r6094: Work on the Kerberos code recently merged from Samba 3.0. This fixes

up issues I introduced during the merge, that caused a segfault. I've still not got the keytab code to work for me (using Samba3 to generate the keytab) so this is still not fully tested, but it's better than it was. To add debugging, I now use the krb5_get_error_message() function from Heimdal when present, to return the custom error string, which contains far, far more information than the simple error code does. (This last point may well be worth merging back into 3.0) Andrew Bartlett (This used to be commit ed5755d9d1e48df7ae77a9410d30e10cb8b0cbd7)
author: Andrew Bartlett <abartlet@samba.org> 2005-03-28 06:40:18 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:11:18 -0500
commit: e6aeeb5269a4953e48dd023e03aeba0cf47f6698 (patch)
tree: 792c8c8f09690ce34c62f49b2d03737573fd3784 /source4/libcli/auth
parent: 8c270fcedb1629526f1f40fb42e0ee329c0f2178 (diff)
download: samba-e6aeeb5269a4953e48dd023e03aeba0cf47f6698.tar.gz
samba-e6aeeb5269a4953e48dd023e03aeba0cf47f6698.tar.bz2
samba-e6aeeb5269a4953e48dd023e03aeba0cf47f6698.zip
3 files changed, 53 insertions, 31 deletions
diff --git a/source4/libcli/auth/clikrb5.c b/source4/libcli/auth/clikrb5.c
index 5a196db7a5..b7bd710304 100644
--- a/source4/libcli/auth/clikrb5.c
+++ b/source4/libcli/auth/clikrb5.c
@@ -461,4 +461,18 @@ cleanup_princ:
 #endif
 }
 
+ char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx) 
+{
+	char *ret;
+	
+#if defined(HAVE_KRB5_GET_ERROR_STRING) && defined(HAVE_KRB5_FREE_ERROR_STRING) 	
+	char *context_error = krb5_get_error_string(context);
+	ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
+	krb5_free_error_string(context, context_error);
+#else 
+	ret = talloc_strdup(mem_ctx, error_message(code));
+#endif
+	return ret;
+}
+
 #endif
diff --git a/source4/libcli/auth/kerberos.h b/source4/libcli/auth/kerberos.h
index c9b2eae55c..4daf0ea07a 100644
--- a/source4/libcli/auth/kerberos.h
+++ b/source4/libcli/auth/kerberos.h
@@ -94,5 +94,6 @@ void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
 BOOL kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
 void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
 krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
+char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
 #endif /* HAVE_KRB5 */
 
diff --git a/source4/libcli/auth/kerberos_verify.c b/source4/libcli/auth/kerberos_verify.c
index fd4c3f6ba3..a1dfe1056e 100644
--- a/source4/libcli/auth/kerberos_verify.c
+++ b/source4/libcli/auth/kerberos_verify.c
@@ -80,7 +80,6 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
 						krb5_keyblock *keyblock)
 {
 	krb5_error_code ret = 0;
-	krb5_error_code our_ret = 0;
 	krb5_keytab keytab = NULL;
 	krb5_kt_cursor kt_cursor;
 	krb5_keytab_entry kt_entry;
@@ -89,6 +88,7 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
 	const char *my_name, *my_fqdn;
 	int i;
 	int number_matched_principals = 0;
+	const char *last_error_message;
 
 	/* Generate the list of principal names which we expect
 	 * clients might want to use for authenticating to the file
@@ -111,7 +111,8 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
 
 	ret = krb5_kt_default(context, &keytab);
 	if (ret) {
-		DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", error_message(ret)));
+		DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", 
+			  smb_get_krb5_error_message(context, ret, mem_ctx)));
 		goto out;
 	}
 
@@ -121,37 +122,43 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
 
 	ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
 	if (ret) {
-		DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret)));
+		last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+		DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", 
+			  last_error_message));
 		goto out;
 	}
   
