summaryrefslogtreecommitdiff
path: root/source4/auth/kerberos
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-03-29 08:24:03 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:11:20 -0500
commit7cabdeb7ec84c7c0b3e9b907e19f4e240b7fc4ca (patch)
tree39fb9a70a787facf6bc48e58dbc821c7e5b2de84 /source4/auth/kerberos
parentd15845eb813a2667dfc857d68dc3bf6b262ff496 (diff)
downloadsamba-7cabdeb7ec84c7c0b3e9b907e19f4e240b7fc4ca.tar.gz
samba-7cabdeb7ec84c7c0b3e9b907e19f4e240b7fc4ca.tar.bz2
samba-7cabdeb7ec84c7c0b3e9b907e19f4e240b7fc4ca.zip
r6113: Move GENSEC and the kerberos code out of libcli/auth, and into
auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4 Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)
Diffstat (limited to 'source4/auth/kerberos')
-rw-r--r--source4/auth/kerberos/clikrb5.c478
-rw-r--r--source4/auth/kerberos/gssapi_parse.c95
-rw-r--r--source4/auth/kerberos/kerberos.c788
-rw-r--r--source4/auth/kerberos/kerberos.h99
-rw-r--r--source4/auth/kerberos/kerberos.m4491
-rw-r--r--source4/auth/kerberos/kerberos.mk10
-rw-r--r--source4/auth/kerberos/kerberos_verify.c486
7 files changed, 2447 insertions, 0 deletions
diff --git a/source4/auth/kerberos/clikrb5.c b/source4/auth/kerberos/clikrb5.c
new file mode 100644
index 0000000000..ec8f60fbb3
--- /dev/null
+++ b/source4/auth/kerberos/clikrb5.c
@@ -0,0 +1,478 @@
+/*
+ Unix SMB/CIFS implementation.
+ simple kerberos5 routines for active directory
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Luke Howard 2002-2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "system/network.h"
+#include "system/kerberos.h"
+#include "system/time.h"
+#include "auth/kerberos/kerberos.h"
+
+#ifdef HAVE_KRB5
+
+#ifndef HAVE_KRB5_SET_REAL_TIME
+/*
+ * This function is not in the Heimdal mainline.
+ */
+ krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds)
+{
+ krb5_error_code ret;
+ int32_t sec, usec;
+
+ ret = krb5_us_timeofday(context, &sec, &usec);
+ if (ret)
+ return ret;
+
+ context->kdc_sec_offset = seconds - sec;
+ context->kdc_usec_offset = microseconds - usec;
+
+ return 0;
+}
+#endif
+
+#if defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) && !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
+ krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
+{
+ return krb5_set_default_in_tkt_etypes(ctx, enc);
+}
+#endif
+
+#if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
+/* HEIMDAL */
+ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
+{
+ pkaddr->addr_type = KRB5_ADDRESS_INET;
+ pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
+ pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr);
+}
+#elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
+/* MIT */
+ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
+{
+ pkaddr->addrtype = ADDRTYPE_INET;
+ pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
+ pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr);
+}
+#else
+#error UNKNOWN_ADDRTYPE
+#endif
+
+#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
+ int create_kerberos_key_from_string_direct(krb5_context context,
+ krb5_principal host_princ,
+ krb5_data *password,
+ krb5_keyblock *key,
+ krb5_enctype enctype)
+{
+ int ret;
+ krb5_data salt;
+ krb5_encrypt_block eblock;
+
+ ret = krb5_principal2salt(context, host_princ, &salt);
+ if (ret) {
+ DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
+ return ret;
+ }
+ krb5_use_enctype(context, &eblock, enctype);
+ ret = krb5_string_to_key(context, &eblock, key, password, &salt);
+ SAFE_FREE(salt.data);
+ return ret;
+}
+#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
+ int create_kerberos_key_from_string_direct(krb5_context context,
+ krb5_principal host_princ,
+ krb5_data *password,
+ krb5_keyblock *key,
+ krb5_enctype enctype)
+{
+ int ret;
+ krb5_salt salt;
+
+ ret = krb5_get_pw_salt(context, host_princ, &salt);
+ if (ret) {
+ DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
+ return ret;
+ }
+ return krb5_string_to_key_salt(context, enctype, password->data,
+ salt, key);
+}
+#else
+#error UNKNOWN_CREATE_KEY_FUNCTIONS
+#endif
+
+ int create_kerberos_key_from_string(krb5_context context,
+ krb5_principal host_princ,
+ krb5_data *password,
+ krb5_keyblock *key,
+ krb5_enctype enctype)
+{
+ krb5_principal salt_princ = NULL;
+ int ret;
+ /*
+ * Check if we've determined that the KDC is salting keys for this
+ * principal/enctype in a non-obvious way. If it is, try to match
+ * its behavior.
+ */
+ salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
+ ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
+ if (salt_princ) {
+ krb5_free_principal(context, salt_princ);
+ }
+ return ret;
+}
+
+#if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
+ krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
+ krb5_enctype **enctypes)
+{
+ return krb5_get_permitted_enctypes(context, enctypes);
+}
+#elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
+ krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
+ krb5_enctype **enctypes)
+{
+ return krb5_get_default_in_tkt_etypes(context, enctypes);
+}
+#else
+#error UNKNOWN_GET_ENCTYPES_FUNCTIONS
+#endif
+
+ void free_kerberos_etypes(krb5_context context,
+ krb5_enctype *enctypes)
+{
+#if defined(HAVE_KRB5_FREE_KTYPES)
+ krb5_free_ktypes(context, enctypes);
+ return;
+#else
+ SAFE_FREE(enctypes);
+ return;
+#endif
+}
+
+#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
+ krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock)
+{
+ return krb5_auth_con_setkey(context, auth_context, keyblock);
+}
+#endif
+
+ DATA_BLOB get_auth_data_from_tkt(TALLOC_CTX *mem_ctx,
+ krb5_ticket *tkt)
+{
+ DATA_BLOB auth_data = data_blob(NULL, 0);
+#if defined(HAVE_KRB5_TKT_ENC_PART2)
+ if (tkt && tkt->enc_part2
+ && tkt->enc_part2->authorization_data
+ && tkt->enc_part2->authorization_data[0]
+ && tkt->enc_part2->authorization_data[0]->length)
+ auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents,
+ tkt->enc_part2->authorization_data[0]->length);
+#else
+ if (tkt && tkt->ticket.authorization_data && tkt->ticket.authorization_data->len)
+ auth_data = data_blob(tkt->ticket.authorization_data->val->ad_data.data,
+ tkt->ticket.authorization_data->val->ad_data.length);
+#endif
+ return auth_data;
+}
+
+ krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt)
+{
+#if defined(HAVE_KRB5_TKT_ENC_PART2)
+ return tkt->enc_part2->client;
+#else
+ return tkt->client;
+#endif
+}
+
+#if !defined(HAVE_KRB5_LOCATE_KDC)
+ krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters)
+{
+ krb5_krbhst_handle hnd;
+ krb5_krbhst_info *hinfo;
+ krb5_error_code rc;
+ int num_kdcs, i;
+ struct sockaddr *sa;
+ struct addrinfo *ai;
+
+ *addr_pp = NULL;
+ *naddrs = 0;
+
+ rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd);
+ if (rc) {
+ DEBUG(0, ("krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc)));
+ return rc;
+ }
+
+ for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++)
+ ;
+
+ krb5_krbhst_reset(ctx, hnd);
+
+ if (!num_kdcs) {
+ DEBUG(0, ("krb5_locate_kdc: zero kdcs found !\n"));
+ krb5_krbhst_free(ctx, hnd);
+ return -1;
+ }
+
+ sa = malloc_array_p(struct sockaddr, num_kdcs);
+ if (!sa) {
+ DEBUG(0, ("krb5_locate_kdc: malloc failed\n"));
+ krb5_krbhst_free(ctx, hnd);
+ naddrs = 0;
+ return -1;
+ }
+
+ memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );
+
+ for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
+
+#if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
+ rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai);
+ if (rc) {
+ DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc)));
+ continue;
+ }
+#endif
+ if (hinfo->ai && hinfo->ai->ai_family == AF_INET)
+ memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr));
+ }
+
+ krb5_krbhst_free(ctx, hnd);
+
+ *naddrs = num_kdcs;
+ *addr_pp = sa;
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
+ void krb5_free_unparsed_name(krb5_context context, char *val)
+{
+ SAFE_FREE(val);
+}
+#endif
+
+ void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
+{
+#if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
+ if (pdata->data) {
+ krb5_free_data_contents(context, pdata);
+ }
+#else
+ SAFE_FREE(pdata->data);
+#endif
+}
+
+ void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
+{
+#if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
+ KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype;
+#elif defined(HAVE_KRB5_SESSION_IN_CREDS)
+ KRB5_KEY_TYPE((&pcreds->session)) = enctype;
+#else
+#error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT
+#endif
+}
+
+ BOOL kerberos_compatible_enctypes(krb5_context context,
+ krb5_enctype enctype1,
+ krb5_enctype enctype2)
+{
+#if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
+ krb5_boolean similar = 0;
+
+ krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
+ return similar ? True : False;
+#elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
+ return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False;
+#endif
+}
+
+static BOOL ads_cleanup_expired_creds(krb5_context context,
+ krb5_ccache ccache,
+ krb5_creds *credsp)
+{
+ krb5_error_code retval;
+ TALLOC_CTX *mem_ctx = talloc_init("ticket expied time");
+ if (!mem_ctx) {
+ return False;
+ }
+
+ DEBUG(3, ("Ticket in ccache[%s] expiration %s\n",
+ krb5_cc_default_name(context),
+ http_timestring(mem_ctx, credsp->times.endtime)));
+
+ talloc_free(mem_ctx);
+
+ /* we will probably need new tickets if the current ones
+ will expire within 10 seconds.
