authorAndrew Bartlett <abartlet@samba.org>2004-07-11 10:47:41 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:56:56 -0500
commitbd38d43214ebe71715776f1c0c1b9edf6e1b28ef (patch)
tree37a226d61dcef6feb8b64f8d3e6a9d308c275582 /source4/libcli
parent0f3f9090faa0f35b5ead4a4ac6801a5caa43766c (diff)
r1443: More changes towards Kerberos in Samba4's GENSEC.
The lifetime of the Kerberos context is now tied to that of the GENSEC context. Andrew Bartlett (This used to be commit 64e99170c3b53a14d7f8d29cf78283f2bc22c1f7)
Diffstat (limited to 'source4/libcli')
-rw-r--r--source4/libcli/auth/clikrb5.c139
-rw-r--r--source4/libcli/auth/kerberos.h17
2 files changed, 24 insertions, 132 deletions
diff --git a/source4/libcli/auth/clikrb5.c b/source4/libcli/auth/clikrb5.c
index cf0c4b6424..17824ceefe 100644
--- a/source4/libcli/auth/clikrb5.c
+++ b/source4/libcli/auth/clikrb5.c
@@ -23,16 +23,6 @@
#ifdef HAVE_KRB5
-#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE
-#define KRB5_KEY_TYPE(k) ((k)->keytype)
-#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
-#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
-#else
-#define KRB5_KEY_TYPE(k) ((k)->enctype)
-#define KRB5_KEY_LENGTH(k) ((k)->length)
-#define KRB5_KEY_DATA(k) ((k)->contents)
-#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
-
#ifndef HAVE_KRB5_SET_REAL_TIME
/*
* This function is not in the Heimdal mainline.
@@ -160,7 +150,8 @@
}
#endif
- void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt)
+void get_auth_data_from_tkt(TALLOC_CTX *mem_ctx,
+ DATA_BLOB *auth_data, krb5_ticket *tkt)
{
#if defined(HAVE_KRB5_TKT_ENC_PART2)
if (tkt->enc_part2)
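Review bot: The new `mem_ctx` parameter on get_auth_data_from_tkt is undocumented, and nothing in this hunk shows what is allocated on it; the function body continues beyond the hunk. Since the old prototype is dropped from kerberos.h in the same commit, this definition is the only place a caller will learn the contract. A comment above the signature such as `/* Fills *auth_data from tkt; the blob's memory is owned by mem_ctx */` would state the ownership rule, assuming that is what the talloc context is for here — to be confirmed against the rest of the body.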
@@ -286,12 +277,12 @@ static BOOL ads_cleanup_expired_creds(krb5_context context,
/*
we can't use krb5_mk_req because w2k wants the service to be in a particular format
*/
-static krb5_error_code ads_krb5_mk_req(krb5_context context,
- krb5_auth_context *auth_context,
- const krb5_flags ap_req_options,
- const char *principal,
- krb5_ccache ccache,
- krb5_data *outbuf)
+ krb5_error_code ads_krb5_mk_req(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_flags ap_req_options,
+ const char *principal,
+ krb5_ccache ccache,
+ krb5_data *outbuf)
{
krb5_error_code retval;
krb5_principal server;
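Review bot: ads_krb5_mk_req is now exported beyond this file, but the comment above it only explains why krb5_mk_req is not used, not the function's contract; the body continues beyond the hunk. The caller that this commit deletes (cli_krb5_get_ticket) passed a NULL-initialised `auth_context` and released `*outbuf` with krb5_free_data_contents, which suggests the contract is "auth_context may be NULL on entry and is created by the call; caller frees outbuf", but that is inferred from the removed code rather than visible here. I would record it, e.g. `/* On success *outbuf holds the AP-REQ and must be freed by the caller; *auth_context is created if NULL */`, so external callers from GENSEC do not leak the packet or the auth context.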
@@ -374,111 +365,6 @@ cleanup_princ:
return retval;
}
-/*
- get a kerberos5 ticket for the given service
-*/
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
- DATA_BLOB *ticket, DATA_BLOB *session_key_krb5)
-{
- krb5_error_code retval;
- krb5_data packet;
- krb5_context context = NULL;
- krb5_ccache ccdef = NULL;
- krb5_auth_context auth_context = NULL;
- krb5_enctype enc_types[] = {
-#ifdef ENCTYPE_ARCFOUR_HMAC
- ENCTYPE_ARCFOUR_HMAC,
-#endif
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_DES_CBC_CRC,
- ENCTYPE_NULL};
-
- retval = krb5_init_context(&context);
- if (retval) {
- DEBUG(1,("krb5_init_context failed (%s)\n",
- error_message(retval)));
- goto failed;
- }
-
- if (time_offset != 0) {
- krb5_set_real_time(context, time(NULL) + time_offset, 0);
- }
-
- if ((retval = krb5_cc_default(context, &ccdef))) {
- DEBUG(1,("krb5_cc_default failed (%s)\n",
- error_message(retval)));
- goto failed;
- }
-
- if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
- DEBUG(1,("krb5_set_default_tgs_ktypes failed (%s)\n",
- error_message(retval)));
- goto failed;
- }
-
- if ((retval = ads_krb5_mk_req(context,
- &auth_context,
- AP_OPTS_USE_SUBKEY,
- principal,
- ccdef, &packet))) {
- goto failed;
- }
-
- get_krb5_smb_session_key(context, auth_context, session_key_krb5, False);
-
- *ticket = data_blob(packet.data, packet.length);
-
-/* Hmm, heimdal dooesn't have this - what's the correct call? */
-#ifdef HAVE_KRB5_FREE_DATA_CONTENTS
- krb5_free_data_contents(context, &packet);
-#endif
-
-failed:
-
- if ( context ) {
-/* Removed by jra. They really need to fix their kerberos so we don't leak memory.
- JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
- SuSE 9.1 Pro
-*/
- if (ccdef)
-#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */
- krb5_cc_close(context, ccdef);
-#endif
- if (auth_context)
- krb5_auth_con_free(context, auth_context);
- krb5_free_context(context);
- }
-
- return retval;
-}
-
- BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote)
- {
- krb5_keyblock *skey;
- krb5_error_code err;
- BOOL ret = False;
-
- memset(session_key, 0, 16);
-
- if (remote)
- err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
- else
- err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
- if (err == 0 && skey != NULL) {
- DEBUG(10, ("Got KRB5 session key of length %d\n", KRB5_KEY_LENGTH(skey)));
- *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
- dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
-
- ret = True;
-
- krb5_free_keyblock(context, skey);
- } else {
- DEBUG(10, ("KRB5 error getting session key %d\n", err));
- }
-
- return ret;
- }
-
#if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i )
@@ -502,13 +388,4 @@ failed:
#endif
}
-#else /* HAVE_KRB5 */
- /* this saves a few linking headaches */
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
- DATA_BLOB *ticket, DATA_BLOB *session_key_krb5)
-{
- DEBUG(0,("NO KERBEROS SUPPORT\n"));
- return 1;
-}
-
#endif
diff --git a/source4/libcli/auth/kerberos.h b/source4/libcli/auth/kerberos.h
index 6f63f6eef2..193a1a9438 100644
--- a/source4/libcli/auth/kerberos.h
+++ b/source4/libcli/auth/kerberos.h
@@ -21,6 +21,16 @@
#if defined(HAVE_KRB5)
+#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE
+#define KRB5_KEY_TYPE(k) ((k)->keytype)
+#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
+#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
+#else
+#define KRB5_KEY_TYPE(k) ((k)->enctype)
+#define KRB5_KEY_LENGTH(k) ((k)->length)
+#define KRB5_KEY_DATA(k) ((k)->contents)
+#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
+
#ifndef HAVE_KRB5_SET_REAL_TIME
krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
#endif
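Review bot: The KRB5_KEY_TYPE/LENGTH/DATA macros are moved into a public header without any comment explaining what the two branches select between. A one-line comment before the `#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE` such as `/* Accessors that hide the two krb5_keyblock layouts: keytype/keyvalue versus enctype/length/contents */` would tell a reader why both spellings exist. The macro arguments and expansions are already fully parenthesised, so no change to the macros themselves is needed.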
@@ -40,11 +50,16 @@ void krb5_free_unparsed_name(krb5_context ctx, char *val);
/* Samba wrapper function for krb5 functionality. */
void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr);
int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype);
-void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt);
krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
void free_kerberos_etypes(krb5_context context, krb5_enctype *enctypes);
BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote);
+krb5_error_code ads_krb5_mk_req(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_flags ap_req_options,
+ const char *principal,
+ krb5_ccache ccache,
+ krb5_data *outbuf);
#endif /* HAVE_KRB5 */
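Review bot: The context line declaring `get_krb5_smb_session_key` is left in kerberos.h, yet this commit deletes its definition from clikrb5.c; the diffstat is limited to source4/libcli, so the function may have been relocated elsewhere in the tree, but if it was not, the header now exports a prototype with no implementation and any caller will fail at link time. Likewise the prototype for `get_auth_data_from_tkt` is removed without a replacement for the new mem_ctx signature, presumably relying on generated prototypes. If get_krb5_smb_session_key was moved, a comment next to the declaration naming its new home, or moving the prototype with it, would keep the header honest.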