author | Andrew Bartlett <abartlet@samba.org> | 2005-07-09 01:58:38 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:19:25 -0500 |
commit | c0a78453a77fb0aa42d676635778a75204b6869c (patch) | |
tree | b8e6aee36941ffafe9858dbfbcebd93ab33e0f56 /source4/auth/gensec | |
parent | 37cf22a39eec62a62d5ad30d9419ce4e159dff31 (diff) | |
r8250: More PAC work. We now successfully verify the KDC signature from my DC
(I have included the krbtgt key from my test network).
It turns out the krbtgt signature is over the 16 (or whatever,
enc-type dependent) bytes of the signature, not the entire structure.
Also do not even try to use Kerberos or GSSAPI on an IP address, it
will only fail.
Andrew Bartlett
(This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 14 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 10 |
2 files changed, 20 insertions, 4 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 2b7c4ca2cc..e6049edc58 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -228,6 +228,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 	NTSTATUS nt_status;
 	gss_buffer_desc name_token;
 	OM_uint32 maj_stat, min_stat;
+	const char *hostname = gensec_get_target_hostname(gensec_security);
+
+	if (!hostname) {
+		DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	if (is_ipaddress(hostname)) {
+		DEBUG(2, ("Cannot do GSSAPI to a IP address"));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 	nt_status = gensec_gssapi_start(gensec_security);
 	if (!NT_STATUS_IS_OK(nt_status)) {
@@ -238,7 +248,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 	name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s",
 					   gensec_get_target_service(gensec_security),
-					   gensec_get_target_hostname(gensec_security));
+					   hostname);
 	name_token.length = strlen(name_token.value);
 	maj_stat = gss_import_name (&min_stat,
@@ -786,7 +796,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 		/* decode and verify the pac */
 		nt_status = kerberos_decode_pac(mem_ctx, &logon_info, pac_blob,
 						gensec_gssapi_state->smb_krb5_context,
-						keyblock);
+						NULL, keyblock);
 		if (NT_STATUS_IS_OK(nt_status)) {
 			union netr_Validation validation;
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 69dae1c8d9..168b6df364 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
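Review bot: The new `DEBUG(2, ("Cannot do GSSAPI to a IP address"))` in gensec_gssapi_client_start is missing the trailing newline that the neighbouring `DEBUG(1, ...)` message carries, so the next log line will be glued onto it; it also reads "a IP address". I would change it to `DEBUG(2, ("Cannot do GSSAPI to an IP address %s\n", hostname));` so the log shows which target was refused and the rejection can be correlated with a client that was pointed at an IP rather than a name. The rest of gensec_gssapi_client_start lies outside the hunk.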
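Review bot: The new `NULL, keyblock` argument pair passed to kerberos_decode_pac in gensec_gssapi_session_info is undocumented, and the commit message says the KDC (krbtgt) signature is now verified, so a reader will assume both PAC checksums are checked here; from the hunk alone it looks as if the first key is not supplied at this call site, which presumably means only the service checksum is verified. I would add a comment above the call, along the lines of `/* krbtgt key not available here, so only the server checksum is verified (the KDC checksum needs the krbtgt key) */`, so the missing verification is explicit rather than silent; please confirm the parameter's meaning against kerberos_decode_pac's declaration. The enclosing function starts and ends outside the hunk.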
@@ -138,8 +138,13 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 	const char *hostname = gensec_get_target_hostname(gensec_security);
 	if (!hostname) {
 		DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
-		return NT_STATUS_ACCESS_DENIED;
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	if (is_ipaddress(hostname)) {
+		DEBUG(2, ("Cannot do GSSAPI to a IP address"));
+		return NT_STATUS_INVALID_PARAMETER;
 	}
+
 	nt_status = gensec_krb5_start(gensec_security);
 	if (!NT_STATUS_IS_OK(nt_status)) {
@@ -444,7 +449,8 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 		/* decode and verify the pac */
 		nt_status = kerberos_decode_pac(gensec_krb5_state, &logon_info, gensec_krb5_state->pac,
-						gensec_krb5_state->smb_krb5_context, (gensec_krb5_state->keyblock));
+						gensec_krb5_state->smb_krb5_context,
+						NULL, gensec_krb5_state->keyblock);
 		/* IF we have the PAC - otherwise we need to get this
 		 * data from elsewere - local ldb, or (TODO) lookup of some |
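Review bot: The message added to gensec_krb5_client_start, `DEBUG(2, ("Cannot do GSSAPI to a IP address"))`, was copied from the GSSAPI backend and names the wrong mechanism for this file, and like its twin it lacks a trailing newline. I would make it `DEBUG(2, ("Cannot do Kerberos to an IP address %s\n", hostname));` so the log identifies both the backend that refused and the target it refused. Returning NT_STATUS_INVALID_PARAMETER instead of NT_STATUS_ACCESS_DENIED for a missing hostname is a visible change in the error callers see; if any caller keyed on ACCESS_DENIED to decide on a fallback mechanism, that is worth a one-line comment on the return. The function continues past the end of the hunk.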
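Review bot: In gensec_krb5_session_info the kerberos_decode_pac call now passes `NULL` ahead of `gensec_krb5_state->keyblock` with no explanation, while the commit message claims the krbtgt signature is now verified; if that first argument is the krbtgt key, this call site verifies only the service-key checksum, which a reader of the "decode and verify the pac" comment will not expect. I would extend that comment to `/* decode and verify the pac: no krbtgt key here, so only the server checksum is verified */` (confirm the parameter's role against the kerberos_decode_pac prototype). The enclosing function starts and ends outside the hunk.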