summaryrefslogtreecommitdiff
path: root/source4/libcli/auth/gensec_krb5.c
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2004-07-13 05:14:59 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:57:34 -0500
commited03516c915c4a4c8ae6f7decfa04d51049d9dd5 (patch)
tree41f535a24108d59c367849ae80885198e371bda3 /source4/libcli/auth/gensec_krb5.c
parent39b12015846e06cbf89079e365e6c228ca3883c2 (diff)
downloadsamba-ed03516c915c4a4c8ae6f7decfa04d51049d9dd5.tar.gz
samba-ed03516c915c4a4c8ae6f7decfa04d51049d9dd5.tar.bz2
samba-ed03516c915c4a4c8ae6f7decfa04d51049d9dd5.zip
r1475: More kerberos work
- We can now connect to hosts that follow the SPNEGO RFC, and *do not* give us their principal name in the mechListMIC. - The client code now remembers the hostname it connects to - We now kinit for a user, if there is not valid ticket already - Re-introduce clock skew compensation TODO: - See if the username in the ccache matches the username specified - Use a private ccache, rather then the global one, for a 'new' kinit - Determine 'default' usernames. - The default for Krb5 is the one in the ccache, then $USER - For NTLMSSP, it's just $USER Andrew Bartlett (This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
Diffstat (limited to 'source4/libcli/auth/gensec_krb5.c')
-rw-r--r--source4/libcli/auth/gensec_krb5.c114
1 files changed, 95 insertions, 19 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index 3a4f995937..78b6e334a7 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -43,6 +43,7 @@ struct gensec_krb5_state {
krb5_context krb5_context;
krb5_auth_context krb5_auth_context;
krb5_ccache krb5_ccache;
+ krb5_data ticket;
};
static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
@@ -68,6 +69,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
gensec_krb5_state->krb5_context = NULL;
gensec_krb5_state->krb5_auth_context = NULL;
gensec_krb5_state->krb5_ccache = NULL;
+ ZERO_STRUCT(gensec_krb5_state->ticket);
gensec_krb5_state->session_key = data_blob(NULL, 0);
ret = krb5_init_context(&gensec_krb5_state->krb5_context);
@@ -114,6 +116,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
struct gensec_krb5_state *gensec_krb5_state;
krb5_error_code ret;
NTSTATUS nt_status;
+
nt_status = gensec_krb5_start(gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
@@ -122,6 +125,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
+ /* TODO: This is effecivly a static/global variable... */
ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_ccache);
if (ret) {
DEBUG(1,("krb5_cc_default failed (%s)\n",
@@ -129,13 +133,101 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
return NT_STATUS_INTERNAL_ERROR;
}
- return NT_STATUS_OK;
+ while (1) {
+ if (gensec_security->target.principal) {
+ DEBUG(5, ("Finding ticket for target [%s]\n", gensec_security->target.principal));
+ ret = ads_krb5_mk_req(gensec_krb5_state->krb5_context,
+ &gensec_krb5_state->krb5_auth_context,
+ AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
+ gensec_security->target.principal,
+ gensec_krb5_state->krb5_ccache,
+ &gensec_krb5_state->ticket);
+ if (ret) {
+ DEBUG(1,("ads_krb5_mk_req failed (%s)\n",
+ error_message(ret)));
+ }
+ } else {
+ krb5_data in_data;
+ in_data.length = 0;
+ const char *hostname = gensec_get_target_hostname(gensec_security);
+ if (!hostname) {
+ DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ ret = krb5_mk_req(gensec_krb5_state->krb5_context,
+ &gensec_krb5_state->krb5_auth_context,
+ AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
+ gensec_get_target_service(gensec_security),
+ hostname,
+ &in_data, gensec_krb5_state->krb5_ccache,
+ &gensec_krb5_state->ticket);
+ if (ret) {
+ DEBUG(1,("krb5_mk_req failed (%s)\n",
+ error_message(ret)));
+ }
+
+ }
+ switch (ret) {
+ case 0:
+ return NT_STATUS_OK;
+ case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+ DEBUG(3, ("Server is not registered with our KDC: %s\n",
+ error_message(ret)));
+ return NT_STATUS_ACCESS_DENIED;
+ case KRB5KDC_ERR_PREAUTH_FAILED:
+ case KRB5KRB_AP_ERR_TKT_EXPIRED:
+ case KRB5_CC_END:
+ case KRB5_FCC_NOFILE:
+ case KRB5_CC_NOTFOUND:
+ {
+ char *password;
+ time_t kdc_time;
+ DEBUG(3, ("kerberos: %s\n",
+ error_message(ret)));
+ nt_status = gensec_get_password(gensec_security,
+ gensec_security->mem_ctx,
+ &password);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ ret = kerberos_kinit_password_cc(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_ccache,
+ gensec_get_client_principal(gensec_security, gensec_security->mem_ctx),
+ password, NULL, &kdc_time);
+
+ /* cope with ticket being in the future due to clock skew */
+ if ((unsigned)kdc_time > time(NULL)) {
+ time_t t = time(NULL);
+ int time_offset =(unsigned)kdc_time-t;
+ DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
+ krb5_set_real_time(gensec_krb5_state->krb5_context, t + time_offset + 1, 0);
+ }
+
+ if (ret) {
+ DEBUG(1,("kinit failed (%s)\n",
+ error_message(ret)));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ break;
+ }
+ default:
+ DEBUG(0, ("kerberos: %s\n",
+ error_message(ret)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ }
}
static void gensec_krb5_end(struct gensec_security *gensec_security)
{
struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
+ if (gensec_krb5_state->ticket.length) {
+ /* Hmm, heimdal dooesn't have this - what's the correct call? */
+#ifdef HAVE_KRB5_FREE_DATA_CONTENTS
+ krb5_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket);
+#endif
+ }
if (gensec_krb5_state->krb5_ccache) {
/* Removed by jra. They really need to fix their kerberos so we don't leak memory.
JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
@@ -182,33 +274,17 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
switch (gensec_krb5_state->state_position) {
case GENSEC_KRB5_CLIENT_START:
{
- krb5_data packet;
-
-#if 0 /* When we get some way to input the time offset */
- if (time_offset != 0) {
- krb5_set_real_time(context, time(NULL) + time_offset, 0);
- }
-#endif
-
- ret = ads_krb5_mk_req(gensec_krb5_state->krb5_context,
- &gensec_krb5_state->krb5_auth_context,
- AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
- gensec_security->target.principal,
- gensec_krb5_state->krb5_ccache, &packet);
if (ret) {
DEBUG(1,("ads_krb5_mk_req (request ticket) failed (%s)\n",
error_message(ret)));
nt_status = NT_STATUS_LOGON_FAILURE;
} else {
DATA_BLOB unwrapped_out;
- unwrapped_out = data_blob_talloc(out_mem_ctx, packet.data, packet.length);
+ unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->ticket.data, gensec_krb5_state->ticket.length);
/* wrap that up in a nice GSS-API wrapping */
*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
- /* Hmm, heimdal dooesn't have this - what's the correct call? */
-#ifdef HAVE_KRB5_FREE_DATA_CONTENTS
- krb5_free_data_contents(gensec_krb5_state->krb5_context, &packet);
-#endif
+
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
}