+ */
+ if (credsp->times.endtime >= (time(NULL) + 10))
+ return False;
+
+ /* heimdal won't remove creds from a file ccache, and
+ perhaps we shouldn't anyway, since internally we
+ use memory ccaches, and a FILE one probably means that
+ we're using creds obtained outside of our exectuable
+ */
+ if (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE") == 0) {
+ DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a FILE ccache\n"));
+ return False;
+ }
+
+ retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
+ if (retval) {
+ DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
+ error_message(retval)));
+ /* If we have an error in this, we want to display it,
+ but continue as though we deleted it */
+ }
+ return True;
+}
+
+/*
+ we can't use krb5_mk_req because w2k wants the service to be in a particular format
+*/
+krb5_error_code ads_krb5_mk_req(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_flags ap_req_options,
+ const char *principal,
+ krb5_ccache ccache,
+ krb5_data *outbuf)
+{
+ krb5_error_code retval;
+ krb5_principal server;
+ krb5_creds * credsp;
+ krb5_creds creds;
+ krb5_data in_data;
+ BOOL creds_ready = False;
+
+ TALLOC_CTX *mem_ctx = NULL;
+
+ retval = krb5_parse_name(context, principal, &server);
+ if (retval) {
+ DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
+ return retval;
+ }
+
+ /* obtain ticket & session key */
+ ZERO_STRUCT(creds);
+ if ((retval = krb5_copy_principal(context, server, &creds.server))) {
+ DEBUG(1,("krb5_copy_principal failed (%s)\n",
+ error_message(retval)));
+ goto cleanup_princ;
+ }
+
+ if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
+ /* This can commonly fail on smbd startup with no ticket in the cache.
+ * Report at higher level than 1. */
+ DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
+ error_message(retval)));
+ goto cleanup_creds;
+ }
+
+ while(!creds_ready) {
+ if ((retval = krb5_get_credentials(context, 0, ccache,
+ &creds, &credsp))) {
+ DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n",
+ principal, error_message(retval)));
+ goto cleanup_creds;
+ }
+
+ /* cope with ticket being in the future due to clock skew */
+ if ((unsigned)credsp->times.starttime > time(NULL)) {
+ time_t t = time(NULL);
+ int time_offset =(unsigned)credsp->times.starttime-t;
+ DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset));
+ krb5_set_real_time(context, t + time_offset + 1, 0);
+ }
+
+ if (!ads_cleanup_expired_creds(context, ccache, credsp))
+ creds_ready = True;
+ }
+
+ mem_ctx = talloc_init("ticket expied time");
+ if (!mem_ctx) {
+ retval = ENOMEM;
+ goto cleanup_creds;
+ }
+ DEBUG(10,("Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n",
+ principal, krb5_cc_default_name(context),
+ http_timestring(mem_ctx, (unsigned)credsp->times.endtime),
+ (unsigned)credsp->times.endtime));
+
+ in_data.length = 0;
+ retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
+ &in_data, credsp, outbuf);
+ if (retval) {
+ DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n",
+ error_message(retval)));
+ }
+
+ krb5_free_creds(context, credsp);
+
+cleanup_creds:
+ krb5_free_cred_contents(context, &creds);
+
+cleanup_princ:
+ krb5_free_principal(context, server);
+
+ return retval;
+}
+
+#if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
+ const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i )
+{
+ static krb5_data kdata;
+
+ kdata.data = discard_const(krb5_principal_get_comp_string(context, principal, i));
+ kdata.length = strlen(kdata.data);
+ return &kdata;
+}
+#endif
+
+ krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
+{
+#if defined(HAVE_KRB5_KT_FREE_ENTRY)
+ return krb5_kt_free_entry(context, kt_entry);
+#elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
+ return krb5_free_keytab_entry_contents(context, kt_entry);
+#else
+#error UNKNOWN_KT_FREE_FUNCTION
+#endif
+}
+
+ char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx)
+{
+ char *ret;
+
+#if defined(HAVE_KRB5_GET_ERROR_STRING) && defined(HAVE_KRB5_FREE_ERROR_STRING)
+ char *context_error = krb5_get_error_string(context);
+ ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
+ krb5_free_error_string(context, context_error);
+#else
+ ret = talloc_strdup(mem_ctx, error_message(code));
+#endif
+ return ret;
+}
+
+#endif
diff --git a/source4/auth/kerberos/gssapi_parse.c b/source4/auth/kerberos/gssapi_parse.c
new file mode 100644
index 0000000000..2c2c4e17e5
--- /dev/null
+++ b/source4/auth/kerberos/gssapi_parse.c
@@ -0,0 +1,95 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ simple GSSAPI wrappers
+
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
+ Copyright (C) Luke Howard 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "asn_1.h"
+#include "system/kerberos.h"
+#include "auth/gensec/gensec.h"
+
+/*
+ generate a krb5 GSS-API wrapper packet given a ticket
+*/
+DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8_t tok_id[2])
+{
+ struct asn1_data data;
+ DATA_BLOB ret = data_blob(NULL,0);
+
+ if (!ticket->data) {
+ return ret;
+ }
+
+ ZERO_STRUCT(data);
+
+ asn1_push_tag(&data, ASN1_APPLICATION(0));
+ asn1_write_OID(&data, GENSEC_OID_KERBEROS5);
+
+ asn1_write(&data, tok_id, 2);
+ asn1_write(&data, ticket->data, ticket->length);
+ asn1_pop_tag(&data);
+
+ if (data.has_error) {
+ DEBUG(1,("Failed to build krb5 wrapper at offset %d\n", (int)data.ofs));
+ asn1_free(&data);
+ }
+
+ ret = data_blob_talloc(mem_ctx, data.data, data.length);
+ asn1_free(&data);
+
+ return ret;
+}
+
+/*
+ parse a krb5 GSS-API wrapper packet giving a ticket
+*/
+BOOL gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8_t tok_id[2])
+{
+ BOOL ret;
+ struct asn1_data data;
+ int data_remaining;
+
+ asn1_load(&data, *blob);
+ asn1_start_tag(&data, ASN1_APPLICATION(0));
+ asn1_check_OID(&data, GENSEC_OID_KERBEROS5);
+
+ data_remaining = asn1_tag_remaining(&data);
+
+ if (data_remaining < 3) {
+ data.has_error = True;
+ } else {
+ asn1_read(&data, tok_id, 2);
+ data_remaining -= 2;
+ *ticket = data_blob_talloc(mem_ctx, NULL, data_remaining);
+ asn1_read(&data, ticket->data, ticket->length);
+ }
+
+ asn1_end_tag(&data);
+
+ ret = !data.has_error;
+
+ asn1_free(&data);
+
+ return ret;
+}
+
+
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
new file mode 100644
index 0000000000..98b530e7cf
--- /dev/null
+++ b/source4/auth/kerberos/kerberos.c
@@ -0,0 +1,788 @@
+/*
+ Unix SMB/CIFS implementation.
+ kerberos utility library
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001
+ Copyright (C) Nalin Dahyabhai 2004.
+ Copyright (C) Jeremy Allison 2004.
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "system/kerberos.h"
+#include "system/time.h"
+#include "auth/kerberos/kerberos.h"
+#include "secrets.h"
+#include "pstring.h"
+#include "ads.h"
+
+#ifdef HAVE_KRB5
+
+#define LIBADS_CCACHE_NAME "MEMORY:libads"
+
+/*
+ we use a prompter to avoid a crash bug in the kerberos libs when
+ dealing with empty passwords
+ this prompter is just a string copy ...
+*/
+static krb5_error_code
+kerb_prompter(krb5_context ctx, void *data,
+ const char *name,
+ const char *banner,
+ int num_prompts,
+ krb5_prompt prompts[])
+{
+ if (num_prompts == 0) return 0;
+
+ memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
+ if (prompts[0].reply->length > 0) {
+ if (data) {
+ strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1);
+ prompts[0].reply->length = strlen(prompts[0].reply->data);
+ } else {
+ prompts[0].reply->length = 0;
+ }
+ }
+ return 0;
+}
+
+/*
+ simulate a kinit, putting the tgt in the given credentials cache.
+ Orignally by remus@snapserver.com
+*/
+ int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
+ const char *principal, const char *password,
+ time_t *expire_time, time_t *kdc_time)
+{
+ krb5_error_code code = 0;
+ krb5_principal me;
+ krb5_creds my_creds;
+ krb5_get_init_creds_opt options;
+
+ if ((code = krb5_parse_name(ctx, principal, &me))) {
+ return code;
+ }
+
+ krb5_get_init_creds_opt_init(&options);
+
+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, password,
+ kerb_prompter,
+ NULL, 0, NULL, &options))) {
+ krb5_free_principal(ctx, me);
+ return code;
+ }
+
+ if ((code = krb5_cc_initialize(ctx, cc, me))) {
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+ return code;
+ }
+
+ if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+ return code;
+ }
+
+ if (expire_time) {
+ *expire_time = (time_t) my_creds.times.endtime;
+ }
+
+ if (kdc_time) {
+ *kdc_time = (time_t) my_creds.times.starttime;
+ }
+
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+
+ return 0;
+}
+
+/*
+ simulate a kinit, putting the tgt in the given credentials cache.
+ If cache_name == NULL place in default cache location.
+
+ Orignally by remus@snapserver.com
+*/
+int kerberos_kinit_password(const char *principal,
+ const char *password,
+ int time_offset,
+ time_t *expire_time,
+ const char *cache_name,
+ time_t *kdc_time)
+{
+ int code;
+ krb5_context ctx = NULL;
+ krb5_ccache cc = NULL;
+
+ if ((code = krb5_init_context(&ctx)))
+ return code;
+
+ if (time_offset != 0) {
+ krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
+ }
+
+ if ((code = krb5_cc_resolve(ctx, cache_name ?
