diff options
-rw-r--r-- | source3/include/ads.h | 3 | ||||
-rw-r--r-- | source3/include/includes.h | 2 | ||||
-rw-r--r-- | source3/libads/kerberos.c | 6 | ||||
-rw-r--r-- | source3/libads/ldap_utils.c | 4 | ||||
-rw-r--r-- | source3/libads/sasl.c | 8 | ||||
-rw-r--r-- | source3/libsmb/cliconnect.c | 2 | ||||
-rw-r--r-- | source3/libsmb/clikrb5.c | 20 | ||||
-rw-r--r-- | source3/libsmb/clispnego.c | 6 | ||||
-rw-r--r-- | source3/nsswitch/idmap_ad.c | 13 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_ads.c | 32 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 3 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 2 | ||||
-rw-r--r-- | source3/utils/ntlm_auth.c | 4 |
13 files changed, 72 insertions, 33 deletions
diff --git a/source3/include/ads.h b/source3/include/ads.h index d97ae1531f..29df0d2f35 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -42,7 +42,8 @@ typedef struct { char *kdc_server; unsigned flags; int time_offset; - time_t expire; + time_t tgt_expire; + time_t tgs_expire; time_t renewable; } auth; diff --git a/source3/include/includes.h b/source3/include/includes.h index 8aaaba9799..3864faddb9 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -1165,7 +1165,7 @@ BOOL smb_krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2); int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, const char *ccname); + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, const char *ccname, time_t *tgs_expire); PAC_LOGON_INFO *get_logon_info_from_pac(PAC_DATA *pac_data); krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *new_start_time); krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code); diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 92461bd9c1..8e8297b07e 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -110,6 +110,10 @@ int kerberos_kinit_password_ext(const char *principal, krb5_get_init_creds_opt_set_renew_life(opt, renewable_time); krb5_get_init_creds_opt_set_forwardable(opt, True); +#if 0 + /* insane testing */ + krb5_get_init_creds_opt_set_tkt_life(opt, 60); +#endif #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST if (request_pac) { @@ -216,7 +220,7 @@ int ads_kinit_password(ADS_STRUCT *ads) } ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset, - &ads->auth.expire, NULL, NULL, False, False, ads->auth.renewable); + &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable); if (ret) { DEBUG(0,("kerberos_kinit_password %s failed: %s\n", diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c index af9e9af2b8..1da51b3c5c 100644 --- a/source3/libads/ldap_utils.c +++ b/source3/libads/ldap_utils.c @@ -110,10 +110,10 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind } SAFE_FREE(bp); - if (!ADS_ERR_OK(status)) + if (!ADS_ERR_OK(status)) { DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(status))); - + } return status; } diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 7d1fd0d1a8..61fd54da1d 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -147,7 +147,8 @@ static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads, const char *princip DATA_BLOB session_key = data_blob(NULL, 0); int rc; - rc = spnego_gen_negTokenTarg(principal, ads->auth.time_offset, &blob, &session_key, 0); + rc = spnego_gen_negTokenTarg(principal, ads->auth.time_offset, &blob, &session_key, 0, + &ads->auth.tgs_expire); if (rc) { return ADS_ERROR_KRB5(rc); @@ -218,7 +219,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) #endif free(OIDs[i]); } - DEBUG(3,("ads_sasl_spnego_bind: got server principal name =%s\n", principal)); + DEBUG(3,("ads_sasl_spnego_bind: got server principal name = %s\n", principal)); #ifdef HAVE_KRB5 if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && @@ -229,6 +230,9 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) return status; } + DEBUG(10,("ads_sasl_spnego_krb5_bind failed with: %s, " + "calling kinit\n", ads_errstr(status))); + status = ADS_ERROR_KRB5(ads_kinit_password(ads)); if (ADS_ERR_OK(status)) { diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f29449cfb2..2742d70194 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -554,7 +554,7 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char * DEBUG(2,("Doing kerberos session setup\n")); /* generate the encapsulated kerberos5 ticket */ - rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5, 0); + rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5, 0, NULL); if (rc) { DEBUG(1, ("spnego_gen_negTokenTarg failed: %s\n", error_message(rc))); diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 305139e1f4..f06a19b345 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -551,7 +551,8 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, const krb5_flags ap_req_options, const char *principal, krb5_ccache ccache, - krb5_data *outbuf) + krb5_data *outbuf, + time_t *expire_time) { krb5_error_code retval; krb5_principal server; @@ -584,6 +585,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, } while (!creds_ready && (i < maxtries)) { + if ((retval = krb5_get_credentials(context, 0, ccache, &creds, &credsp))) { DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n", @@ -599,8 +601,9 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, krb5_set_real_time(context, t + time_offset + 1, 0); } - if (!ads_cleanup_expired_creds(context, ccache, credsp)) + if (!ads_cleanup_expired_creds(context, ccache, credsp)) { creds_ready = True; + } i++; } @@ -610,6 +613,10 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, http_timestring((unsigned)credsp->times.endtime), (unsigned)credsp->times.endtime)); + if (expire_time) { + *expire_time = (time_t)credsp->times.endtime; + } + in_data.length = 0; retval = krb5_mk_req_extended(context, auth_context, ap_req_options, &in_data, credsp, outbuf); @@ -634,7 +641,9 @@ cleanup_princ: */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, - uint32 