we need to get this - * data from elsewere - local ldb, or (TODO) lookup of some - * kind... - */ - if (got_auth_data) { + ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket, + KRB5_AUTHDATA_WIN2K_PAC, + &pac_data); + + if (ret) { + DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", + smb_get_krb5_error_message(context, + ret, mem_ctx))); + } else { + pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length); + if (!pac.data) { + return NT_STATUS_NO_MEMORY; + } - client_principal = get_principal_from_tkt(gensec_krb5_state->ticket); + ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal); + if (ret) { + DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n", + smb_get_krb5_error_message(context, + ret, mem_ctx))); + return NT_STATUS_NO_MEMORY; + } /* decode and verify the pac */ nt_status = kerberos_pac_logon_info(gensec_krb5_state, &logon_info, pac, @@ -504,6 +518,8 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security NULL, gensec_krb5_state->keyblock, client_principal, gensec_krb5_state->ticket->ticket.authtime); + krb5_free_principal(context, client_principal); + if (NT_STATUS_IS_OK(nt_status)) { union netr_Validation validation; validation.sam3 = &logon_info->info3; @@ -515,12 +531,26 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security talloc_free(mem_ctx); } + + + /* IF we have the PAC - otherwise we need to get this + * data from elsewere - local ldb, or (TODO) lookup of some + * kind... + */ if (!NT_STATUS_IS_OK(nt_status)) { /* NO pac, or can't parse or verify it */ - krb5_error_code ret; char *principal_string; + ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal); + if (ret) { + DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n", + smb_get_krb5_error_message(context, + ret, mem_ctx))); + return NT_STATUS_NO_MEMORY; + } + ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context, - get_principal_from_tkt(gensec_krb5_state->ticket), &principal_string); + client_principal, &principal_string); + krb5_free_principal(context, client_principal); if (ret) { return NT_STATUS_NO_MEMORY; } |