authorAndrew Bartlett <abartlet@samba.org>2004-07-13 05:14:59 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:57:34 -0500
commited03516c915c4a4c8ae6f7decfa04d51049d9dd5 (patch)
tree41f535a24108d59c367849ae80885198e371bda3 /source4/libcli/auth/kerberos.c
parent39b12015846e06cbf89079e365e6c228ca3883c2 (diff)
r1475: More kerberos work
- We can now connect to hosts that follow the SPNEGO RFC, and *do not* give us their principal name in the mechListMIC. - The client code now remembers the hostname it connects to - We now kinit for a user, if there is no valid ticket already - Re-introduce clock skew compensation TODO: - See if the username in the ccache matches the username specified - Use a private ccache, rather than the global one, for a 'new' kinit - Determine 'default' usernames. - The default for Krb5 is the one in the ccache, then $USER - For NTLMSSP, it's just $USER Andrew Bartlett (This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
Diffstat (limited to 'source4/libcli/auth/kerberos.c')
-rw-r--r--source4/libcli/auth/kerberos.c64
1 files changed, 40 insertions, 24 deletions
diff --git a/source4/libcli/auth/kerberos.c b/source4/libcli/auth/kerberos.c
index 97b895a241..b08c7f505c 100644
--- a/source4/libcli/auth/kerberos.c
+++ b/source4/libcli/auth/kerberos.c
@@ -54,28 +54,13 @@ kerb_prompter(krb5_context ctx, void *data,
simulate a kinit, putting the tgt in the default cache location
remus@snapserver.com
*/
-int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time)
+ int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, const char *principal, const char *password, time_t *expire_time, time_t *kdc_time)
{
- krb5_context ctx = NULL;
krb5_error_code code = 0;
- krb5_ccache cc = NULL;
krb5_principal me;
krb5_creds my_creds;
- if ((code = krb5_init_context(&ctx)))
- return code;
-
- if (time_offset != 0) {
- krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
- }
-
- if ((code = krb5_cc_default(ctx, &cc))) {
- krb5_free_context(ctx);
- return code;
- }
-
if ((code = krb5_parse_name(ctx, principal, &me))) {
- krb5_free_context(ctx);
return code;
}
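Review bot: The new definition line `+ int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, ...)` carries a stray leading space before `int`, unlike every other definition in the hunk; drop it so the function starts at column 0. The comment block above it (`simulate a kinit, putting the tgt in the default cache location`) now heads this variant, which stores into the caller-supplied `cc` rather than the default cache and, as the removed `krb5_free_context` calls show, no longer owns `ctx`; I'd reword it to `/* simulate a kinit into the supplied ccache; ctx and cc stay owned by the caller */`. Whether a matching prototype was added to the header is not visible here. The function body continues past this hunk into the next one.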
@@ -83,32 +68,63 @@ int kerberos_kinit_password(const char *principal, const char *password, int tim
kerb_prompter,
NULL, 0, NULL, NULL))) {
krb5_free_principal(ctx, me);
- krb5_free_context(ctx);
return code;
}
if ((code = krb5_cc_initialize(ctx, cc, me))) {
krb5_free_cred_contents(ctx, &my_creds);
krb5_free_principal(ctx, me);
- krb5_free_context(ctx);
return code;
}
if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
- krb5_cc_close(ctx, cc);
krb5_free_cred_contents(ctx, &my_creds);
krb5_free_principal(ctx, me);
- krb5_free_context(ctx);
return code;
}
- if (expire_time)
+ if (expire_time) {
*expire_time = (time_t) my_creds.times.endtime;
+ }
+
+ if (kdc_time) {
+ *kdc_time = (time_t) my_creds.times.starttime;
+ }
- krb5_cc_close(ctx, cc);
krb5_free_cred_contents(ctx, &my_creds);
krb5_free_principal(ctx, me);
- krb5_free_context(ctx);
+
+ return 0;
+}
+
+
+/*
+ simulate a kinit, putting the tgt in the default cache location
+ remus@snapserver.com
+*/
+int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time, time_t *kdc_time)
+{
+ krb5_context ctx = NULL;
+ krb5_error_code code = 0;
+ krb5_ccache cc = NULL;
+
+ if ((code = krb5_init_context(&ctx)))
+ return code;
+
+ if (time_offset != 0) {
+ krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
+ }
+
+ if ((code = krb5_cc_default(ctx, &cc))) {
+ krb5_free_context(ctx);
+ return code;
+ }
+
+ if ((code = kerberos_kinit_password_cc(ctx, cc, principal, password, expire_time, kdc_time))) {
+ krb5_cc_close(ctx, cc);
+ krb5_free_context(ctx);
+ return code;
+ }
return 0;
}
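Review bot: The rewritten `kerberos_kinit_password` wrapper leaks `cc` and `ctx` on the success path: after the `kerberos_kinit_password_cc(...)` call only the error branch calls `krb5_cc_close(ctx, cc)` and `krb5_free_context(ctx)`, while the final `return 0;` drops both handles that the removed lines used to release. Insert `krb5_cc_close(ctx, cc);` and `krb5_free_context(ctx);` before that `return 0;` (or fold both into a single cleanup path taken on every return). The `kdc_time` output is filled from `my_creds.times.starttime`; a one-line comment such as `/* starttime is KDC-issued, used for clock skew compensation */` would make the skew-compensation intent stated in the commit message visible at the assignment. The enclosing `kerberos_kinit_password_cc` body begins in the previous hunk.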
@@ -129,7 +145,7 @@ int ads_kinit_password(ADS_STRUCT *ads)
return KRB5_LIBOS_CANTREADPWD;
}
- ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire);
+ ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire, NULL);
if (ret) {
DEBUG(0,("kerberos_kinit_password %s failed: %s\n",