extra_ap_opts, const char *ccname) + uint32 extra_ap_opts, const char *ccname, + time_t *tgs_expire) + { krb5_error_code retval; krb5_data packet; @@ -678,7 +687,8 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, &auth_context, AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts, principal, - ccdef, &packet))) { + ccdef, &packet, + tgs_expire))) { goto failed; } @@ -1409,7 +1419,7 @@ done: /* this saves a few linking headaches */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, - const char *ccname) + const char *ccname, time_t *tgs_expire) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return 1; diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index a01c009b6e..6aca217e25 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -343,7 +343,8 @@ BOOL spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket, uint8 tok_id[2]) */ int spnego_gen_negTokenTarg(const char *principal, int time_offset, DATA_BLOB *targ, - DATA_BLOB *session_key_krb5, uint32 extra_ap_opts) + DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, + time_t *expire_time) { int retval; DATA_BLOB tkt, tkt_wrapped; @@ -351,7 +352,8 @@ int spnego_gen_negTokenTarg(const char *principal, int time_offset, /* get a kerberos ticket for the service and extract the session key */ retval = cli_krb5_get_ticket(principal, time_offset, - &tkt, session_key_krb5, extra_ap_opts, NULL); + &tkt, session_key_krb5, extra_ap_opts, NULL, + expire_time); if (retval) return retval; diff --git a/source3/nsswitch/idmap_ad.c b/source3/nsswitch/idmap_ad.c index a0ed084765..fee53a0539 100644 --- a/source3/nsswitch/idmap_ad.c +++ b/source3/nsswitch/idmap_ad.c @@ -64,16 +64,23 @@ static ADS_STRUCT *ad_idmap_cached_connection_internal(void) struct in_addr dc_ip; if (ad_idmap_ads != NULL) { + + time_t expire; + time_t now = time(NULL); + ads = ad_idmap_ads; + expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire); + /* check for a valid structure */ + DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n", + (uint32)expire-(uint32)now, (uint32) expire, (uint32) now)); - DEBUG(7, ("Current tickets expire at %d, time is now %d\n", - (uint32) ads->auth.expire, (uint32) time(NULL))); - if ( ads->config.realm && (ads->auth.expire > time(NULL))) { + if ( ads->config.realm && (expire > time(NULL))) { return ads; } else { /* we own this ADS_STRUCT so make sure it goes away */ + DEBUG(7,("Deleting expired krb5 credential cache\n")); ads->is_mine = True; ads_destroy( &ads ); ads_kdestroy(WINBIND_CCACHE_NAME); diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c index f572dd08ff..9c8f23b1cf 100644 --- a/source3/nsswitch/winbindd_ads.c +++ b/source3/nsswitch/winbindd_ads.c @@ -44,17 +44,23 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) DEBUG(10,("ads_cached_connection\n")); if (domain->private_data) { - ads = (ADS_STRUCT *)domain->private_data; + + time_t expire; + time_t now = time(NULL); /* check for a valid structure */ + ads = (ADS_STRUCT *)domain->private_data; - DEBUG(7, ("Current tickets expire at %d, time is now %d\n", - (uint32) ads->auth.expire, (uint32) time(NULL))); - if ( ads->config.realm && (ads->auth.expire > time(NULL))) { + expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire); + + DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n", + (uint32)expire-(uint32)now, (uint32) expire, (uint32) now)); + + if ( ads->config.realm && (expire > now)) { return ads; - } - else { + } else { /* we own this ADS_STRUCT so make sure it goes away */ + DEBUG(7,("Deleting expired krb5 credential cache\n")); ads->is_mine = True; ads_destroy( &ads ); ads_kdestroy("MEMORY:winbind_ccache"); @@ -998,11 +1004,15 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) if (!ADS_ERR_OK(rc)) { - /* its a dead connection ; don't destroy it - through since ads_USN() has already done - that indirectly */ - - domain->private_data = NULL; + /* its a dead connection, destroy it */ + + if (domain->private_data) { + ads = (ADS_STRUCT *)domain->private_data; + ads->is_mine = True; + ads_destroy(&ads); + ads_kdestroy("MEMORY:winbind_ccache"); + domain->private_data = NULL; + } } return ads_ntstatus(rc); } diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index fcaad1fb1f..2a5ca40125 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -598,7 +598,8 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain, &tkt, &session_key_krb5, 0, - cc); + cc, + NULL); if (krb5_ret) { DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for %s: %s\n", local_service, error_message(krb5_ret))); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 467e652ca9..547f300f3a 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -927,7 +927,7 @@ static NTSTATUS create_krb5_auth_bind_req( struct rpc_pipe_client *cli, /* Create the ticket for the service principal and return it in a gss-api wrapped blob. */ ret = cli_krb5_get_ticket(a->service_principal, 0, &tkt, - &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL); + &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL, NULL); if (ret) { DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s " diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 28de39c4f4..1e7b361e86 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -1424,7 +1424,7 @@ static BOOL manage_client_krb5_init(SPNEGO_DATA spnego) spnego.negTokenInit.mechListMIC.length); principal[spnego.negTokenInit.mechListMIC.length] = '\0'; - retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL); + retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL); if (retval) { @@ -1446,7 +1446,7 @@ static BOOL manage_client_krb5_init(SPNEGO_DATA spnego) return False; } - retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL); + retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL); if (retval) { DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval))); |