diff options
| -rwxr-xr-x | source3/configure | 442 | ||||
| -rw-r--r-- | source3/configure.in | 8 | ||||
| -rw-r--r-- | source3/include/config.h.in | 21 | ||||
| -rw-r--r-- | source3/include/includes.h | 12 | ||||
| -rw-r--r-- | source3/libads/kerberos_verify.c | 17 | ||||
| -rw-r--r-- | source3/libsmb/clikrb5.c | 48 |
6 files changed, 533 insertions, 15 deletions
diff --git a/source3/configure b/source3/configure index 7ec6b6ec22..078fa25beb 100755 --- a/source3/configure +++ b/source3/configure @@ -21193,6 +21193,448 @@ _ACEOF fi + echo "$as_me:$LINENO: checking for krb5_principal2salt in -lkrb5" >&5 +echo $ECHO_N "checking for krb5_principal2salt in -lkrb5... $ECHO_C" >&6 +if test "${ac_cv_lib_krb5_krb5_principal2salt+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lkrb5 $LIBS" +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char krb5_principal2salt (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +krb5_principal2salt (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_krb5_krb5_principal2salt=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_lib_krb5_krb5_principal2salt=no +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_principal2salt" >&5 +echo "${ECHO_T}$ac_cv_lib_krb5_krb5_principal2salt" >&6 +if test $ac_cv_lib_krb5_krb5_principal2salt = yes; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_KRB5_PRINCIPAL2SALT 1 +_ACEOF + +fi + + echo "$as_me:$LINENO: checking for krb5_use_enctype in -lkrb5" >&5 +echo $ECHO_N "checking for krb5_use_enctype in -lkrb5... $ECHO_C" >&6 +if test "${ac_cv_lib_krb5_krb5_use_enctype+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lkrb5 $LIBS" +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char krb5_use_enctype (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +krb5_use_enctype (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_krb5_krb5_use_enctype=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_lib_krb5_krb5_use_enctype=no +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_use_enctype" >&5 +echo "${ECHO_T}$ac_cv_lib_krb5_krb5_use_enctype" >&6 +if test $ac_cv_lib_krb5_krb5_use_enctype = yes; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_KRB5_USE_ENCTYPE 1 +_ACEOF + +fi + + echo "$as_me:$LINENO: checking for krb5_string_to_key in -lkrb5" >&5 +echo $ECHO_N "checking for krb5_string_to_key in -lkrb5... $ECHO_C" >&6 +if test "${ac_cv_lib_krb5_krb5_string_to_key+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lkrb5 $LIBS" +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char krb5_string_to_key (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +krb5_string_to_key (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_krb5_krb5_string_to_key=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_lib_krb5_krb5_string_to_key=no +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_string_to_key" >&5 +echo "${ECHO_T}$ac_cv_lib_krb5_krb5_string_to_key" >&6 +if test $ac_cv_lib_krb5_krb5_string_to_key = yes; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_KRB5_STRING_TO_KEY 1 +_ACEOF + +fi + + echo "$as_me:$LINENO: checking for krb5_get_pw_salt in -lkrb5" >&5 +echo $ECHO_N "checking for krb5_get_pw_salt in -lkrb5... $ECHO_C" >&6 +if test "${ac_cv_lib_krb5_krb5_get_pw_salt+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lkrb5 $LIBS" +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char krb5_get_pw_salt (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +krb5_get_pw_salt (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_krb5_krb5_get_pw_salt=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_lib_krb5_krb5_get_pw_salt=no +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_get_pw_salt" >&5 +echo "${ECHO_T}$ac_cv_lib_krb5_krb5_get_pw_salt" >&6 +if test $ac_cv_lib_krb5_krb5_get_pw_salt = yes; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_KRB5_GET_PW_SALT 1 +_ACEOF + +fi + + echo "$as_me:$LINENO: checking for krb5_string_to_key_salt in -lkrb5" >&5 +echo $ECHO_N "checking for krb5_string_to_key_salt in -lkrb5... $ECHO_C" >&6 +if test "${ac_cv_lib_krb5_krb5_string_to_key_salt+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lkrb5 $LIBS" +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char krb5_string_to_key_salt (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +krb5_string_to_key_salt (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_krb5_krb5_string_to_key_salt=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_lib_krb5_krb5_string_to_key_salt=no +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_string_to_key_salt" >&5 +echo "${ECHO_T}$ac_cv_lib_krb5_krb5_string_to_key_salt" >&6 +if test $ac_cv_lib_krb5_krb5_string_to_key_salt = yes; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_KRB5_STRING_TO_KEY_SALT 1 +_ACEOF + +fi + + echo "$as_me:$LINENO: checking for krb5_auth_con_setkey in -lkrb5" >&5 +echo $ECHO_N "checking for krb5_auth_con_setkey in -lkrb5... $ECHO_C" >&6 +if test "${ac_cv_lib_krb5_krb5_auth_con_setkey+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lkrb5 $LIBS" +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char krb5_auth_con_setkey (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +krb5_auth_con_setkey (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_krb5_krb5_auth_con_setkey=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_lib_krb5_krb5_auth_con_setkey=no +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_auth_con_setkey" >&5 +echo "${ECHO_T}$ac_cv_lib_krb5_krb5_auth_con_setkey" >&6 +if test $ac_cv_lib_krb5_krb5_auth_con_setkey = yes; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_KRB5_AUTH_CON_SETKEY 1 +_ACEOF + +fi + + echo "$as_me:$LINENO: checking for krb5_auth_con_setuseruserkey in -lkrb5" >&5 +echo $ECHO_N "checking for krb5_auth_con_setuseruserkey in -lkrb5... $ECHO_C" >&6 +if test "${ac_cv_lib_krb5_krb5_auth_con_setuseruserkey+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lkrb5 $LIBS" +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char krb5_auth_con_setuseruserkey (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +krb5_auth_con_setuseruserkey (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_krb5_krb5_auth_con_setuseruserkey=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_lib_krb5_krb5_auth_con_setuseruserkey=no +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_auth_con_setuseruserkey" >&5 +echo "${ECHO_T}$ac_cv_lib_krb5_krb5_auth_con_setuseruserkey" >&6 +if test $ac_cv_lib_krb5_krb5_auth_con_setuseruserkey = yes; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_KRB5_AUTH_CON_SETUSERUSERKEY 1 +_ACEOF + +fi + + echo "$as_me:$LINENO: checking for addrtype in krb5_address" >&5 echo $ECHO_N "checking for addrtype in krb5_address... $ECHO_C" >&6 if test "${samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS+set}" = set; then diff --git a/source3/configure.in b/source3/configure.in index dd145409c5..63a30007b4 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -2045,6 +2045,14 @@ fi AC_CHECK_LIB(krb5, krb5_set_default_in_tkt_etypes, [AC_DEFINE(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES,1,[Whether krb5_set_default_in_tkt_etypes, is available])]) AC_CHECK_LIB(krb5, krb5_set_default_tgs_ktypes, [AC_DEFINE(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES,1,[Whether krb5_set_default_tgs_ktypes is available])]) + AC_CHECK_LIB(krb5, krb5_principal2salt, [AC_DEFINE(HAVE_KRB5_PRINCIPAL2SALT,1,[Whether krb5_principal2salt is available])]) + AC_CHECK_LIB(krb5, krb5_use_enctype, [AC_DEFINE(HAVE_KRB5_USE_ENCTYPE,1,[Whether krb5_use_enctype is available])]) + AC_CHECK_LIB(krb5, krb5_string_to_key, [AC_DEFINE(HAVE_KRB5_STRING_TO_KEY,1,[Whether krb5_string_to_key is available])]) + AC_CHECK_LIB(krb5, krb5_get_pw_salt, [AC_DEFINE(HAVE_KRB5_GET_PW_SALT,1,[Whether krb5_get_pw_salt is available])]) + AC_CHECK_LIB(krb5, krb5_string_to_key_salt, [AC_DEFINE(HAVE_KRB5_STRING_TO_KEY_SALT,1,[Whether krb5_string_to_key_salt is available])]) + AC_CHECK_LIB(krb5, krb5_auth_con_setkey, [AC_DEFINE(HAVE_KRB5_AUTH_CON_SETKEY,1,[Whether krb5_auth_con_setkey is available])]) + AC_CHECK_LIB(krb5, krb5_auth_con_setuseruserkey, [AC_DEFINE(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY,1,[Whether krb5_auth_con_setuseruserkey is available])]) + AC_CACHE_CHECK([for addrtype in krb5_address],samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS,[ AC_TRY_COMPILE([#include <krb5.h>], [krb5_address kaddr; kaddr.addrtype = ADDRTYPE_INET;], diff --git a/source3/include/config.h.in b/source3/include/config.h.in index 36e200eaa0..6b5256f879 100644 --- a/source3/include/config.h.in +++ b/source3/include/config.h.in @@ -555,9 +555,21 @@ /* Whether KRB5 is available */ #undef HAVE_KRB5 +/* Whether krb5_auth_con_setkey is available */ +#undef HAVE_KRB5_AUTH_CON_SETKEY + +/* Whether krb5_auth_con_setuseruserkey is available */ +#undef HAVE_KRB5_AUTH_CON_SETUSERUSERKEY + +/* Whether krb5_get_pw_salt is available */ +#undef HAVE_KRB5_GET_PW_SALT + /* Define to 1 if you have the <krb5.h> header file. */ #undef HAVE_KRB5_H +/* Whether krb5_principal2salt is available */ +#undef HAVE_KRB5_PRINCIPAL2SALT + /* Whether krb5_set_default_in_tkt_etypes, is available */ #undef HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES @@ -567,6 +579,15 @@ /* Whether krb5_set_real_time is available */ #undef HAVE_KRB5_SET_REAL_TIME +/* Whether krb5_string_to_key is available */ +#undef HAVE_KRB5_STRING_TO_KEY + +/* Whether krb5_string_to_key_salt is available */ +#undef HAVE_KRB5_STRING_TO_KEY_SALT + +/* Whether krb5_use_enctype is available */ +#undef HAVE_KRB5_USE_ENCTYPE + /* Define to 1 if you have the <lastlog.h> header file. */ #undef HAVE_LASTLOG_H diff --git a/source3/include/includes.h b/source3/include/includes.h index 23d6d1c457..c329085c97 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -1214,8 +1214,18 @@ krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_ krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc); #endif -/* Samba wrapper function for krb5 functionality. */ +#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) +krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, + krb5_auth_context auth_context, + krb5_keyblock *keyblock); +#endif + +/* Samba wrapper functions for krb5 functionality. */ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr); +int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key); #endif /* HAVE_KRB5 */ diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index f761467d6f..379525a8e3 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -36,8 +36,6 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, krb5_keytab keytab = NULL; krb5_data packet; krb5_ticket *tkt = NULL; - krb5_data salt; - krb5_encrypt_block eblock; int ret; krb5_keyblock * key; krb5_principal host_princ; @@ -91,24 +89,15 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, return NT_STATUS_LOGON_FAILURE; } - ret = krb5_principal2salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); - return NT_STATUS_LOGON_FAILURE; - } - if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) { return NT_STATUS_NO_MEMORY; } - krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); - - ret = krb5_string_to_key(context, &eblock, key, &password, &salt); - if (ret) { - DEBUG(1,("krb5_string_to_key failed (%s)\n", error_message(ret))); + if (create_kerberos_key_from_string(context, host_princ, &password, key)) { + SAFE_FREE(key); return NT_STATUS_LOGON_FAILURE; } - + krb5_auth_con_setuseruserkey(context, auth_context, key); packet.length = ticket->length; diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 2047efd704..c948431509 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -70,6 +70,54 @@ __ERROR__XX__UNKNOWN_ADDRTYPE #endif +#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) + int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key) +{ + int ret; + krb5_data salt, + krb5_encrypt_block eblock; + + ret = krb5_principal2salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); + return ret; + } + krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); + return krb5_string_to_key(context, &eblock, key, password, &salt); +} +#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) + int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key) +{ + int ret; + krb5_salt salt; + + ret = krb5_get_pw_salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); + return ret; + } + return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data, + salt, key); +} +#else + __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS +#endif + +#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) + krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, + krb5_auth_context auth_context, + krb5_keyblock *keyblock) +{ + return krb5_auth_con_setkey(context, auth_context, keyblock); +} +#endif + /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ |