diff options
-rw-r--r-- | source3/include/includes.h | 9 | ||||
-rw-r--r-- | source3/libads/kerberos_keytab.c | 16 | ||||
-rw-r--r-- | source3/libads/kerberos_verify.c | 2 | ||||
-rw-r--r-- | source3/libsmb/clikrb5.c | 56 |
4 files changed, 57 insertions, 26 deletions
diff --git a/source3/include/includes.h b/source3/include/includes.h index 7513dfb6e0..61ca937138 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -1143,7 +1143,7 @@ void krb5_free_unparsed_name(krb5_context ctx, char *val); /* Samba wrapper function for krb5 functionality. */ bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr); -int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype); +int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt); bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt); krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt); krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); @@ -1221,6 +1221,13 @@ krb5_error_code smb_krb5_open_keytab(krb5_context context, const char *keytab_name, bool write_access, krb5_keytab *keytab); +int smb_krb5_kt_add_entry(krb5_context context, + krb5_keytab keytab, + krb5_kvno kvno, + const char *princ_s, + krb5_enctype *enctypes, + krb5_data password, + bool no_salt); #endif /* HAVE_KRB5 */ diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c index 8e6983897f..c8ffd734fc 100644 --- a/source3/libads/kerberos_keytab.c +++ b/source3/libads/kerberos_keytab.c @@ -32,9 +32,13 @@ /********************************************************************** **********************************************************************/ -static int smb_krb5_kt_add_entry( krb5_context context, krb5_keytab keytab, - krb5_kvno kvno, const char *princ_s, - krb5_enctype *enctypes, krb5_data password ) +int smb_krb5_kt_add_entry(krb5_context context, + krb5_keytab keytab, + krb5_kvno kvno, + const char *princ_s, + krb5_enctype *enctypes, + krb5_data password, + bool no_salt) { krb5_error_code ret = 0; krb5_kt_cursor cursor; @@ -166,7 +170,7 @@ static int smb_krb5_kt_add_entry( krb5_context context, krb5_keytab keytab, #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */ keyp = &kt_entry.keyblock; #endif - if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i])) { + if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i], no_salt)) { continue; } @@ -321,7 +325,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) /* add the fqdn principal to the keytab */ - ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password ); + ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password, false ); if ( ret ) { DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n")); goto out; @@ -330,7 +334,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) /* add the short principal name if we have one */ if ( short_princ_s ) { - ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password ); + ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password, false ); if ( ret ) { DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n")); goto out; diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index a4d7a8e680..c667181642 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -259,7 +259,7 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context, goto out; } - if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) { + if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i], false)) { SAFE_FREE(key); continue; } diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 4c535d2bcf..52c729625c 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -214,20 +214,31 @@ static int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, - krb5_enctype enctype) + krb5_enctype enctype, + bool no_salt) { int ret; krb5_data salt; krb5_encrypt_block eblock; - ret = krb5_principal2salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); - return ret; + if (no_salt) { + key->contents = (krb5_octet *)SMB_MALLOC(password->length); + if (!key->contents) { + return ENOMEM; + } + memcpy(key->contents, password->data, password->length); + key->length = password->length; + key->enctype = enctype; + } else { + ret = krb5_principal2salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); + return ret; + } + krb5_use_enctype(context, &eblock, enctype); + ret = krb5_string_to_key(context, &eblock, key, password, &salt); + SAFE_FREE(salt.data); } - krb5_use_enctype(context, &eblock, enctype); - ret = krb5_string_to_key(context, &eblock, key, password, &salt); - SAFE_FREE(salt.data); return ret; } #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) @@ -235,19 +246,27 @@ static int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, - krb5_enctype enctype) + krb5_enctype enctype, + bool no_salt) { int ret; krb5_salt salt; - ret = krb5_get_pw_salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); - return ret; + if (no_salt) { + return krb5_keyblock_init(context, enctype, + password->data, password->length, + key); + } else { + ret = krb5_get_pw_salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); + return ret; + } + + ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key); + krb5_free_salt(context, salt); } - - ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key); - krb5_free_salt(context, salt); + return ret; } #else @@ -258,7 +277,8 @@ static int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, - krb5_enctype enctype) + krb5_enctype enctype, + bool no_salt) { krb5_principal salt_princ = NULL; int ret; @@ -268,7 +288,7 @@ static int create_kerberos_key_from_string_direct(krb5_context context, * its behavior. */ salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype); - ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype); + ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype, no_salt); if (salt_princ) { krb5_free_principal(context, salt_princ); } |