+ cache_name : krb5_cc_default_name(ctx), &cc))) {
+ krb5_free_context(ctx);
+ return code;
+ }
+
+ code = kerberos_kinit_password_cc(ctx, cc, principal, password, expire_time, kdc_time);
+
+ krb5_cc_close(ctx, cc);
+ krb5_free_context(ctx);
+
+ return code;
+}
+
+/* run kinit to setup our ccache */
+int ads_kinit_password(struct ads_struct *ads)
+{
+ char *s;
+ int ret;
+
+ if (asprintf(&s, "%s@%s", ads->auth.user_name, ads->auth.realm) == -1) {
+ return KRB5_CC_NOMEM;
+ }
+
+ if (!ads->auth.password) {
+ return KRB5_LIBOS_CANTREADPWD;
+ }
+
+ ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset,
+ &ads->auth.expire, NULL, NULL);
+
+ if (ret) {
+ DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
+ s, error_message(ret)));
+ }
+ free(s);
+ return ret;
+}
+
+int ads_kdestroy(const char *cc_name)
+{
+ krb5_error_code code;
+ krb5_context ctx = NULL;
+ krb5_ccache cc = NULL;
+
+ if ((code = krb5_init_context (&ctx))) {
+ DEBUG(3, ("ads_kdestroy: kdb5_init_context failed: %s\n",
+ error_message(code)));
+ return code;
+ }
+
+ if (!cc_name) {
+ if ((code = krb5_cc_default(ctx, &cc))) {
+ krb5_free_context(ctx);
+ return code;
+ }
+ } else {
+ if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
+ DEBUG(3, ("ads_kdestroy: krb5_cc_resolve failed: %s\n",
+ error_message(code)));
+ krb5_free_context(ctx);
+ return code;
+ }
+ }
+
+ if ((code = krb5_cc_destroy (ctx, cc))) {
+ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
+ error_message(code)));
+ }
+
+ krb5_free_context (ctx);
+ return code;
+}
+
+/************************************************************************
+ Routine to fetch the salting principal for a service. Active
+ Directory may use a non-obvious principal name to generate the salt
+ when it determines the key to use for encrypting tickets for a service,
+ and hopefully we detected that when we joined the domain.
+ ************************************************************************/
+
+static char *kerberos_secrets_fetch_salting_principal(const char *service, int enctype)
+{
+ char *ret = NULL;
+
+#if 0
+ asprintf(&key, "%s/%s/enctype=%d", SECRETS_SALTING_PRINCIPAL, service, enctype);
+ if (!key) {
+ return NULL;
+ }
+ ret = (char *)secrets_fetch(key, NULL);
+ SAFE_FREE(key);
+#endif
+ return ret;
+}
+
+/************************************************************************
+ Routine to get the salting principal for this service. Active
+ Directory may use a non-obvious principal name to generate the salt
+ when it determines the key to use for encrypting tickets for a service,
+ and hopefully we detected that when we joined the domain.
+ Caller must free if return is not null.
+ ************************************************************************/
+
+krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
+ krb5_principal host_princ,
+ int enctype)
+{
+ char *unparsed_name = NULL, *salt_princ_s = NULL;
+ krb5_principal ret_princ = NULL;
+
+ if (krb5_unparse_name(context, host_princ, &unparsed_name) != 0) {
+ return (krb5_principal)NULL;
+ }
+
+ if ((salt_princ_s = kerberos_secrets_fetch_salting_principal(unparsed_name, enctype)) == NULL) {
+ krb5_free_unparsed_name(context, unparsed_name);
+ return (krb5_principal)NULL;
+ }
+
+ if (krb5_parse_name(context, salt_princ_s, &ret_princ) != 0) {
+ krb5_free_unparsed_name(context, unparsed_name);
+ SAFE_FREE(salt_princ_s);
+ return (krb5_principal)NULL;
+ }
+ krb5_free_unparsed_name(context, unparsed_name);
+ SAFE_FREE(salt_princ_s);
+ return ret_princ;
+}
+
+/************************************************************************
+ Routine to set the salting principal for this service. Active
+ Directory may use a non-obvious principal name to generate the salt
+ when it determines the key to use for encrypting tickets for a service,
+ and hopefully we detected that when we joined the domain.
+ Setting principal to NULL deletes this entry.
+ ************************************************************************/
+
+ BOOL kerberos_secrets_store_salting_principal(const char *service,
+ int enctype,
+ const char *principal)
+{
+ char *key = NULL;
+ BOOL ret = False;
+ krb5_context context = NULL;
+ krb5_principal princ = NULL;
+ char *princ_s = NULL;
+ char *unparsed_name = NULL;
+
+ krb5_init_context(&context);
+ if (!context) {
+ return False;
+ }
+ if (strchr_m(service, '@')) {
+ asprintf(&princ_s, "%s", service);
+ } else {
+ asprintf(&princ_s, "%s@%s", service, lp_realm());
+ }
+
+ if (krb5_parse_name(context, princ_s, &princ) != 0) {
+ goto out;
+
+ }
+ if (krb5_unparse_name(context, princ, &unparsed_name) != 0) {
+ goto out;
+ }
+
+ asprintf(&key, "%s/%s/enctype=%d", SECRETS_SALTING_PRINCIPAL, unparsed_name, enctype);
+ if (!key) {
+ goto out;
+ }
+
+#if 0
+ if ((principal != NULL) && (strlen(principal) > 0)) {
+ ret = secrets_store(key, principal, strlen(principal) + 1);
+ } else {
+ ret = secrets_delete(key);
+ }
+#endif
+
+ out:
+
+ SAFE_FREE(key);
+ SAFE_FREE(princ_s);
+
+ if (unparsed_name) {
+ krb5_free_unparsed_name(context, unparsed_name);
+ }
+ if (context) {
+ krb5_free_context(context);
+ }
+
+ return ret;
+}
+
+/************************************************************************
+ Routine to get initial credentials as a service ticket for the local machine.
+ Returns a buffer initialized with krb5_mk_req_extended.
+ ************************************************************************/
+
+static krb5_error_code get_service_ticket(krb5_context ctx,
+ krb5_ccache ccache,
+ const char *service_principal,
+ int enctype,
+ krb5_data *p_outbuf)
+{
+ krb5_creds creds, *new_creds = NULL;
+ char *service_s = NULL;
+ char *machine_account = NULL, *password = NULL;
+ krb5_data in_data;
+ krb5_auth_context auth_context = NULL;
+ krb5_error_code err = 0;
+
+ ZERO_STRUCT(creds);
+
+ asprintf(&machine_account, "%s$@%s", lp_netbios_name(), lp_realm());
+ if (machine_account == NULL) {
+ goto out;
+ }
+ password = secrets_fetch_machine_password(lp_workgroup());
+ if (password == NULL) {
+ goto out;
+ }
+ if ((err = kerberos_kinit_password(machine_account, password, 0, NULL, LIBADS_CCACHE_NAME, NULL)) != 0) {
+ DEBUG(0,("get_service_ticket: kerberos_kinit_password %s@%s failed: %s\n",
+ machine_account,
+ lp_realm(),
+ error_message(err)));
+ goto out;
+ }
+
+ /* Ok - the above call has gotten a TGT. Now we need to get a service
+ ticket to ourselves. */
+
+ /* Set up the enctype and client and server principal fields for krb5_get_credentials. */
+ kerberos_set_creds_enctype(&creds, enctype);
+
+ if ((err = krb5_cc_get_principal(ctx, ccache, &creds.client))) {
+ DEBUG(3, ("get_service_ticket: krb5_cc_get_principal failed: %s\n",
+ error_message(err)));
+ goto out;
+ }
+
+ if (strchr_m(service_principal, '@')) {
+ asprintf(&service_s, "%s", service_principal);
+ } else {
+ asprintf(&service_s, "%s@%s", service_principal, lp_realm());
+ }
+
+ if ((err = krb5_parse_name(ctx, service_s, &creds.server))) {
+ DEBUG(0,("get_service_ticket: krb5_parse_name %s failed: %s\n",
+ service_s, error_message(err)));
+ goto out;
+ }
+
+ if ((err = krb5_get_credentials(ctx, 0, ccache, &creds, &new_creds))) {
+ DEBUG(5,("get_service_ticket: krb5_get_credentials for %s enctype %d failed: %s\n",
+ service_s, enctype, error_message(err)));
+ goto out;
+ }
+
+ memset(&in_data, '\0', sizeof(in_data));
+ if ((err = krb5_mk_req_extended(ctx, &auth_context, 0, &in_data,
+ new_creds, p_outbuf)) != 0) {
+ DEBUG(0,("get_service_ticket: krb5_mk_req_extended failed: %s\n",
+ error_message(err)));
+ goto out;
+ }
+
+ out:
+
+ if (auth_context) {
+ krb5_auth_con_free(ctx, auth_context);
+ }
+ if (new_creds) {
+ krb5_free_creds(ctx, new_creds);
+ }
+ if (creds.server) {
+ krb5_free_principal(ctx, creds.server);
+ }
+ if (creds.client) {
+ krb5_free_principal(ctx, creds.client);
+ }
+
+ SAFE_FREE(service_s);
+ SAFE_FREE(password);
+ SAFE_FREE(machine_account);
+ return err;
+}
+
+/************************************************************************
+ Check if the machine password can be used in conjunction with the salting_principal
+ to generate a key which will successfully decrypt the AP_REQ already
+ gotten as a message to the local machine.
+ ************************************************************************/
+
+static BOOL verify_service_password(krb5_context ctx,
+ int enctype,
+ const char *salting_principal,
+ krb5_data *in_data)
+{
+ BOOL ret = False;
+ krb5_principal salting_kprinc = NULL;
+ krb5_ticket *ticket = NULL;
+ krb5_keyblock key;
+ krb5_data passdata;
+ char *salting_s = NULL;
+ char *password = NULL;
+ krb5_auth_context auth_context = NULL;
+ krb5_error_code err;
+
+ memset(&passdata, '\0', sizeof(passdata));
+ memset(&key, '\0', sizeof(key));
+
+ password = secrets_fetch_machine_password(lp_workgroup());
+ if (password == NULL) {
+ goto out;
+ }
+
+ if (strchr_m(salting_principal, '@')) {
+ asprintf(&salting_s, "%s", salting_principal);
+ } else {
+ asprintf(&salting_s, "%s@%s", salting_principal, lp_realm());
+ }
+
+ if ((err = krb5_parse_name(ctx, salting_s, &salting_kprinc))) {
+ DEBUG(0,("verify_service_password: krb5_parse_name %s failed: %s\n",
+ salting_s, error_message(err)));
+ goto out;
+ }
+
+ passdata.length = strlen(password);
+ passdata.data = (char*)password;
+ if ((err = create_kerberos_key_from_string_direct(ctx, salting_kprinc, &passdata, &key, enctype))) {
+ DEBUG(0,("verify_service_password: create_kerberos_key_from_string %d failed: %s\n",
+ enctype, error_message(err)));
+ goto out;
+ }
+
+ if ((err = krb5_auth_con_init(ctx, &auth_context)) != 0) {
+ DEBUG(0,("verify_service_password: krb5_auth_con_init failed %s\n", error_message(err)));
+ goto out;
+ }
+
+ if ((err = krb5_auth_con_setuseruserkey(ctx, auth_context, &key)) != 0) {
+ DEBUG(0,("verify_service_password: krb5_auth_con_setuseruserkey failed %s\n", error_message(err)));
+ goto out;
+ }
+
+ if (!(err = krb5_rd_req(ctx, &auth_context, in_data, NULL, NULL, NULL, &ticket))) {
+ DEBUG(10,("verify_service_password: decrypted message with enctype %u salt %s!\n",
+ (unsigned int)enctype, salting_s));
+ ret = True;
+ }
+
+ out:
+
+ memset(&passdata, 0, sizeof(passdata));
+ krb5_free_keyblock_contents(ctx, &key);
+ if (ticket != NULL) {
+ krb5_free_ticket(ctx, ticket);
+ }
+ if (salting_kprinc) {
+ krb5_free_principal(ctx, salting_kprinc);
+ }
+ SAFE_FREE(salting_s);
+ SAFE_FREE(password);
+ return ret;
+}
+
+/************************************************************************
+ *
+ * From the current draft of kerberos-clarifications:
+ *
+ * It is not possible to reliably generate a user's key given a pass
+ * phrase without contacting the KDC, since it will not be known
+ * whether alternate salt or parameter values are required.
