author | Andrew Bartlett <abartlet@samba.org> | 2004-09-11 23:09:26 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:58:39 -0500 |
commit | c0bea2aeb36d4a6b7ed8240d3ed479b2c5c34a16 (patch) | |
tree | 5f55d18648ea95db2430aa8e3982997f151a61dd /source4/libcli/auth/kerberos_verify.c | |
parent | a06b88863d165d20123ee19f9313249b870ed2be (diff) | |
r2286: Fixes towards krb5 logins into Samba's CIFS server.
These fixes aim particularly at allowing PAC-less logins, as I don't
yet generate a PAC in the lorikeet-heimdal KDC.
This is for the benefit of a Kerberos-enabled domain join, which seems
to be progressing quite well!
Andrew Bartlett
(This used to be commit f5a381094dd5bcbd795a134bc4b8b89901b5e3eb)
Diffstat (limited to 'source4/libcli/auth/kerberos_verify.c')
-rw-r--r-- | source4/libcli/auth/kerberos_verify.c | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/source4/libcli/auth/kerberos_verify.c b/source4/libcli/auth/kerberos_verify.c index 88bf391cfa..843189c884 100644 --- a/source4/libcli/auth/kerberos_verify.c +++ b/source4/libcli/auth/kerberos_verify.c @@ -32,6 +32,9 @@ static DATA_BLOB unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data) DATA_BLOB pac_contents = data_blob(NULL, 0); ASN1_DATA data; int data_type; + if (!auth_data->length) { + return data_blob(NULL, 0); + } asn1_load(&data, *auth_data); asn1_start_tag(&data, ASN1_SEQUENCE(0)); @@ -95,7 +98,7 @@ static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context aut goto out; } /* Look for a CIFS ticket */ - if (!StrnCaseCmp(princ_name, "cifs/", 5)) { + if (!StrnCaseCmp(princ_name, "cifs/", 5) || (!StrnCaseCmp(princ_name, "host/", 5))) { #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK krb5_auth_con_setuseruserkey(context, auth_context, &kt_entry.keyblock); #else @@ -254,6 +257,8 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au char *myname; BOOL auth_ok = False; + char *malloc_principal; + ZERO_STRUCT(packet); ZERO_STRUCTP(auth_data); ZERO_STRUCTP(ap_rep); @@ -329,7 +334,7 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au file_save("/tmp/ticket.dat", ticket->data, ticket->length); #endif - get_auth_data_from_tkt(mem_ctx, auth_data, tkt); + *auth_data = get_auth_data_from_tkt(mem_ctx, tkt); *auth_data = unwrap_pac(mem_ctx, auth_data); 
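Review bot: The early return added at the top of unwrap_pac() has no comment saying what a zero-length result means to callers. On a PAC-less ticket that is the security-relevant part: there is no KDC-signed authorization data, so any group or privilege information for the session has to come from another source. I would add `/* No authorization data in the ticket (PAC-less login): return an empty blob, callers must treat this as "no PAC" */` above the check, and since `pac_contents` is already initialised to the same empty blob, `return pac_contents;` states the intent more directly. The rest of the function is outside the hunk, so it cannot be confirmed here whether a malformed PAC also comes back as an empty blob and is therefore indistinguishable from an absent one.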
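Review bot: The comment `/* Look for a CIFS ticket */` in ads_keytab_verify_ticket() is now stale, because the condition below it also accepts keytab entries whose principal starts with `host/`. The comparison is a five-character prefix match, so every `host/` entry in the keytab becomes a candidate key for a CIFS session ticket. That widening looks intentional, but the comment should say why, for example `/* Look for a cifs/ or host/ key: a client may present a ticket for either service principal */` if that is the reason. The extra parentheses around only the second `!StrnCaseCmp(...)` are also inconsistent with the first operand. The enclosing block starts and ends outside the hunk.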
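Review bot: On the changed line in ads_secrets_verify_ticket(), `*auth_data` is first given the raw authorization data and then immediately overwritten with the unwrapped PAC. A local such as `DATA_BLOB raw_auth = get_auth_data_from_tkt(mem_ctx, tkt);` followed by `*auth_data = unwrap_pac(mem_ctx, &raw_auth);` would keep the output parameter from ever holding the undecoded form. Separately, the context line `file_save("/tmp/ticket.dat", ticket->data, ticket->length);` writes the raw service ticket to a fixed name in a shared directory. The guard that opens that conditional block is outside the hunk, so it may be debug-only, but it is worth confirming it cannot be enabled in a production build. The function continues outside the hunk.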
@@ -342,13 +347,21 @@ static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context au #endif if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt), - principal))) { + &malloc_principal))) { DEBUG(3,("ads_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret))); sret = NT_STATUS_LOGON_FAILURE; goto out; } + *principal = talloc_strdup(mem_ctx, malloc_principal); + SAFE_FREE(malloc_principal); + if (!principal) { + DEBUG(3,("ads_verify_ticket: talloc_strdup() failed\n")); + sret = NT_STATUS_NO_MEMORY; + goto out; + } + sret = NT_STATUS_OK; out: |
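Review bot: The allocation check after `talloc_strdup()` tests the wrong thing: `if (!principal)` looks at the caller's `char **` out-pointer, which was already dereferenced on the line above, so a failed copy is never detected. It should be `if (!*principal) {`. As written, an out-of-memory condition falls through to `sret = NT_STATUS_OK` with `*principal` set to NULL, so the caller would see a successful ticket verification with no principal name. It would also be safer to initialise `malloc_principal` to NULL where it is declared (the hunk at -254), in case a later change moves the free into the `out:` path. The function body and the `out:` cleanup continue outside the hunk.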