 	ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
 	if (ret != KRB5_KT_END && ret != ENOENT ) {
+		ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; /* Pick an error... */
 		while (ret && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
-			ret = krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
-			if (ret) {
-				DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret)));
+			krb5_error_code upn_ret;
+			upn_ret = krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
+			if (upn_ret) {
+				last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+				DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", 
+					  last_error_message));
+				ret = upn_ret;
 				break;
 			}
-			ret = KRB5_BAD_ENCTYPE;
-			for (i = 0; i < sizeof(valid_princ_formats) / sizeof(valid_princ_formats[0]); i++) {
-				if (strequal(entry_princ_s, valid_princ_formats[i])) {
-					number_matched_principals++;
-					p_packet->length = ticket->length;
-					p_packet->data = (krb5_pointer)ticket->data;
-					*pp_tkt = NULL;
-					our_ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt);
-					if (our_ret !=  KRB5_BAD_ENCTYPE) {
-						ret = our_ret;
-					}
-					if (our_ret) {
-						DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n",
-							entry_princ_s, error_message(our_ret)));
-					} else {
-						DEBUG(3,("ads_keytab_verify_ticket: krb5_rd_req succeeded for principal %s\n",
-							entry_princ_s));
-						break;
-					}
+			for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
+				if (!strequal(entry_princ_s, valid_princ_formats[i])) {
+					continue;
+				}
+
+				number_matched_principals++;
+				p_packet->length = ticket->length;
+				p_packet->data = (krb5_pointer)ticket->data;
+				*pp_tkt = NULL;
+				ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt);
+				if (ret) {
+					last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+					DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n",
+						   entry_princ_s, last_error_message));
+				} else {
+					DEBUG(3,("ads_keytab_verify_ticket: krb5_rd_req succeeded for principal %s\n",
+						 entry_princ_s));
+					break;
 				}
 			}
 
@@ -177,7 +184,7 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
 			DEBUG(3, ("ads_keytab_verify_ticket: krb5_rd_req failed for all %d matched keytab principals\n",
 				number_matched_principals));
 		}
-		DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", error_message(ret)));
+		DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", last_error_message));
 	}
 
 	if (entry_princ_s) {
@@ -304,7 +311,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
 	
 		DEBUG((our_ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
 				("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
-				(unsigned int)enctypes[i], error_message(our_ret)));
+				 (unsigned int)enctypes[i], smb_get_krb5_error_message(context, our_ret, mem_ctx)));
 
 		if (our_ret !=  KRB5_BAD_ENCTYPE) {
 			ret = our_ret;
@@ -355,7 +362,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
 	ret = krb5_parse_name(context, host_princ_s, &host_princ);
 	if (ret) {
 		DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
-					host_princ_s, error_message(ret)));
+			 host_princ_s, error_message(ret)));
 		goto out;
 	}
 
@@ -400,14 +407,14 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
 
 	if (ret) {
 		DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", 
-			 error_message(ret)));
+			 smb_get_krb5_error_message(context, ret, mem_ctx)));
 		goto out;
 	}
 
 	ret = krb5_mk_rep(context, auth_context, &packet);
 	if (ret) {
 		DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
-			error_message(ret)));
+			 smb_get_krb5_error_message(context, ret, mem_ctx)));
 		goto out;
 	}
 
@@ -434,7 +441,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
 	if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt),
 				     &malloc_principal))) {
 		DEBUG(3,("ads_verify_ticket: krb5_unparse_name failed (%s)\n", 
-			 error_message(ret)));
+			 smb_get_krb5_error_message(context, ret, mem_ctx)));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
 	}
author	Andrew Bartlett <abartlet@samba.org>	2005-03-28 06:40:18 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:11:18 -0500
commit	e6aeeb5269a4953e48dd023e03aeba0cf47f6698 (patch)
tree	792c8c8f09690ce34c62f49b2d03737573fd3784 /source4/libcli/auth
parent	8c270fcedb1629526f1f40fb42e0ee329c0f2178 (diff)
download	samba-e6aeeb5269a4953e48dd023e03aeba0cf47f6698.tar.gz samba-e6aeeb5269a4953e48dd023e03aeba0cf47f6698.tar.bz2 samba-e6aeeb5269a4953e48dd023e03aeba0cf47f6698.zip