+ *
+ * And because our server has a password, we have this exact problem. We
+ * make multiple guesses as to which principal name provides the salt which
+ * the KDC is using.
+ *
+ ************************************************************************/
+
+static void kerberos_derive_salting_principal_for_enctype(const char *service_principal,
+ krb5_context ctx,
+ krb5_ccache ccache,
+ krb5_enctype enctype,
+ krb5_enctype *enctypes)
+{
+ char *salting_principals[3] = {NULL, NULL, NULL}, *second_principal = NULL;
+ krb5_error_code err = 0;
+ krb5_data outbuf;
+ int i, j;
+
+ memset(&outbuf, '\0', sizeof(outbuf));
+
+ /* Check that the service_principal is useful. */
+ if ((service_principal == NULL) || (strlen(service_principal) == 0)) {
+ return;
+ }
+
+ /* Generate our first guess -- the principal as-given. */
+ asprintf(&salting_principals[0], "%s", service_principal);
+ if ((salting_principals[0] == NULL) || (strlen(salting_principals[0]) == 0)) {
+ return;
+ }
+
+ /* Generate our second guess -- the computer's principal, as Win2k3. */
+ asprintf(&second_principal, "host/%s.%s", lp_netbios_name(), lp_realm());
+ if (second_principal != NULL) {
+ strlower_m(second_principal);
+ asprintf(&salting_principals[1], "%s@%s", second_principal, lp_realm());
+ SAFE_FREE(second_principal);
+ }
+ if ((salting_principals[1] == NULL) || (strlen(salting_principals[1]) == 0)) {
+ goto out;
+ }
+
+ /* Generate our third guess -- the computer's principal, as Win2k. */
+ asprintf(&second_principal, "HOST/%s", lp_netbios_name());
+ if (second_principal != NULL) {
+ strlower_m(second_principal + 5);
+ asprintf(&salting_principals[2], "%s@%s",
+ second_principal, lp_realm());
+ SAFE_FREE(second_principal);
+ }
+ if ((salting_principals[2] == NULL) || (strlen(salting_principals[2]) == 0)) {
+ goto out;
+ }
+
+ /* Get a service ticket for ourselves into our memory ccache. */
+ /* This will commonly fail if there is no principal by that name (and we're trying
+ many names). So don't print a debug 0 error. */
+
+ if ((err = get_service_ticket(ctx, ccache, service_principal, enctype, &outbuf)) != 0) {
+ DEBUG(3, ("verify_service_password: get_service_ticket failed: %s\n",
+ error_message(err)));
+ goto out;
+ }
+
+ /* At this point we have a message to ourselves, salted only the KDC knows how. We
+ have to work out what that salting is. */
+
+ /* Try and find the correct salting principal. */
+ for (i = 0; i < sizeof(salting_principals) / sizeof(salting_principals[i]); i++) {
+ if (verify_service_password(ctx, enctype, salting_principals[i], &outbuf)) {
+ break;
+ }
+ }
+
+ /* If we failed to get a match, return. */
+ if (i >= sizeof(salting_principals) / sizeof(salting_principals[i])) {
+ goto out;
+ }
+
+ /* If we succeeded, store the principal for use for all enctypes which
+ * share the same cipher and string-to-key function. Doing this here
+ * allows servers which just pass a keytab to krb5_rd_req() to work
+ * correctly. */
+ for (j = 0; enctypes[j] != 0; j++) {
+ if (enctype != enctypes[j]) {
+ /* If this enctype isn't compatible with the one which
+ * we used, skip it. */
+
+ if (!kerberos_compatible_enctypes(ctx, enctypes[j], enctype))
+ continue;
+ }
+ /* If the principal which gives us the proper salt is the one
+ * which we would normally guess, don't bother noting anything
+ * in the secrets tdb. */
+ if (strcmp(service_principal, salting_principals[i]) != 0) {
+ kerberos_secrets_store_salting_principal(service_principal,
+ enctypes[j],
+ salting_principals[i]);
+ }
+ }
+
+ out :
+
+ kerberos_free_data_contents(ctx, &outbuf);
+ SAFE_FREE(salting_principals[0]);
+ SAFE_FREE(salting_principals[1]);
+ SAFE_FREE(salting_principals[2]);
+ SAFE_FREE(second_principal);
+}
+
+/************************************************************************
+ Go through all the possible enctypes for this principal.
+ ************************************************************************/
+
+static void kerberos_derive_salting_principal_direct(krb5_context context,
+ krb5_ccache ccache,
+ krb5_enctype *enctypes,
+ char *service_principal)
+{
+ int i;
+
+ /* Try for each enctype separately, because the rules are
+ * different for different enctypes. */
+ for (i = 0; enctypes[i] != 0; i++) {
+ /* Delete secrets entry first. */
+ kerberos_secrets_store_salting_principal(service_principal, 0, NULL);
+#ifdef ENCTYPE_ARCFOUR_HMAC
+ if (enctypes[i] == ENCTYPE_ARCFOUR_HMAC) {
+ /* Of course this'll always work, so just save
+ * ourselves the effort. */
+ continue;
+ }
+#endif
+ /* Try to figure out what's going on with this
+ * principal. */
+ kerberos_derive_salting_principal_for_enctype(service_principal,
+ context,
+ ccache,
+ enctypes[i],
+ enctypes);
+ }
+}
+
+/************************************************************************
+ Wrapper function for the above.
+ ************************************************************************/
+
+BOOL kerberos_derive_salting_principal(char *service_principal)
+{
+ krb5_context context = NULL;
+ krb5_enctype *enctypes = NULL;
+ krb5_ccache ccache = NULL;
+ krb5_error_code ret = 0;
+
+ initialize_krb5_error_table();
+ if ((ret = krb5_init_context(&context)) != 0) {
+ DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. %s\n",
+ error_message(ret)));
+ return False;
+ }
+ if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) {
+ DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n",
+ error_message(ret)));
+ goto out;
+ }
+
+ if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
+ DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n",
+ LIBADS_CCACHE_NAME, error_message(ret)));
+ goto out;
+ }
+
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service_principal);
+
+ out:
+ if (enctypes) {
+ free_kerberos_etypes(context, enctypes);
+ }
+ if (ccache) {
+ krb5_cc_destroy(context, ccache);
+ }
+ if (context) {
+ krb5_free_context(context);
+ }
+
+ return ret ? False : True;
+}
+
+/************************************************************************
+ Core function to try and determine what salt is being used for any keytab
+ keys.
+ ************************************************************************/
+
+BOOL kerberos_derive_cifs_salting_principals(void)
+{
+ fstring my_fqdn;
+ char *service = NULL;
+ krb5_context context = NULL;
+ krb5_enctype *enctypes = NULL;
+ krb5_ccache ccache = NULL;
+ krb5_error_code ret = 0;
+ BOOL retval = False;
+
+ initialize_krb5_error_table();
+ if ((ret = krb5_init_context(&context)) != 0) {
+ DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. %s\n",
+ error_message(ret)));
+ return False;
+ }
+ if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) {
+ DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n",
+ error_message(ret)));
+ goto out;
+ }
+
+ if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
+ DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n",
+ LIBADS_CCACHE_NAME, error_message(ret)));
+ goto out;
+ }
+
+ if (asprintf(&service, "%s$", lp_netbios_name()) != -1) {
+ strlower_m(service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
+ SAFE_FREE(service);
+ }
+ if (asprintf(&service, "cifs/%s", lp_netbios_name()) != -1) {
+ strlower_m(service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
+ SAFE_FREE(service);
+ }
+ if (asprintf(&service, "host/%s", lp_netbios_name()) != -1) {
+ strlower_m(service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
+ SAFE_FREE(service);
+ }
+ if (asprintf(&service, "cifs/%s.%s", lp_netbios_name(), lp_realm()) != -1) {
+ strlower_m(service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
+ SAFE_FREE(service);
+ }
+ if (asprintf(&service, "host/%s.%s", lp_netbios_name(), lp_realm()) != -1) {
+ strlower_m(service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
+ SAFE_FREE(service);
+ }
+ name_to_fqdn(my_fqdn, lp_netbios_name());
+ if (asprintf(&service, "cifs/%s", my_fqdn) != -1) {
+ strlower_m(service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
+ SAFE_FREE(service);
+ }
+ if (asprintf(&service, "host/%s", my_fqdn) != -1) {
+ strlower_m(service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
+ SAFE_FREE(service);
+ }
+
+ retval = True;
+
+ out:
+ if (enctypes) {
+ free_kerberos_etypes(context, enctypes);
+ }
+ if (ccache) {
+ krb5_cc_destroy(context, ccache);
+ }
+ if (context) {
+ krb5_free_context(context);
+ }
+ return retval;
+}
+#endif
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
new file mode 100644
index 0000000000..4daf0ea07a
--- /dev/null
+++ b/source4/auth/kerberos/kerberos.h
@@ -0,0 +1,99 @@
+/*
+ Unix SMB/CIFS implementation.
