diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2005-10-20 03:47:55 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:00 -0500 |
| commit | 372ca26b2052e267711a45c8bf341f55505f3f8f (patch) | |
| tree | 8c13e34fdac62ca762972d25cfe95b053bff93fa /source4/auth/kerberos/kerberos.h | |
| parent | 9e25f33a1a06e1374bb643cb087af0e0bedb99c7 (diff) | |
| download | samba-372ca26b2052e267711a45c8bf341f55505f3f8f.tar.gz samba-372ca26b2052e267711a45c8bf341f55505f3f8f.tar.bz2 samba-372ca26b2052e267711a45c8bf341f55505f3f8f.zip | |
r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
Diffstat (limited to 'source4/auth/kerberos/kerberos.h')
| -rw-r--r-- | source4/auth/kerberos/kerberos.h | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h index bc2a1babe9..13a82b0575 100644 --- a/source4/auth/kerberos/kerberos.h +++ b/source4/auth/kerberos/kerberos.h @@ -28,6 +28,12 @@ struct ccache_container { krb5_ccache ccache; }; + +struct keytab_container { + struct smb_krb5_context *smb_krb5_context; + krb5_keytab keytab; +}; + /* not really ASN.1, but RFC 1964 */ #define TOK_ID_KRB_AP_REQ "\x01\x00" #define TOK_ID_KRB_AP_REP "\x02\x00" @@ -81,14 +87,15 @@ krb5_error_code ads_krb5_mk_req(krb5_context context, krb5_data *outbuf); DATA_BLOB get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, krb5_ticket *tkt); -NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, - struct smb_krb5_context *smb_krb5_context, - krb5_auth_context *auth_context, - const char *realm, const char *service, - const DATA_BLOB *enc_ticket, - krb5_ticket **tkt, - DATA_BLOB *ap_rep, - krb5_keyblock **keyblock); + NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, + struct smb_krb5_context *smb_krb5_context, + krb5_auth_context *auth_context, + struct cli_credentials *machine_account, + const char *service, + const DATA_BLOB *enc_ticket, + krb5_ticket **tkt, + DATA_BLOB *ap_rep, + krb5_keyblock **keyblock); int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, krb5_principal principal, const char *password, time_t *expire_time, time_t *kdc_time); @@ -115,10 +122,10 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, struct cli_credentials *credentials, struct smb_krb5_context *smb_krb5_context, krb5_principal *princ); -NTSTATUS create_memory_keytab(TALLOC_CTX *parent_ctx, - struct cli_credentials *machine_account, - struct smb_krb5_context *smb_krb5_context, - krb5_keytab *keytab); +int create_memory_keytab(TALLOC_CTX *parent_ctx, + struct cli_credentials *machine_account, + struct smb_krb5_context *smb_krb5_context, + struct keytab_container **keytab_container); NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, struct PAC_DATA **pac_data_out, DATA_BLOB blob, |