authorAndrew Bartlett <abartlet@samba.org>2005-03-28 06:40:18 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:11:18 -0500
commite6aeeb5269a4953e48dd023e03aeba0cf47f6698 (patch)
tree792c8c8f09690ce34c62f49b2d03737573fd3784 /source4/libcli/auth
parent8c270fcedb1629526f1f40fb42e0ee329c0f2178 (diff)
r6094: Work on the Kerberos code recently merged from Samba 3.0. This fixes
up issues I introduced during the merge, that caused a segfault. I've still not got the keytab code to work for me (using Samba3 to generate the keytab) so this is still not fully tested, but it's better than it was. To add debugging, I now use the krb5_get_error_message() function from Heimdal when present, to return the custom error string, which contains far, far more information than the simple error code does. (This last point may well be worth merging back into 3.0) Andrew Bartlett (This used to be commit ed5755d9d1e48df7ae77a9410d30e10cb8b0cbd7)
Diffstat (limited to 'source4/libcli/auth')
-rw-r--r--source4/libcli/auth/clikrb5.c14
-rw-r--r--source4/libcli/auth/kerberos.h1
-rw-r--r--source4/libcli/auth/kerberos_verify.c69
3 files changed, 53 insertions, 31 deletions
diff --git a/source4/libcli/auth/clikrb5.c b/source4/libcli/auth/clikrb5.c
index 5a196db7a5..b7bd710304 100644
--- a/source4/libcli/auth/clikrb5.c
+++ b/source4/libcli/auth/clikrb5.c
@@ -461,4 +461,18 @@ cleanup_princ:
#endif
}
+ char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx)
+{
+ char *ret;
+
+#if defined(HAVE_KRB5_GET_ERROR_STRING) && defined(HAVE_KRB5_FREE_ERROR_STRING)
+ char *context_error = krb5_get_error_string(context);
+ ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
+ krb5_free_error_string(context, context_error);
+#else
+ ret = talloc_strdup(mem_ctx, error_message(code));
+#endif
+ return ret;
+}
+
#endif
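Review bot: Heimdal's `krb5_get_error_string()` returns NULL when no error string has been set on the context, and the new `smb_get_krb5_error_message` passes that result straight into `talloc_asprintf(mem_ctx, "%s: %s", ...)`, so the common "no extra detail" case formats a NULL pointer with `%s`. Guard it and fall back to the bare com_err text: `ret = context_error ? talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error) : talloc_strdup(mem_ctx, error_message(code));` followed by `if (context_error) krb5_free_error_string(context, context_error);`. The talloc result is also returned unchecked, and every caller in this commit hands it to a DEBUG `%s` without testing for NULL, so an allocation failure turns a logging call into another NULL format argument; worth either checking at the call sites or documenting the NULL return on the prototype.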
diff --git a/source4/libcli/auth/kerberos.h b/source4/libcli/auth/kerberos.h
index c9b2eae55c..4daf0ea07a 100644
--- a/source4/libcli/auth/kerberos.h
+++ b/source4/libcli/auth/kerberos.h
@@ -94,5 +94,6 @@ void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
BOOL kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
+char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
#endif /* HAVE_KRB5 */
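Review bot: The new `smb_get_krb5_error_message` prototype carries no comment on who owns the returned string, even though it is allocated afresh on `mem_ctx` on every call, including from inside the per-principal and per-enctype loops in kerberos_verify.c. A short doc comment above the declaration would settle that for callers: `/* Format a Kerberos error code together with any per-context error string from the library. The result is talloc-allocated on mem_ctx (the caller's context owns it) and is NULL on allocation failure. */`.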
diff --git a/source4/libcli/auth/kerberos_verify.c b/source4/libcli/auth/kerberos_verify.c
index fd4c3f6ba3..a1dfe1056e 100644
--- a/source4/libcli/auth/kerberos_verify.c
+++ b/source4/libcli/auth/kerberos_verify.c
@@ -80,7 +80,6 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
krb5_keyblock *keyblock)
{
krb5_error_code ret = 0;
- krb5_error_code our_ret = 0;
krb5_keytab keytab = NULL;
krb5_kt_cursor kt_cursor;
krb5_keytab_entry kt_entry;
@@ -89,6 +88,7 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
const char *my_name, *my_fqdn;
int i;
int number_matched_principals = 0;
+ const char *last_error_message;
/* Generate the list of principal names which we expect
* clients might want to use for authenticating to the file
@@ -111,7 +111,8 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
ret = krb5_kt_default(context, &keytab);
if (ret) {
- DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", error_message(ret)));
+ DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n",
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
goto out;
}
@@ -121,37 +122,43 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
if (ret) {
- DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret)));
+ last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+ DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n",
+ last_error_message));
goto out;
}
ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
if (ret != KRB5_KT_END && ret != ENOENT ) {
+ ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; /* Pick an error... */
while (ret && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
- ret = krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
- if (ret) {
- DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret)));
+ krb5_error_code upn_ret;
+ upn_ret = krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
+ if (upn_ret) {
+ last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+ DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n",
+ last_error_message));
+ ret = upn_ret;
break;
}
- ret = KRB5_BAD_ENCTYPE;
- for (i = 0; i < sizeof(valid_princ_formats) / sizeof(valid_princ_formats[0]); i++) {
- if (strequal(entry_princ_s, valid_princ_formats[i])) {
- number_matched_principals++;
- p_packet->length = ticket->length;
- p_packet->data = (krb5_pointer)ticket->data;
- *pp_tkt = NULL;
- our_ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt);
- if (our_ret != KRB5_BAD_ENCTYPE) {
- ret = our_ret;
- }
- if (our_ret) {
- DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n",
- entry_princ_s, error_message(our_ret)));
- } else {
- DEBUG(3,("ads_keytab_verify_ticket: krb5_rd_req succeeded for principal %s\n",
- entry_princ_s));
- break;
- }
+ for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
+ if (!strequal(entry_princ_s, valid_princ_formats[i])) {
+ continue;
+ }
+
+ number_matched_principals++;
+ p_packet->length = ticket->length;
+ p_packet->data = (krb5_pointer)ticket->data;
+ *pp_tkt = NULL;
+ ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt);
+ if (ret) {
+ last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+ DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n",
+ entry_princ_s, last_error_message));
+ } else {
+ DEBUG(3,("ads_keytab_verify_ticket: krb5_rd_req succeeded for principal %s\n",
+ entry_princ_s));
+ break;
}
}
@@ -177,7 +184,7 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
DEBUG(3, ("ads_keytab_verify_ticket: krb5_rd_req failed for all %d matched keytab principals\n",
number_matched_principals));
}
- DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", error_message(ret)));
+ DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", last_error_message));
}
if (entry_princ_s) {
@@ -304,7 +311,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
DEBUG((our_ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
- (unsigned int)enctypes[i], error_message(our_ret)));
+ (unsigned int)enctypes[i], smb_get_krb5_error_message(context, our_ret, mem_ctx)));
if (our_ret != KRB5_BAD_ENCTYPE) {
ret = our_ret;
@@ -355,7 +362,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
ret = krb5_parse_name(context, host_princ_s, &host_princ);
if (ret) {
DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
- host_princ_s, error_message(ret)));
+ host_princ_s, error_message(ret)));
goto out;
}
@@ -400,14 +407,14 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
if (ret) {
DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
- error_message(ret)));
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
goto out;
}
ret = krb5_mk_rep(context, auth_context, &packet);
if (ret) {
DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
- error_message(ret)));
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
goto out;
}
@@ -434,7 +441,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt),
&malloc_principal))) {
DEBUG(3,("ads_verify_ticket: krb5_unparse_name failed (%s)\n",
- error_message(ret)));
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
sret = NT_STATUS_LOGON_FAILURE;
goto out;
}
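Review bot: In the krb5_unparse_name failure branch of ads_keytab_verify_ticket, `last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);` formats `ret`, which at that point still holds the placeholder KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN assigned just above the loop, so the logged text never describes the unparse failure; it should read `last_error_message = smb_get_krb5_error_message(context, upn_ret, mem_ctx);`. `last_error_message` is also declared without an initializer and only assigned on the error paths inside the loop, so when no keytab entry matches a valid principal format (ret keeps the placeholder) or the keytab sequence is empty, the later `DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", last_error_message));` appears to read an indeterminate pointer; declaring `const char *last_error_message = NULL;` and printing `last_error_message ? last_error_message : error_message(ret)` closes that hole. The krb5_parse_name failure message in the ads_secrets_verify_ticket hunk is re-indented but still calls `error_message(ret)`, unlike the neighbouring sites this commit converts. ads_keytab_verify_ticket begins before its first hunk and the block that logs the last error continues outside the shown lines, so the exact condition guarding that DEBUG is inferred from context.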