+ simple kerberos5 routines for active directory
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Luke Howard 2002-2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#if defined(HAVE_KRB5)
+
+/* not really ASN.1, but RFC 1964 */
+#define TOK_ID_KRB_AP_REQ "\x01\x00"
+#define TOK_ID_KRB_AP_REP "\x02\x00"
+#define TOK_ID_KRB_ERROR "\x03\x00"
+#define TOK_ID_GSS_GETMIC "\x01\x01"
+#define TOK_ID_GSS_WRAP "\x02\x01"
+
+#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE
+#define KRB5_KEY_TYPE(k) ((k)->keytype)
+#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
+#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
+#else
+#define KRB5_KEY_TYPE(k) ((k)->enctype)
+#define KRB5_KEY_LENGTH(k) ((k)->length)
+#define KRB5_KEY_DATA(k) ((k)->contents)
+#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
+
+#ifndef HAVE_KRB5_SET_REAL_TIME
+krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
+#endif
+
+#ifndef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
+krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
+#endif
+
+#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
+krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock);
+#endif
+
+#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
+void krb5_free_unparsed_name(krb5_context ctx, char *val);
+#endif
+
+#if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
+const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i );
+#endif
+
+/* Samba wrapper function for krb5 functionality. */
+void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr);
+int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype);
+int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype);
+krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
+krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
+void free_kerberos_etypes(krb5_context context, krb5_enctype *enctypes);
+BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote);
+krb5_error_code ads_krb5_mk_req(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_flags ap_req_options,
+ const char *principal,
+ krb5_ccache ccache,
+ krb5_data *outbuf);
+DATA_BLOB get_auth_data_from_tkt(TALLOC_CTX *mem_ctx,
+ krb5_ticket *tkt);
+
+NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+ krb5_auth_context auth_context,
+ const char *realm, const char *service,
+ const DATA_BLOB *ticket,
+ char **principal, DATA_BLOB *auth_data,
+ DATA_BLOB *ap_rep,
+ krb5_keyblock *keyblock);
+int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
+ const char *principal, const char *password,
+ time_t *expire_time, time_t *kdc_time);
+krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
+ krb5_principal host_princ,
+ int enctype);
+void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
+BOOL kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
+void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
+krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
+char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
+#endif /* HAVE_KRB5 */
+
diff --git a/source4/auth/kerberos/kerberos.m4 b/source4/auth/kerberos/kerberos.m4
new file mode 100644
index 0000000000..f18386a91a
--- /dev/null
+++ b/source4/auth/kerberos/kerberos.m4
@@ -0,0 +1,491 @@
+#################################################
+# KRB5 support
+KRB5_CFLAGS=""
+KRB5_CPPFLAGS=""
+KRB5_LDFLAGS=""
+KRB5_LIBS=""
+with_krb5_support=auto
+krb5_withval=auto
+AC_MSG_CHECKING([for KRB5 support])
+
+# Do no harm to the values of CFLAGS and LIBS while testing for
+# Kerberos support.
+AC_ARG_WITH(krb5,
+[ --with-krb5=base-dir Locate Kerberos 5 support (default=auto)],
+ [ case "$withval" in
+ no)
+ with_krb5_support=no
+ AC_MSG_RESULT(no)
+ krb5_withval=no
+ ;;
+ yes)
+ with_krb5_support=yes
+ AC_MSG_RESULT(yes)
+ krb5_withval=yes
+ ;;
+ auto)
+ with_krb5_support=auto
+ AC_MSG_RESULT(auto)
+ krb5_withval=auto
+ ;;
+ *)
+ with_krb5_support=yes
+ AC_MSG_RESULT(yes)
+ krb5_withval=$withval
+ KRB5CONFIG="$krb5_withval/bin/krb5-config"
+ ;;
+ esac ],
+ AC_MSG_RESULT($with_krb5_support)
+)
+
+if test x$with_krb5_support != x"no"; then
+ FOUND_KRB5=no
+ FOUND_KRB5_VIA_CONFIG=no
+
+ #################################################
+ # check for krb5-config from recent MIT and Heimdal kerberos 5
+ AC_MSG_CHECKING(for working specified location for krb5-config)
+ if test x$KRB5CONFIG != "x"; then
+ if test -x "$KRB5CONFIG"; then
+ ac_save_CFLAGS=$CFLAGS
+ CFLAGS="";export CFLAGS
+ ac_save_LDFLAGS=$LDFLAGS
+ LDFLAGS="";export LDFLAGS
+ KRB5_LIBS="`$KRB5CONFIG --libs gssapi`"
+ KRB5_CFLAGS="`$KRB5CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ KRB5_CPPFLAGS="`$KRB5CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ CFLAGS=$ac_save_CFLAGS;export CFLAGS
+ LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS
+ FOUND_KRB5=yes
+ FOUND_KRB5_VIA_CONFIG=yes
+ AC_MSG_RESULT(yes. Found $KRB5CONFIG)
+ else
+ AC_MSG_RESULT(no. Fallback to specified directory)
+ fi
+ else
+ AC_MSG_RESULT(no. Fallback to finding krb5-config in path)
+ #################################################
+ # check for krb5-config from recent MIT and Heimdal kerberos 5
+ AC_PATH_PROG(KRB5CONFIG, krb5-config)
+ AC_MSG_CHECKING(for working krb5-config in path)
+ if test -x "$KRB5CONFIG"; then
+ ac_save_CFLAGS=$CFLAGS
+ CFLAGS="";export CFLAGS
+ ac_save_LDFLAGS=$LDFLAGS
+ LDFLAGS="";export LDFLAGS
+ KRB5_LIBS="`$KRB5CONFIG --libs gssapi`"
+ KRB5_CFLAGS="`$KRB5CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ KRB5_CPPFLAGS="`$KRB5CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ CFLAGS=$ac_save_CFLAGS;export CFLAGS
+ LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS
+ FOUND_KRB5=yes
+ FOUND_KRB5_VIA_CONFIG=yes
+ AC_MSG_RESULT(yes. Found $KRB5CONFIG)
+ else
+ AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy)
+ fi
+ fi
+
+ if test x$FOUND_KRB5 != x"yes"; then
+ #################################################
+ # check for location of Kerberos 5 install
+ AC_MSG_CHECKING(for kerberos 5 install path)
+ case "$krb5_withval" in
+ no)
+ AC_MSG_RESULT(no krb5-path given)
+ ;;
+ yes)
+ AC_MSG_RESULT(/usr)
+ FOUND_KRB5=yes
+ ;;
+ *)
+ AC_MSG_RESULT($krb5_withval)
+ KRB5_CFLAGS="-I$krb5_withval/include"
+ KRB5_CPPFLAGS="-I$krb5_withval/include"
+ KRB5_LDFLAGS="-L$krb5_withval/lib"
+ FOUND_KRB5=yes
+ ;;
+ esac
+ fi
+
+ if test x$FOUND_KRB5 != x"yes"; then
+ #################################################
+ # see if this box has the SuSE location for the heimdal krb implementation
+ AC_MSG_CHECKING(for /usr/include/heimdal)
+ if test -d /usr/include/heimdal; then
+ if test -f /usr/lib/heimdal/lib/libkrb5.a; then
+ KRB5_CFLAGS="-I/usr/include/heimdal"
+ KRB5_CPPFLAGS="-I/usr/include/heimdal"
+ KRB5_LDFLAGS="-L/usr/lib/heimdal/lib"
+ AC_MSG_RESULT(yes)
+ else
+ KRB5_CFLAGS="-I/usr/include/heimdal"
+ KRB5_CPPFLAGS="-I/usr/include/heimdal"
+ AC_MSG_RESULT(yes)
+ fi
+ else
+ AC_MSG_RESULT(no)
+ fi
+ fi
+
+ if test x$FOUND_KRB5 != x"yes"; then
+ #################################################
+ # see if this box has the RedHat location for kerberos
+ AC_MSG_CHECKING(for /usr/kerberos)
+ if test -d /usr/kerberos -a -f /usr/kerberos/lib/libkrb5.a; then
+ KRB5_LDFLAGS="-L/usr/kerberos/lib"
+ KRB5_CFLAGS="-I/usr/kerberos/include"
+ KRB5_CPPFLAGS="-I/usr/kerberos/include"
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no)
+ fi
+ fi
+
+ ac_save_CFLAGS=$CFLAGS
+ ac_save_CPPFLAGS=$CPPFLAGS
+ ac_save_LDFLAGS=$LDFLAGS
+
+ #MIT needs this, to let us see 'internal' parts of the headers we use
+ KRB5_CFLAGS="${KRB5_CFLAGS} -DKRB5_PRIVATE -DKRB5_DEPRECATED"
+
+ #Heimdal needs this
+ #TODO: we need to parse KRB5_LIBS for -L path
+ # and set -Wl,-rpath -Wl,path
+
+ CFLAGS="$CFLAGS $KRB5_CFLAGS"
+ CPPFLAGS="$CPPFLAGS $KRB5_CPPFLAGS"
+ LDFLAGS="$LDFLAGS $KRB5_LDFLAGS"
+
+ KRB5_LIBS="$KRB5_LDFLAGS $KRB5_LIBS"
+
+ # now check for krb5.h. Some systems have the libraries without the headers!
+ # note that this check is done here to allow for different kerberos
+ # include paths
+ AC_CHECK_HEADERS(krb5.h)
+
+ if test x"$ac_cv_header_krb5_h" = x"no"; then
+ # Give a warning if KRB5 support was not explicitly requested,
+ # i.e with_krb5_support = auto, otherwise die with an error.
