diff options
author | Andrew Bartlett <abartlet@samba.org> | 2004-07-13 05:14:59 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:57:34 -0500 |
commit | ed03516c915c4a4c8ae6f7decfa04d51049d9dd5 (patch) | |
tree | 41f535a24108d59c367849ae80885198e371bda3 /source4/libcli/auth/kerberos.c | |
parent | 39b12015846e06cbf89079e365e6c228ca3883c2 (diff) | |
download | samba-ed03516c915c4a4c8ae6f7decfa04d51049d9dd5.tar.gz samba-ed03516c915c4a4c8ae6f7decfa04d51049d9dd5.tar.bz2 samba-ed03516c915c4a4c8ae6f7decfa04d51049d9dd5.zip |
r1475: More kerberos work
- We can now connect to hosts that follow the SPNEGO RFC, and *do not*
give us their principal name in the mechListMIC.
- The client code now remembers the hostname it connects to
- We now kinit for a user, if there is not valid ticket already
- Re-introduce clock skew compensation
TODO:
- See if the username in the ccache matches the username specified
- Use a private ccache, rather then the global one, for a 'new' kinit
- Determine 'default' usernames.
- The default for Krb5 is the one in the ccache, then $USER
- For NTLMSSP, it's just $USER
Andrew Bartlett
(This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
Diffstat (limited to 'source4/libcli/auth/kerberos.c')
-rw-r--r-- | source4/libcli/auth/kerberos.c | 64 |
1 files changed, 40 insertions, 24 deletions
diff --git a/source4/libcli/auth/kerberos.c b/source4/libcli/auth/kerberos.c index 97b895a241..b08c7f505c 100644 --- a/source4/libcli/auth/kerberos.c +++ b/source4/libcli/auth/kerberos.c @@ -54,28 +54,13 @@ kerb_prompter(krb5_context ctx, void *data, simulate a kinit, putting the tgt in the default cache location remus@snapserver.com */ -int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time) + int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, const char *principal, const char *password, time_t *expire_time, time_t *kdc_time) { - krb5_context ctx = NULL; krb5_error_code code = 0; - krb5_ccache cc = NULL; krb5_principal me; krb5_creds my_creds; - if ((code = krb5_init_context(&ctx))) - return code; - - if (time_offset != 0) { - krb5_set_real_time(ctx, time(NULL) + time_offset, 0); - } - - if ((code = krb5_cc_default(ctx, &cc))) { - krb5_free_context(ctx); - return code; - } - if ((code = krb5_parse_name(ctx, principal, &me))) { - krb5_free_context(ctx); return code; } @@ -83,32 +68,63 @@ int kerberos_kinit_password(const char *principal, const char *password, int tim kerb_prompter, NULL, 0, NULL, NULL))) { krb5_free_principal(ctx, me); - krb5_free_context(ctx); return code; } if ((code = krb5_cc_initialize(ctx, cc, me))) { krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); - krb5_free_context(ctx); return code; } if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { - krb5_cc_close(ctx, cc); krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); - krb5_free_context(ctx); return code; } - if (expire_time) + if (expire_time) { *expire_time = (time_t) my_creds.times.endtime; + } + + if (kdc_time) { + *kdc_time = (time_t) my_creds.times.starttime; + } - krb5_cc_close(ctx, cc); krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); - krb5_free_context(ctx); + + return 0; +} + + +/* + simulate a kinit, putting the tgt in the default cache location + remus@snapserver.com +*/ +int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time, time_t *kdc_time) +{ + krb5_context ctx = NULL; + krb5_error_code code = 0; + krb5_ccache cc = NULL; + + if ((code = krb5_init_context(&ctx))) + return code; + + if (time_offset != 0) { + krb5_set_real_time(ctx, time(NULL) + time_offset, 0); + } + + if ((code = krb5_cc_default(ctx, &cc))) { + krb5_free_context(ctx); + return code; + } + + if ((code = kerberos_kinit_password_cc(ctx, cc, principal, password, expire_time, kdc_time))) { + krb5_cc_close(ctx, cc); + krb5_free_context(ctx); + return code; + } return 0; } @@ -129,7 +145,7 @@ int ads_kinit_password(ADS_STRUCT *ads) return KRB5_LIBOS_CANTREADPWD; } - ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire); + ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire, NULL); if (ret) { DEBUG(0,("kerberos_kinit_password %s failed: %s\n", |