author | Andrew Bartlett <abartlet@samba.org> | 2005-07-09 01:58:38 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:19:25 -0500 |
commit | c0a78453a77fb0aa42d676635778a75204b6869c (patch) | |
tree | b8e6aee36941ffafe9858dbfbcebd93ab33e0f56 /source4/torture | |
parent | 37cf22a39eec62a62d5ad30d9419ce4e159dff31 (diff) | |
r8250: More PAC work. We now successfully verify the KDC signature from my DC
(I have included the krbtgt key from my test network).
It turns out the krbtgt signature is over the 16 (or whatever,
enc-type dependent) bytes of the signature, not the entire structure.
Also do not even try to use Kerberos or GSSAPI on an IP address, it
will only fail.
Andrew Bartlett
(This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
Diffstat (limited to 'source4/torture')
-rw-r--r-- | source4/torture/auth/pac.c | 39 |
1 files changed, 35 insertions, 4 deletions
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index ecf67a9014..ade68fcd77 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -26,6 +26,7 @@
 #include "auth/auth.h"
 #include "auth/kerberos/kerberos.h"
 #include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "librpc/gen_ndr/ndr_samr.h"
 #ifdef HAVE_KRB5
@@ -105,15 +106,14 @@ static BOOL torture_pac_self_check(void)
 &server_keyblock,
 &tmp_blob);
- krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
- &krbtgt_keyblock);
-
 if (ret) {
 DEBUG(1, ("PAC encoding failed: %s\n",
 smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 ret, mem_ctx)));
 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 &server_keyblock);
 talloc_free(mem_ctx);
 return False;
@@ -125,7 +125,11 @@ static BOOL torture_pac_self_check(void)
 nt_status = kerberos_decode_pac(mem_ctx, &pac_info,
 tmp_blob,
 smb_krb5_context,
+ &krbtgt_keyblock,
 &server_keyblock);
+
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 &server_keyblock);
 if (ret) {
@@ -196,7 +200,9 @@ static BOOL torture_pac_saved_check(void)
 struct PAC_LOGON_INFO *pac_info;
 struct PAC_DATA pac_data;
 krb5_keyblock server_keyblock;
+ krb5_keyblock krbtgt_keyblock;
 uint8_t server_bytes[16];
+ struct samr_Password *krbtgt_bytes;
 krb5_error_code ret;
@@ -209,6 +215,13 @@ static BOOL torture_pac_saved_check(void)
 return False;
 }
+ krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, "B286757148AF7FD252C53603A150B7E7");
+ if (!krbtgt_bytes) {
+ DEBUG(0, ("Could not interpret krbtgt key"));
+ talloc_free(mem_ctx);
+ return False;
+ }
+
 /* The machine trust account in use when the above PAC was generated.  It used arcfour-hmac-md5, so this is easy */
 E_md4hash("iqvwmii8CuEkyY", server_bytes);
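Review bot: The hunk at @@ -125,7 +125,11 @@ still tests `if (ret) {` right after `nt_status = kerberos_decode_pac(...)`; `ret` there is the leftover result of the encode call, which the preceding hunk already returned on when non-zero, so a failed decode in torture_pac_self_check goes unreported. The `if (!NT_STATUS_IS_OK(nt_status)) {` that the @@ -236 hunk introduces for torture_pac_saved_check appears to be needed here too. In the @@ -209 hunk, `DEBUG(0, ("Could not interpret krbtgt key"));` lacks the trailing `\n` the other DEBUG messages carry, and the hex key it parses has no comment explaining it; a line such as `/* The krbtgt key of the test domain that issued saved_pac; used as an arcfour-hmac key below */` above it would match the note already on the machine account. Both functions begin and end outside these hunks.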
@@ -226,6 +239,21 @@ static BOOL torture_pac_saved_check(void)
 return False;
 }
+ ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
+ ENCTYPE_ARCFOUR_HMAC,
+ krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash),
+ &krbtgt_keyblock);
+ if (ret) {
+ DEBUG(1, ("Server Keyblock encoding failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx)));
+
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ talloc_free(mem_ctx);
+ return False;
+ }
+
 tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac));
 /*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/
@@ -236,10 +264,13 @@ static BOOL torture_pac_saved_check(void)
 nt_status = kerberos_decode_pac(mem_ctx, &pac_info,
 tmp_blob,
 smb_krb5_context,
+ &krbtgt_keyblock,
 &server_keyblock);
 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
 &server_keyblock);
- if (ret) {
+ if (!NT_STATUS_IS_OK(nt_status)) {
 DEBUG(1, ("PAC decoding failed: %s\n",
 nt_errstr(nt_status))); |
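Review bot: In the @@ -226 hunk the failure message `DEBUG(1, ("Server Keyblock encoding failed: %s\n",` sits on the krb5_keyblock_init call for the krbtgt key, so an error here is reported as a server-key problem; suggest `DEBUG(1, ("krbtgt Keyblock encoding failed: %s\n",`. The @@ -236 hunk's switch to `if (!NT_STATUS_IS_OK(nt_status))` is the right check for the decode result, and freeing both keyblocks before it keeps that error path leak-free; the @@ -226 error path freeing only server_keyblock (krbtgt_keyblock is not yet initialised there) also looks correct. torture_pac_saved_check ends past the last hunk line.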