author | Andrew Bartlett <abartlet@samba.org> | 2005-06-29 13:55:09 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:18:57 -0500 |
commit | 9a7481bcfeff29495334eff8803878c2c238878f (patch) | |
tree | 040ffa0f4b35ebe93b749a7b32166a9be1e525ad /source4/auth/kerberos/kerberos_verify.c | |
parent | f4e75294be1f4c9d110d4ca48c5143078ade2bce (diff) | |
r7993: Further work on the Krb5 PAC.
We now generate the PAC, and can verify both our own PAC and the PAC
from Win2k3.
This commit adds the PAC generation code, splits out the code to get
the information we need from the NETLOGON server back into an auth/
helper function, and adds a number of glue functions.
In the process of building the PAC generation code, some hints in the
Microsoft PAC specification shed light on other parts of the code, and
the updates to samr.idl and netlogon.idl come from those hints.
Also in this commit:
The Heimdal build package has been split up, so as to only link the
KDC with smbd, not the client utils.
To enable the PAC to be verified with gensec_krb5 (which isn't quite
dead yet), the keyblock has been passed back to the calling layer.
Andrew Bartlett
(This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
Diffstat (limited to 'source4/auth/kerberos/kerberos_verify.c')
-rw-r--r-- | source4/auth/kerberos/kerberos_verify.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/source4/auth/kerberos/kerberos_verify.c b/source4/auth/kerberos/kerberos_verify.c index 01b8a75c95..b140eb6ae9 100644 --- a/source4/auth/kerberos/kerberos_verify.c +++ b/source4/auth/kerberos/kerberos_verify.c @@ -75,7 +75,7 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex const char *service, const DATA_BLOB *ticket, krb5_data *p_packet, krb5_ticket **pp_tkt, - krb5_keyblock *keyblock) + krb5_keyblock **keyblock) { krb5_error_code ret = 0; krb5_keytab keytab = NULL; @@ -149,7 +149,9 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex p_packet->length = ticket->length; p_packet->data = (krb5_pointer)ticket->data; *pp_tkt = NULL; - ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt); + ret = krb5_rd_req_return_keyblock(context, &auth_context, p_packet, + kt_entry.principal, keytab, + NULL, pp_tkt, keyblock); if (ret) { last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx); DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n", @@ -224,7 +226,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_principal salt_princ, const DATA_BLOB *ticket, krb5_data *p_packet, krb5_ticket **pp_tkt, - krb5_keyblock *keyblock) + krb5_keyblock **keyblock) { krb5_error_code ret = 0; krb5_error_code our_ret; @@ -274,9 +276,10 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_free_keyblock(context, key); - our_ret = krb5_rd_req(context, &auth_context, p_packet, - NULL, - NULL, NULL, pp_tkt); + our_ret = krb5_rd_req_return_keyblock(context, &auth_context, p_packet, + NULL, + NULL, NULL, pp_tkt, + keyblock); if (!our_ret) { DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n", 
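Review bot: The new out-parameter is never reset before the call in the `@@ -149,7 +149,9 @@` hunk: `*pp_tkt = NULL;` is set just ahead of `krb5_rd_req_return_keyblock(...)`, but there is no matching `*keyblock = NULL;`. If this call sits inside the per-keytab-entry retry that the DEBUG text suggests (the enclosing function starts and ends outside the hunk), a failed attempt may leave the caller holding an uninitialised or stale pointer to key material that it later uses or frees. Adding `*keyblock = NULL;` beside `*pp_tkt = NULL;` makes the failure state well defined, and the same applies to the call in ads_secrets_verify_ticket in the `@@ -274,9 +276,10 @@` hunk. The DEBUG message on the failure path still names `krb5_rd_req`, so it no longer matches the function actually called.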
@@ -311,7 +314,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, char **principal, DATA_BLOB *auth_data, DATA_BLOB *ap_rep, - krb5_keyblock *keyblock) + krb5_keyblock **keyblock) { NTSTATUS sret = NT_STATUS_LOGON_FAILURE; krb5_data packet; |
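Review bot: The `krb5_keyblock **keyblock` parameter introduced in this signature has no documented ownership contract; the function's name and body lie outside the hunk, so this is based on the parameter list alone. Because the value is filled in by `krb5_rd_req_return_keyblock` further up the call chain, the caller presumably owns the returned key and has to release it with `krb5_free_keyblock`, which is easy to miss in code that otherwise relies on talloc for cleanup. A comment above the function such as `/* On success *keyblock receives the key returned by krb5_rd_req_return_keyblock(); the caller must release it with krb5_free_keyblock(). */` would make that explicit. It should also say what `*keyblock` holds on failure and whether passing NULL is permitted.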