+ if test x"$with_krb5_support" = x"yes"; then
+ AC_MSG_ERROR([KRB5 cannot be supported without krb5.h])
+ else
+ AC_MSG_WARN([KRB5 cannot be supported without krb5.h])
+ fi
+ # Turn off AD support and restore CFLAGS and LIBS variables
+ with_krb5_support="no"
+ fi
+
+ CFLAGS=$ac_save_CFLAGS
+ CPPFLAGS=$ac_save_CPPFLAGS
+ LDFLAGS=$ac_save_LDFLAGS
+fi
+
+# Now we have determined whether we really want KRB5 support
+
+if test x"$with_krb5_support" != x"no"; then
+ ac_save_CFLAGS=$CFLAGS
+ ac_save_CPPFLAGS=$CPPFLAGS
+ ac_save_LDFLAGS=$LDFLAGS
+ ac_save_LIBS=$LIBS
+
+ CFLAGS="$CFLAGS $KRB5_CFLAGS"
+ CPPFLAGS="$CPPFLAGS $KRB5_CPPFLAGS"
+ LDFLAGS="$LDFLAGS $KRB5_LDFLAGS"
+
+ # now check for gssapi headers. This is also done here to allow for
+ # different kerberos include paths
+ AC_CHECK_HEADERS(gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h com_err.h)
+
+ ##################################################################
+ # we might need the k5crypto and com_err libraries on some systems
+ AC_CHECK_LIB_EXT(com_err, KRB5_LIBS, _et_list)
+ AC_CHECK_LIB_EXT(k5crypto, KRB5_LIBS, krb5_encrypt_data)
+
+ # Heimdal checks.
+ # But only if we didn't have a krb5-config to tell us this already
+ if test x"$FOUND_KRB5_VIA_CONFIG" != x"yes"; then
+ AC_CHECK_LIB_EXT(crypto, KRB5_LIBS, des_set_key)
+ AC_CHECK_LIB_EXT(asn1, KRB5_LIBS, copy_Authenticator)
+ AC_CHECK_LIB_EXT(roken, KRB5_LIBS, roken_getaddrinfo_hostspec)
+ fi
+
+ # Heimdal checks. On static Heimdal gssapi must be linked before krb5.
+ AC_CHECK_LIB_EXT(gssapi, KRB5_LIBS, gss_display_status,[],[],
+ AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available]))
+
+ ########################################################
+ # now see if we can find the krb5 libs in standard paths
+ # or as specified above
+ AC_CHECK_LIB_EXT(krb5, KRB5_LIBS, krb5_mk_req_extended)
+ AC_CHECK_LIB_EXT(krb5, KRB5_LIBS, krb5_kt_compare)
+
+ ########################################################
+ # now see if we can find the gssapi libs in standard paths
+ if test x"$ac_cv_lib_ext_gssapi_gss_display_status" != x"yes"; then
+ AC_CHECK_LIB_EXT(gssapi_krb5, KRB5_LIBS,gss_display_status,[],[],
+ AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available]))
+ fi
+
+ AC_CHECK_FUNC_EXT(krb5_set_real_time, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_set_default_in_tkt_etypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_set_default_tgs_ktypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_principal2salt, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_use_enctype, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_string_to_key, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_pw_salt, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_string_to_key_salt, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_auth_con_setkey, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_auth_con_setuseruserkey, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_locate_kdc, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_permitted_enctypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_default_in_tkt_etypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_free_ktypes, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_free_data_contents, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_principal_get_comp_string, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_free_unparsed_name, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_free_keytab_entry_contents, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_kt_free_entry, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_krbhst_get_addrinfo, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_verify_checksum, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_c_verify_checksum, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_ticket_get_authorization_data_type, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_krbhst_get_addrinfo, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_c_enctype_compare, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_error_string, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_free_error_string, $KRB5_LIBS)
+
+ LIBS="$LIBS $KRB5_LIBS"
+
+ AC_CACHE_CHECK([for krb5_encrypt_block type],
+ samba_cv_HAVE_KRB5_ENCRYPT_BLOCK,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_encrypt_block block;],
+ samba_cv_HAVE_KRB5_ENCRYPT_BLOCK=yes,
+ samba_cv_HAVE_KRB5_ENCRYPT_BLOCK=no)])
+
+ if test x"$samba_cv_HAVE_KRB5_ENCRYPT_BLOCK" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5_ENCRYPT_BLOCK,1,
+ [Whether the type krb5_encrypt_block exists])
+ fi
+
+ AC_CACHE_CHECK([for addrtype in krb5_address],
+ samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_address kaddr; kaddr.addrtype = ADDRTYPE_INET;],
+ samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS=yes,
+ samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS=no)])
+ if test x"$samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS" = x"yes"; then
+ AC_DEFINE(HAVE_ADDRTYPE_IN_KRB5_ADDRESS,1,
+ [Whether the krb5_address struct has a addrtype property])
+ fi
+
+ AC_CACHE_CHECK([for addr_type in krb5_address],
+ samba_cv_HAVE_ADDR_TYPE_IN_KRB5_ADDRESS,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_address kaddr; kaddr.addr_type = KRB5_ADDRESS_INET;],
+ samba_cv_HAVE_ADDR_TYPE_IN_KRB5_ADDRESS=yes,
+ samba_cv_HAVE_ADDR_TYPE_IN_KRB5_ADDRESS=no)])
+ if test x"$samba_cv_HAVE_ADDR_TYPE_IN_KRB5_ADDRESS" = x"yes"; then
+ AC_DEFINE(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS,1,
+ [Whether the krb5_address struct has a addr_type property])
+ fi
+
+ AC_CACHE_CHECK([for enc_part2 in krb5_ticket],
+ samba_cv_HAVE_KRB5_TKT_ENC_PART2,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_ticket tkt; tkt.enc_part2->authorization_data[0]->contents = NULL;],
+ samba_cv_HAVE_KRB5_TKT_ENC_PART2=yes,
+ samba_cv_HAVE_KRB5_TKT_ENC_PART2=no)])
+ if test x"$samba_cv_HAVE_KRB5_TKT_ENC_PART2" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5_TKT_ENC_PART2,1,
+ [Whether the krb5_ticket struct has a enc_part2 property])
+ fi
+
+ AC_CACHE_CHECK([for keyblock in krb5_creds],
+ samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_creds creds; krb5_keyblock kb; creds.keyblock = kb;],
+ samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS=yes,
+ samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS=no)])
+
+ if test x"$samba_cv_HAVE_KRB5_KEYBLOCK_IN_CREDS" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5_KEYBLOCK_IN_CREDS,1,
+ [Whether the krb5_creds struct has a keyblock property])
+ fi
+
+ AC_CACHE_CHECK([for session in krb5_creds],
+ samba_cv_HAVE_KRB5_SESSION_IN_CREDS,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_creds creds; krb5_keyblock kb; creds.session = kb;],
+ samba_cv_HAVE_KRB5_SESSION_IN_CREDS=yes,
+ samba_cv_HAVE_KRB5_SESSION_IN_CREDS=no)])
+
+ if test x"$samba_cv_HAVE_KRB5_SESSION_IN_CREDS" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5_SESSION_IN_CREDS,1,
+ [Whether the krb5_creds struct has a session property])
+ fi
+
+ AC_CACHE_CHECK([for keyvalue in krb5_keyblock],
+ samba_cv_HAVE_KRB5_KEYBLOCK_KEYVALUE,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_keyblock key; key.keyvalue.data = NULL;],
+ samba_cv_HAVE_KRB5_KEYBLOCK_KEYVALUE=yes,
+ samba_cv_HAVE_KRB5_KEYBLOCK_KEYVALUE=no)])
+ if test x"$samba_cv_HAVE_KRB5_KEYBLOCK_KEYVALUE" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5_KEYBLOCK_KEYVALUE,1,
+ [Whether the krb5_keyblock struct has a keyvalue property])
+ fi
+
+ AC_CACHE_CHECK([for ENCTYPE_ARCFOUR_HMAC_MD5],
+ samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_enctype enctype; enctype = ENCTYPE_ARCFOUR_HMAC_MD5;],
+ samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5=yes,
+ samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5=no)])
+ AC_CACHE_CHECK([for KEYTYPE_ARCFOUR_56],
+ samba_cv_HAVE_KEYTYPE_ARCFOUR_56,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_keytype keytype; keytype = KEYTYPE_ARCFOUR_56;],
+ samba_cv_HAVE_KEYTYPE_ARCFOUR_56=yes,
+ samba_cv_HAVE_KEYTYPE_ARCFOUR_56=no)])
+ # Heimdals with KEYTYPE_ARCFOUR but not KEYTYPE_ARCFOUR_56 are broken
+ # w.r.t. arcfour and windows, so we must not enable it here
+ if test x"$samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5" = x"yes" -a\
+ x"$samba_cv_HAVE_KEYTYPE_ARCFOUR_56" = x"yes"; then
+ AC_DEFINE(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5,1,
+ [Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type is available])
+ fi
+
+ AC_CACHE_CHECK([for AP_OPTS_USE_SUBKEY],
+ samba_cv_HAVE_AP_OPTS_USE_SUBKEY,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_flags ap_options; ap_options = AP_OPTS_USE_SUBKEY;],
+ samba_cv_HAVE_AP_OPTS_USE_SUBKEY=yes,
+ samba_cv_HAVE_AP_OPTS_USE_SUBKEY=no)])
+ if test x"$samba_cv_HAVE_AP_OPTS_USE_SUBKEY" = x"yes"; then
+ AC_DEFINE(HAVE_AP_OPTS_USE_SUBKEY,1,
+ [Whether the AP_OPTS_USE_SUBKEY ap option is available])
+ fi
+
+ AC_CACHE_CHECK([for KV5M_KEYTAB],
+ samba_cv_HAVE_KV5M_KEYTAB,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_keytab_entry entry; entry.magic = KV5M_KEYTAB;],
+ samba_cv_HAVE_KV5M_KEYTAB=yes,
+ samba_cv_HAVE_KV5M_KEYTAB=no)])
+ if test x"$samba_cv_HAVE_KV5M_KEYTAB" = x"yes"; then
+ AC_DEFINE(HAVE_KV5M_KEYTAB,1,
+ [Whether the KV5M_KEYTAB option is available])
+ fi
+
+ AC_CACHE_CHECK([for the krb5_princ_component macro],
+ samba_cv_HAVE_KRB5_PRINC_COMPONENT,[
+ AC_TRY_LINK([#include <krb5.h>],
+ [const krb5_data *pkdata; krb5_context context; krb5_principal principal;
+ pkdata = krb5_princ_component(context, principal, 0);],
+ samba_cv_HAVE_KRB5_PRINC_COMPONENT=yes,
+ samba_cv_HAVE_KRB5_PRINC_COMPONENT=no)])
+ if test x"$samba_cv_HAVE_KRB5_PRINC_COMPONENT" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5_PRINC_COMPONENT,1,
+ [Whether krb5_princ_component is available])
+ fi
+
+ AC_CACHE_CHECK([for key in krb5_keytab_entry],
+ samba_cv_HAVE_KRB5_KEYTAB_ENTRY_KEY,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_keytab_entry entry; krb5_keyblock e; entry.key = e;],
+ samba_cv_HAVE_KRB5_KEYTAB_ENTRY_KEY=yes,
+ samba_cv_HAVE_KRB5_KEYTAB_ENTRY_KEY=no)])
+ if test x"$samba_cv_HAVE_KRB5_KEYTAB_ENTRY_KEY" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5_KEYTAB_ENTRY_KEY,1,
+ [Whether krb5_keytab_entry has key member])
+ fi
+
+ AC_CACHE_CHECK([for keyblock in krb5_keytab_entry],
+ samba_cv_HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_keytab_entry entry; entry.keyblock.keytype = 0;],
+ samba_cv_HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK=yes,
+ samba_cv_HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK=no)])
+ if test x"$samba_cv_HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK,1,
+ [Whether krb5_keytab_entry has keyblock member])
+ fi
+
+ AC_CACHE_CHECK([for WRFILE: keytab support],
+ samba_cv_HAVE_WRFILE_KEYTAB,[
+ AC_TRY_RUN([
+ #include<krb5.h>
+ main()
+ {
+ krb5_context context;
+ krb5_keytab keytab;
+ krb5_init_context(&context);
+ return krb5_kt_resolve(context, "WRFILE:api", &keytab);
+ }],
+ samba_cv_HAVE_WRFILE_KEYTAB=yes,
+ samba_cv_HAVE_WRFILE_KEYTAB=no)])
+ if test x"$samba_cv_HAVE_WRFILE_KEYTAB" = x"yes"; then
+ AC_DEFINE(HAVE_WRFILE_KEYTAB,1,
+ [Whether the WRFILE:-keytab is supported])
+ fi
+
+ AC_CACHE_CHECK([for krb5_princ_realm returns krb5_realm or krb5_data],
+ samba_cv_KRB5_PRINC_REALM_RETURNS_REALM,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_context context;krb5_principal principal;krb5_realm realm;
+ realm = *krb5_princ_realm(context, principal);],
+ samba_cv_KRB5_PRINC_REALM_RETURNS_REALM=yes,
+ samba_cv_KRB5_PRINC_REALM_RETURNS_REALM=no)])
+ if test x"$samba_cv_KRB5_PRINC_REALM_RETURNS_REALM" = x"yes"; then
+ AC_DEFINE(KRB5_PRINC_REALM_RETURNS_REALM,1,
+ [Whether krb5_princ_realm returns krb5_realm or krb5_data])
+ fi
+
+ # TODO: check all gssapi headers for this
+ AC_CACHE_CHECK([for GSS_C_DCE_STYLE in gssapi.h],
+ samba_cv_GSS_C_DCE_STYLE,[
+ AC_TRY_COMPILE([#include <gssapi.h>],
+ [int flags = GSS_C_DCE_STYLE;],
+ samba_cv_GSS_C_DCE_STYLE=yes,
+ samba_cv_GSS_C_DCE_STYLE=no)])
+
+ if test x"$ac_cv_lib_ext_krb5_krb5_mk_req_extended" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5,1,[Whether to have KRB5 support])
+ AC_MSG_CHECKING(whether KRB5 support is used)
+ SMB_EXT_LIB_ENABLE(KRB5,YES)
+ AC_MSG_RESULT(yes)
+ echo "KRB5_CFLAGS: ${KRB5_CFLAGS}"
+ echo "KRB5_CPPFLAGS: ${KRB5_CPPFLAGS}"
+ echo "KRB5_LDFLAGS: ${KRB5_LDFLAGS}"
+ echo "KRB5_LIBS: ${KRB5_LIBS}"
+ else
+ if test x"$with_krb5_support" = x"yes"; then
+ AC_MSG_ERROR(a working krb5 library is needed for KRB5 support)
+ else
+ AC_MSG_WARN(a working krb5 library is needed for KRB5 support)
+ fi
+ KRB5_CFLAGS=""
+ KRB5_CPPFLAGS=""
+ KRB5_LDFLAGS=""
+ KRB5_LIBS=""
+ with_krb5_support=no
+ fi
+
+ CFLAGS=$ac_save_CFLAGS
+ CPPFLAGS=$ac_save_CPPFLAGS
+ LDFLAGS=$ac_save_LDFLAGS
+ LIBS="$ac_save_LIBS"
+
+ # as a nasty hack add the krb5 stuff to the global vars,
+ # at some point this should not be needed anymore when the build system
+ # can handle that alone
+ CFLAGS="$CFLAGS $KRB5_CFLAGS"
+ CPPFLAGS="$CPPFLAGS $KRB5_CPPFLAGS"
+ LDFLAGS="$LDFLAGS $KRB5_LDFLAGS"
+fi
+
+SMB_EXT_LIB(KRB5,[${KRB5_LIBS}],[${KRB5_CFLAGS}],[${KRB5_CPPFLAGS}],[${KRB5_LDFLAGS}])
+
diff --git a/source4/auth/kerberos/kerberos.mk b/source4/auth/kerberos/kerberos.mk
new file mode 100644
index 0000000000..a43e6bb517
--- /dev/null
+++ b/source4/auth/kerberos/kerberos.mk
@@ -0,0 +1,10 @@
+#################################
+# Start SUBSYSTEM KERBEROS
+[SUBSYSTEM::KERBEROS]
+INIT_OBJ_FILES = auth/kerberos/kerberos.o
+ADD_OBJ_FILES = \
+ auth/kerberos/clikrb5.o \
+ auth/kerberos/kerberos_verify.o \
+ auth/kerberos/gssapi_parse.o
+# End SUBSYSTEM KERBEROS
+#################################
diff --git a/source4/auth/kerberos/kerberos_verify.c b/source4/auth/kerberos/kerberos_verify.c
new file mode 100644
index 0000000000..3188e603cd
--- /dev/null
+++ b/source4/auth/kerberos/kerberos_verify.c
@@ -0,0 +1,486 @@
+/*
+ Unix SMB/CIFS implementation.
+ kerberos utility library
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001
+ Copyright (C) Luke Howard 2003
+ Copyright (C) Guenther Deschner 2003
+ Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "asn_1.h"
+#include "lib/ldb/include/ldb.h"
+#include "secrets.h"
+#include "pstring.h"
+
+#ifdef HAVE_KRB5
+
+#if !defined(HAVE_KRB5_PRINC_COMPONENT)
+const krb5_data *krb5_princ_component(krb5_context, krb5_principal, int );
+#endif
+static DATA_BLOB unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data)
+{
+ DATA_BLOB out;
+ DATA_BLOB pac_contents = data_blob(NULL, 0);
+ struct asn1_data data;
+ int data_type;
+ if (!auth_data->length) {
+ return data_blob(NULL, 0);
+ }
+
+ asn1_load(&data, *auth_data);
+ asn1_start_tag(&data, ASN1_SEQUENCE(0));
+ asn1_start_tag(&data, ASN1_SEQUENCE(0));
+ asn1_start_tag(&data, ASN1_CONTEXT(0));
+ asn1_read_Integer(&data, &data_type);
+ asn1_end_tag(&data);
+ asn1_start_tag(&data, ASN1_CONTEXT(1));
+ asn1_read_OctetString(&data, &pac_contents);
+ asn1_end_tag(&data);
+ asn1_end_tag(&data);
+ asn1_end_tag(&data);
+ asn1_free(&data);
+
+ out = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length);
+
+ data_blob_free(&pac_contents);
+
+ return out;
+}
+
+/**********************************************************************************
+ Try to verify a ticket using the system keytab... the system keytab has kvno -1 entries, so
+ it's more like what microsoft does... see comment in utils/net_ads.c in the
+ ads_keytab_add_entry function for details.
