summaryrefslogtreecommitdiff
path: root/source4/auth/kerberos
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-08-29 04:30:22 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:34:54 -0500
commit24186a80eb4887b5fb3e72e4b877b456cbe8e35f (patch)
tree4f5b7d9147ec0b450ca0da5023113c8c5aad2182 /source4/auth/kerberos
parent1a316fd8c50e501b5d69bb47ff5d1d483b02b04e (diff)
downloadsamba-24186a80eb4887b5fb3e72e4b877b456cbe8e35f.tar.gz
samba-24186a80eb4887b5fb3e72e4b877b456cbe8e35f.tar.bz2
samba-24186a80eb4887b5fb3e72e4b877b456cbe8e35f.zip
r9728: A *major* update to the credentials system, to incorporate the
Kerberos CCACHE into the system. This again allows the use of the system ccache when no username is specified, and brings more code in common between gensec_krb5 and gensec_gssapi. It also has a side-effect that may (or may not) be expected: If there is a ccache, even if it is not used (perhaps the remote server didn't want kerberos), it will change the default username. Andrew Bartlett (This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
Diffstat (limited to 'source4/auth/kerberos')
-rw-r--r--source4/auth/kerberos/kerberos.h9
-rw-r--r--source4/auth/kerberos/kerberos_util.c59
2 files changed, 18 insertions, 50 deletions
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 954ac7dc57..8cc8e561ac 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -34,6 +34,10 @@ struct smb_krb5_context {
#endif
};
+struct ccache_container {
+ struct smb_krb5_context *smb_krb5_context;
+ krb5_ccache ccache;
+};
/* not really ASN.1, but RFC 1964 */
#define TOK_ID_KRB_AP_REQ "\x01\x00"
@@ -111,11 +115,10 @@ BOOL kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, k
void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
-NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx,
+ krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
struct cli_credentials *credentials,
struct smb_krb5_context *smb_krb5_context,
- krb5_ccache *ccache,
- const char **ccache_name);
+ krb5_ccache ccache);
krb5_error_code smb_krb5_init_context(TALLOC_CTX *parent_ctx,
struct smb_krb5_context **smb_krb5_context);
krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index d455dac572..9dc8621b0e 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -33,11 +33,6 @@ struct principal_container {
krb5_principal principal;
};
-struct ccache_container {
- struct smb_krb5_context *smb_krb5_context;
- krb5_ccache ccache;
-};
-
struct keytab_container {
struct smb_krb5_context *smb_krb5_context;
krb5_keytab keytab;
@@ -65,7 +60,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
return ENOMEM;
}
- machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account));
+ machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account, mem_ctx));
if (!machine_username) {
talloc_free(mem_ctx);
@@ -100,58 +95,30 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
return ret;
}
-static int free_ccache(void *ptr) {
- struct ccache_container *ccc = ptr;
- /* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
- krb5_cc_close(ccc->smb_krb5_context->krb5_context, ccc->ccache);
-
- return 0;
-}
-
/**
* Return a freshly allocated ccache (destroyed by destructor on child
* of parent_ctx), for a given set of client credentials
*/
- NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx,
+ krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
struct cli_credentials *credentials,
struct smb_krb5_context *smb_krb5_context,
- krb5_ccache *ccache,
- const char **ccache_name)
+ krb5_ccache ccache)
{
krb5_error_code ret;
const char *password;
- char *ccache_string;
time_t kdc_time = 0;
- struct ccache_container *mem_ctx = talloc(parent_ctx, struct ccache_container);
+
+ TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
if (!mem_ctx) {
- return NT_STATUS_NO_MEMORY;
+ return ENOMEM;
}
password = cli_credentials_get_password(credentials);
- /* this string should be unique */
- ccache_string = talloc_asprintf(mem_ctx, "MEMORY:%s_%s",
- cli_credentials_get_principal(credentials, mem_ctx),
- generate_random_str(mem_ctx, 16));
-
- ret = krb5_cc_resolve(smb_krb5_context->krb5_context, ccache_string, ccache);
- if (ret) {
- DEBUG(1,("failed to generate a new krb5 ccache (%s): %s\n",
- ccache_string,
- error_message(ret)));
- talloc_free(mem_ctx);
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
- mem_ctx->ccache = *ccache;
-
- talloc_set_destructor(mem_ctx, free_ccache);
-
if (password) {
- ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache,
+ ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache,
cli_credentials_get_principal(credentials, mem_ctx),
password, NULL, &kdc_time);
} else {
@@ -163,7 +130,7 @@ static int free_ccache(void *ptr) {
if (!mach_pwd) {
talloc_free(mem_ctx);
DEBUG(1, ("kinit_to_ccache: No password available for kinit\n"));
- return NT_STATUS_WRONG_PASSWORD;
+ return EINVAL;
}
ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
ENCTYPE_ARCFOUR_HMAC,
@@ -171,7 +138,7 @@ static int free_ccache(void *ptr) {
&keyblock);
if (ret == 0) {
- ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, *ccache,
+ ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache,
cli_credentials_get_principal(credentials, mem_ctx),
&keyblock, NULL, &kdc_time);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
@@ -192,7 +159,7 @@ static int free_ccache(void *ptr) {
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
- return NT_STATUS_TIME_DIFFERENCE_AT_DC;
+ return ret;
}
if (ret) {
DEBUG(1,("kinit for %s failed (%s)\n",
@@ -200,11 +167,9 @@ static int free_ccache(void *ptr) {
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
- return NT_STATUS_WRONG_PASSWORD;
+ return ret;
}
- *ccache_name = ccache_string;
-
- return NT_STATUS_OK;
+ return 0;
}
static int free_keytab(void *ptr) {