r10035: This patch removes the need for the special case hack

'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a merge from lorikeet-heimdal, where I removed this) This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred() function, as this allows us to specify the target principal, regardless of which alias the client may use. This patch also tries to simplify some principal handling and fixes some error cases. Posted to samba-technical, reviewed by metze, and looked over by lha on IRC. Andrew Bartlett (This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
author: Andrew Bartlett <abartlet@samba.org> 2005-09-05 10:53:14 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:36:31 -0500
commit: 6b14ffe2713efe2e16a988d920d2dbd7c088601d (patch)
tree: a5b65d3ac673fee94037f026769ffe781a29f301 /source4/auth/kerberos
parent: a5148773417adcc343b194693168fb4817bc3a65 (diff)
download: samba-6b14ffe2713efe2e16a988d920d2dbd7c088601d.tar.gz
samba-6b14ffe2713efe2e16a988d920d2dbd7c088601d.tar.bz2
samba-6b14ffe2713efe2e16a988d920d2dbd7c088601d.zip
3 files changed, 65 insertions, 34 deletions
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index 31e0c71c55..3935bfaf92 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -69,35 +69,27 @@ kerb_prompter(krb5_context ctx, void *data,
   original password.
 */
  int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, 
-				const char *principal, krb5_keyblock *keyblock,
+				krb5_principal principal, krb5_keyblock *keyblock,
 				time_t *expire_time, time_t *kdc_time)
 {
 	krb5_error_code code = 0;
-	krb5_principal me;
 	krb5_creds my_creds;
 	krb5_get_init_creds_opt options;
 
-	if ((code = krb5_parse_name(ctx, principal, &me))) {
-		return code;
-	}
-
 	krb5_get_init_creds_opt_init(&options);
 
-	if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, me, keyblock,
+	if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock,
 						 0, NULL, &options))) {
-		krb5_free_principal(ctx, me);
 		return code;
 	}
 	
-	if ((code = krb5_cc_initialize(ctx, cc, me))) {
+	if ((code = krb5_cc_initialize(ctx, cc, principal))) {
 		krb5_free_cred_contents(ctx, &my_creds);
-		krb5_free_principal(ctx, me);
 		return code;
 	}
 	
 	if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
 		krb5_free_cred_contents(ctx, &my_creds);
-		krb5_free_principal(ctx, me);
 		return code;
 	}
 	
@@ -110,7 +102,6 @@ kerb_prompter(krb5_context ctx, void *data,
 	}
 
 	krb5_free_cred_contents(ctx, &my_creds);
-	krb5_free_principal(ctx, me);
 	
 	return 0;
 }
@@ -120,36 +111,28 @@ kerb_prompter(krb5_context ctx, void *data,
   Orignally by remus@snapserver.com
 */
  int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, 
-			       const char *principal, const char *password, 
-			       time_t *expire_time, time_t *kdc_time)
+				krb5_principal principal, const char *password, 
+				time_t *expire_time, time_t *kdc_time)
 {
 	krb5_error_code code = 0;
-	krb5_principal me;
 	krb5_creds my_creds;
 	krb5_get_init_creds_opt options;
 
-	if ((code = krb5_parse_name(ctx, principal, &me))) {
-		return code;
-	}
-
 	krb5_get_init_creds_opt_init(&options);
 
-	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, password, 
+	if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password, 
 						 kerb_prompter, 
 						 NULL, 0, NULL, &options))) {
-		krb5_free_principal(ctx, me);
 		return code;
 	}
 	
-	if ((code = krb5_cc_initialize(ctx, cc, me))) {
+	if ((code = krb5_cc_initialize(ctx, cc, principal))) {
 		krb5_free_cred_contents(ctx, &my_creds);
-		krb5_free_principal(ctx, me);
 		return code;
 	}
 	
 	if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
 		krb5_free_cred_contents(ctx, &my_creds);
-		krb5_free_principal(ctx, me);
 		return code;
 	}
 	
@@ -162,7 +145,6 @@ kerb_prompter(krb5_context ctx, void *data,
 	}
 
 	krb5_free_cred_contents(ctx, &my_creds);
-	krb5_free_principal(ctx, me);
 	
 	return 0;
 }
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 8cc8e561ac..39bba5f46f 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -102,10 +102,10 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 			   DATA_BLOB *ap_rep,
 			   krb5_keyblock **keyblock);
 int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, 
-			       const char *principal, const char *password, 
+			       krb5_principal principal, const char *password, 
 			       time_t *expire_time, time_t *kdc_time);
 int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, 
-			       const char *principal, krb5_keyblock *keyblock,
+			       krb5_principal principal, krb5_keyblock *keyblock,
 			       time_t *expire_time, time_t *kdc_time);
 krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
 							krb5_principal host_princ,
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 9dc8621b0e..922869af5c 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -87,7 +87,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
 				  cli_credentials_get_realm(machine_account), 
 				  "host", salt_body, NULL);
 