+***********************************************************************************/
+
+static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_context context,
+ krb5_auth_context auth_context,
+ const char *service,
+ const DATA_BLOB *ticket, krb5_data *p_packet,
+ krb5_ticket **pp_tkt,
+ krb5_keyblock *keyblock)
+{
+ krb5_error_code ret = 0;
+ krb5_keytab keytab = NULL;
+ krb5_kt_cursor kt_cursor;
+ krb5_keytab_entry kt_entry;
+ char *valid_princ_formats[7] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL };
+ char *entry_princ_s = NULL;
+ const char *my_name, *my_fqdn;
+ int i;
+ int number_matched_principals = 0;
+ const char *last_error_message;
+
+ /* Generate the list of principal names which we expect
+ * clients might want to use for authenticating to the file
+ * service. We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
+
+ my_name = lp_netbios_name();
+
+ my_fqdn = name_to_fqdn(mem_ctx, my_name);
+
+ asprintf(&valid_princ_formats[0], "%s$@%s", my_name, lp_realm());
+ asprintf(&valid_princ_formats[1], "host/%s@%s", my_name, lp_realm());
+ asprintf(&valid_princ_formats[2], "host/%s@%s", my_fqdn, lp_realm());
+ asprintf(&valid_princ_formats[3], "host/%s.%s@%s", my_name, lp_realm(), lp_realm());
+ asprintf(&valid_princ_formats[4], "cifs/%s@%s", my_name, lp_realm());
+ asprintf(&valid_princ_formats[5], "cifs/%s@%s", my_fqdn, lp_realm());
+ asprintf(&valid_princ_formats[6], "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm());
+
+ ZERO_STRUCT(kt_entry);
+ ZERO_STRUCT(kt_cursor);
+
+ ret = krb5_kt_default(context, &keytab);
+ if (ret) {
+ DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n",
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
+ goto out;
+ }
+
+ /* Iterate through the keytab. For each key, if the principal
+ * name case-insensitively matches one of the allowed formats,
+ * try verifying the ticket using that principal. */
+
+ ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
+ if (ret) {
+ last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+ DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n",
+ last_error_message));
+ goto out;
+ }
+
+ ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
+ if (ret != KRB5_KT_END && ret != ENOENT ) {
+ ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; /* Pick an error... */
+ while (ret && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
+ krb5_error_code upn_ret;
+ upn_ret = krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
+ if (upn_ret) {
+ last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+ DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n",
+ last_error_message));
+ ret = upn_ret;
+ break;
+ }
+ for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
+ if (!strequal(entry_princ_s, valid_princ_formats[i])) {
+ continue;
+ }
+
+ number_matched_principals++;
+ p_packet->length = ticket->length;
+ p_packet->data = (krb5_pointer)ticket->data;
+ *pp_tkt = NULL;
+ ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt);
+ if (ret) {
+ last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+ DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n",
+ entry_princ_s, last_error_message));
+ } else {
+ DEBUG(3,("ads_keytab_verify_ticket: krb5_rd_req succeeded for principal %s\n",
+ entry_princ_s));
+ break;
+ }
+ }
+
+ /* Free the name we parsed. */
+ krb5_free_unparsed_name(context, entry_princ_s);
+ entry_princ_s = NULL;
+
+ /* Free the entry we just read. */
+ smb_krb5_kt_free_entry(context, &kt_entry);
+ ZERO_STRUCT(kt_entry);
+ }
+ krb5_kt_end_seq_get(context, keytab, &kt_cursor);
+ }
+
+ ZERO_STRUCT(kt_cursor);
+
+ out:
+
+ if (ret) {
+ if (!number_matched_principals) {
+ DEBUG(3, ("ads_keytab_verify_ticket: no keytab principals matched expected file service name.\n"));
+ } else {
+ DEBUG(3, ("ads_keytab_verify_ticket: krb5_rd_req failed for all %d matched keytab principals\n",
+ number_matched_principals));
+ }
+ DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", last_error_message));
+ }
+
+ if (entry_princ_s) {
+ krb5_free_unparsed_name(context, entry_princ_s);
+ }
+
+ {
+ krb5_keytab_entry zero_kt_entry;
+ ZERO_STRUCT(zero_kt_entry);
+ if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
+ smb_krb5_kt_free_entry(context, &kt_entry);
+ }
+ }
+
+ {
+ krb5_kt_cursor zero_csr;
+ ZERO_STRUCT(zero_csr);
+ if ((memcmp(&kt_cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
+ krb5_kt_end_seq_get(context, keytab, &kt_cursor);
+ }
+ }
+
+ if (keytab) {
+ krb5_kt_close(context, keytab);
+ }
+
+ return ret;
+}
+
+/**********************************************************************************
+ Try to verify a ticket using the secrets.tdb.
+***********************************************************************************/
+
+static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_principal host_princ,
+ const DATA_BLOB *ticket, krb5_data *p_packet,
+ krb5_ticket **pp_tkt,
+ krb5_keyblock *keyblock)
+{
+ krb5_error_code ret = 0;
+ krb5_error_code our_ret;
+ krb5_data password;
+ krb5_enctype *enctypes = NULL;
+ int i;
+ const struct ldb_val *password_v;
+ struct ldb_context *ldb;
+ int ldb_ret;
+ struct ldb_message **msgs;
+ const char *base_dn = SECRETS_PRIMARY_DOMAIN_DN;
+ const char *attrs[] = {
+ "secret",
+ NULL
+ };
+
+ ZERO_STRUCTP(keyblock);
+
+ /* Local secrets are stored in secrets.ldb */
+ ldb = secrets_db_connect(mem_ctx);
+ if (!ldb) {
+ return ENOENT;
+ }
+
+ /* search for the secret record */
+ ldb_ret = gendb_search(ldb,
+ mem_ctx, base_dn, &msgs, attrs,
+ SECRETS_PRIMARY_REALM_FILTER,
+ lp_realm());
+ if (ldb_ret == 0) {
+ DEBUG(1, ("Could not find domain join record for %s\n",
+ lp_realm()));
+ return ENOENT;
+ } else if (ldb_ret != 1) {
+ DEBUG(1, ("Found %d records matching cn=%s under DN %s\n", ldb_ret,
+ lp_realm(), base_dn));
+ return ENOENT;
+ }
+
+ password_v = ldb_msg_find_ldb_val(msgs[0], "secret");
+
+ password.data = password_v->data;
+ password.length = password_v->length;
+
+ /* CIFS doesn't use addresses in tickets. This would break NAT. JRA */
+
+ if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) {
+ DEBUG(1,("ads_secrets_verify_ticket: krb5_get_permitted_enctypes failed (%s)\n",
+ error_message(ret)));
+ return ret;
+ }
+
+ p_packet->length = ticket->length;
+ p_packet->data = (krb5_pointer)ticket->data;
+
+ /* We need to setup a auth context with each possible encoding type in turn. */
+
+ ret = KRB5_BAD_ENCTYPE;
+ for (i=0;enctypes[i];i++) {
+ krb5_keyblock *key = NULL;
+
+ if (!(key = malloc_p(krb5_keyblock))) {
+ break;
+ }
+
+ if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
+ SAFE_FREE(key);
+ continue;
+ }
+
+ krb5_auth_con_setuseruserkey(context, auth_context, key);
+
+ krb5_free_keyblock(context, key);
+
+ our_ret = krb5_rd_req(context, &auth_context, p_packet,
+ NULL,
+ NULL, NULL, pp_tkt);
+ if (!our_ret) {
+
+ DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n",
+ (unsigned int)enctypes[i] ));
+ ret = our_ret;
+ break;
+ }
+
+ DEBUG((our_ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
+ ("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
+ (unsigned int)enctypes[i], smb_get_krb5_error_message(context, our_ret, mem_ctx)));
+
+ if (our_ret != KRB5_BAD_ENCTYPE) {
+ ret = our_ret;
+ }
+ }
+
+ free_kerberos_etypes(context, enctypes);
+
+ return ret;
+}
+
+/**********************************************************************************
+ Verify an incoming ticket and parse out the principal name and
+ authorization_data if available.
+***********************************************************************************/
+
+ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+ krb5_auth_context auth_context,
+ const char *realm, const char *service,
+ const DATA_BLOB *ticket,
+ char **principal, DATA_BLOB *auth_data,
+ DATA_BLOB *ap_rep,
+ krb5_keyblock *keyblock)
+{
+ NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
+ krb5_data packet;
+ krb5_ticket *tkt = NULL;
+ krb5_rcache rcache = NULL;
+ int ret;
+
+ krb5_principal host_princ = NULL;
+ char *host_princ_s = NULL;
+ BOOL got_replay_mutex = False;
+
+ char *malloc_principal;
+
+ ZERO_STRUCT(packet);
+ ZERO_STRUCTP(auth_data);
+ ZERO_STRUCTP(ap_rep);
+
+ /* This whole process is far more complex than I would
+ like. We have to go through all this to allow us to store
+ the secret internally, instead of using /etc/krb5.keytab */
+
+ asprintf(&host_princ_s, "%s$", lp_netbios_name());
+ strlower_m(host_princ_s);
+ ret = krb5_parse_name(context, host_princ_s, &host_princ);
+ if (ret) {
+ DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
+ host_princ_s, error_message(ret)));
+ goto out;
+ }
+
+
+ /* Lock a mutex surrounding the replay as there is no locking in the MIT krb5
+ * code surrounding the replay cache... */
+
+ if (!grab_server_mutex("replay cache mutex")) {
+ DEBUG(1,("ads_verify_ticket: unable to protect replay cache with mutex.\n"));
+ goto out;
+ }
+
+ got_replay_mutex = True;
+
+ /*
+ * JRA. We must set the rcache here. This will prevent replay attacks.
+ */
+
+ ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache);
+ if (ret) {
+ DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache failed (%s)\n", error_message(ret)));
+ goto out;
+ }
+
+ ret = krb5_auth_con_setrcache(context, auth_context, rcache);
+ if (ret) {
+ DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache failed (%s)\n", error_message(ret)));
+ goto out;
+ }
+
+ ret = ads_keytab_verify_ticket(mem_ctx, context, auth_context,
+ service, ticket, &packet, &tkt, keyblock);
+ if (ret) {
+ DEBUG(10, ("ads_secrets_verify_ticket: using host principal: [%s]\n", host_princ_s));
+ ret = ads_secrets_verify_ticket(mem_ctx, context, auth_context,
+ host_princ, ticket,
+ &packet, &tkt, keyblock);
+ }
+
+ release_server_mutex();
+ got_replay_mutex = False;
+
+ if (ret) {
+ DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
+ goto out;
+ }
+
+ ret = krb5_mk_rep(context, auth_context, &packet);
+ if (ret) {
+ DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
+ goto out;
+ }
+
+ *ap_rep = data_blob_talloc(mem_ctx, packet.data, packet.length);
+ SAFE_FREE(packet.data);
+ packet.length = 0;
+
+#if 0
+ file_save("/tmp/ticket.dat", ticket->data, ticket->length);
+#endif
+
+ *auth_data = get_auth_data_from_tkt(mem_ctx, tkt);
+
+ *auth_data = unwrap_pac(mem_ctx, auth_data);
+
+#if 0
+ if (tkt->enc_part2) {
+ file_save("/tmp/authdata.dat",
+ tkt->enc_part2->authorization_data[0]->contents,
+ tkt->enc_part2->authorization_data[0]->length);
+ }
+#endif
+
+ if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt),
+ &malloc_principal))) {
+ DEBUG(3,("ads_verify_ticket: krb5_unparse_name failed (%s)\n",
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
+ sret = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ *principal = talloc_strdup(mem_ctx, malloc_principal);
+ SAFE_FREE(malloc_principal);
+ if (!principal) {
+ DEBUG(3,("ads_verify_ticket: talloc_strdup() failed\n"));
+ sret = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ sret = NT_STATUS_OK;
+
+ out:
+
+ if (got_replay_mutex) {
+ release_server_mutex();
+ }
+
+ if (!NT_STATUS_IS_OK(sret)) {
+ data_blob_free(auth_data);
+ }
+
+ if (!NT_STATUS_IS_OK(sret)) {
+ data_blob_free(ap_rep);
+ }
+
+ if (host_princ) {
+ krb5_free_principal(context, host_princ);
+ }
+
+ if (tkt != NULL) {
+ krb5_free_ticket(context, tkt);
+ }
+
+ SAFE_FREE(host_princ_s);
+
+ return sret;
+}
+
+#endif /* HAVE_KRB5 */