-	if (ret != 0) {
+	if (ret == 0) {
 		mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
 		mem_ctx->principal = *salt_princ;
 		talloc_set_destructor(mem_ctx, free_principal);
@@ -95,6 +95,36 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
 	return ret;
 }
 
+krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, 
+					   struct cli_credentials *credentials, 
+					   struct smb_krb5_context *smb_krb5_context,
+					   krb5_principal *princ)
+{
+	krb5_error_code ret;
+	const char *princ_string;
+	struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
+	if (!mem_ctx) {
+		return ENOMEM;
+	}
+	
+	princ_string = cli_credentials_get_principal(credentials, mem_ctx);
+
+	if (!princ_string) {
+		talloc_free(mem_ctx);
+		return ENOMEM;
+	}
+
+	ret = krb5_parse_name(smb_krb5_context->krb5_context,
+			      princ_string, princ);
+
+	if (ret == 0) {
+		mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
+		mem_ctx->principal = *princ;
+		talloc_set_destructor(mem_ctx, free_principal);
+	}
+	return ret;
+}
+
 /**
  * Return a freshly allocated ccache (destroyed by destructor on child
  * of parent_ctx), for a given set of client credentials 
@@ -108,6 +138,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
 	krb5_error_code ret;
 	const char *password;
 	time_t kdc_time = 0;
+	krb5_principal princ;
 
 	TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 
@@ -115,11 +146,17 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
 		return ENOMEM;
 	}
 
+	ret = principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &princ);
+	if (ret) {
+		talloc_free(mem_ctx);
+		return ret;
+	}
+
 	password = cli_credentials_get_password(credentials);
 	
 	if (password) {
 		ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache, 
-						 cli_credentials_get_principal(credentials, mem_ctx), 
+						 princ, 
 						 password, NULL, &kdc_time);
 	} else {
 		/* No password available, try to use a keyblock instead */
@@ -139,7 +176,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
 		
 		if (ret == 0) {
 			ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache, 
-							 cli_credentials_get_principal(credentials, mem_ctx), 
+							 princ,
 							 &keyblock, NULL, &kdc_time);
 			krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
 		}
@@ -191,12 +228,13 @@ static int free_keytab(void *ptr) {
 	struct keytab_container *mem_ctx = talloc(parent_ctx, struct keytab_container);
 	krb5_enctype *enctypes;
 	krb5_principal salt_princ;
+	krb5_principal princ;
 	
 	if (!mem_ctx) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY_WILDCARD:", keytab);
+	ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY:", keytab);
 	if (ret) {
 		DEBUG(1,("failed to generate a new krb5 keytab: %s\n", 
 			 error_message(ret)));
@@ -214,7 +252,18 @@ static int free_keytab(void *ptr) {
 					      &salt_princ);
 	if (ret) {
 		DEBUG(1,("create_memory_keytab: maksing salt principal failed (%s)\n",
-			 error_message(ret)));
+			 smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+						    ret, mem_ctx)));
+		talloc_free(mem_ctx);
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, &princ);
+	if (ret) {
+		DEBUG(1,("create_memory_keytab: maksing krb5 principal failed (%s)\n",
+			 smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+						    ret, mem_ctx)));
+		talloc_free(mem_ctx);
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
@@ -243,7 +292,7 @@ static int free_keytab(void *ptr) {
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
-		entry.principal = salt_princ;
+		entry.principal = princ;
 		entry.vno       = cli_credentials_get_kvno(machine_account);
 		ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
 		if (ret) {
@@ -283,7 +332,7 @@ static int free_keytab(void *ptr) {
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
-                entry.principal = salt_princ;
+                entry.principal = princ;
                 entry.vno       = cli_credentials_get_kvno(machine_account);
 		ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
 		if (ret) {
author	Andrew Bartlett <abartlet@samba.org>	2005-09-05 10:53:14 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:36:31 -0500
commit	6b14ffe2713efe2e16a988d920d2dbd7c088601d (patch)
tree	a5b65d3ac673fee94037f026769ffe781a29f301 /source4/auth/kerberos
parent	a5148773417adcc343b194693168fb4817bc3a65 (diff)
download	samba-6b14ffe2713efe2e16a988d920d2dbd7c088601d.tar.gz samba-6b14ffe2713efe2e16a988d920d2dbd7c088601d.tar.bz2 samba-6b14ffe2713efe2e16a988d920d2dbd7c088601d.zip