-rwxr-xr-xsource3/configure442
-rw-r--r--source3/configure.in8
-rw-r--r--source3/include/config.h.in21
-rw-r--r--source3/include/includes.h12
-rw-r--r--source3/libads/kerberos_verify.c17
-rw-r--r--source3/libsmb/clikrb5.c48
6 files changed, 533 insertions, 15 deletions
diff --git a/source3/configure b/source3/configure
index 7ec6b6ec22..078fa25beb 100755
--- a/source3/configure
+++ b/source3/configure
@@ -21193,6 +21193,448 @@ _ACEOF
fi
+ echo "$as_me:$LINENO: checking for krb5_principal2salt in -lkrb5" >&5
+echo $ECHO_N "checking for krb5_principal2salt in -lkrb5... $ECHO_C" >&6
+if test "${ac_cv_lib_krb5_krb5_principal2salt+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lkrb5 $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char krb5_principal2salt ();
+#ifdef F77_DUMMY_MAIN
+# ifdef __cplusplus
+ extern "C"
+# endif
+ int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+krb5_principal2salt ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_krb5_krb5_principal2salt=yes
+else
+ echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_krb5_krb5_principal2salt=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_principal2salt" >&5
+echo "${ECHO_T}$ac_cv_lib_krb5_krb5_principal2salt" >&6
+if test $ac_cv_lib_krb5_krb5_principal2salt = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_KRB5_PRINCIPAL2SALT 1
+_ACEOF
+
+fi
+
+ echo "$as_me:$LINENO: checking for krb5_use_enctype in -lkrb5" >&5
+echo $ECHO_N "checking for krb5_use_enctype in -lkrb5... $ECHO_C" >&6
+if test "${ac_cv_lib_krb5_krb5_use_enctype+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lkrb5 $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char krb5_use_enctype ();
+#ifdef F77_DUMMY_MAIN
+# ifdef __cplusplus
+ extern "C"
+# endif
+ int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+krb5_use_enctype ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_krb5_krb5_use_enctype=yes
+else
+ echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_krb5_krb5_use_enctype=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_use_enctype" >&5
+echo "${ECHO_T}$ac_cv_lib_krb5_krb5_use_enctype" >&6
+if test $ac_cv_lib_krb5_krb5_use_enctype = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_KRB5_USE_ENCTYPE 1
+_ACEOF
+
+fi
+
+ echo "$as_me:$LINENO: checking for krb5_string_to_key in -lkrb5" >&5
+echo $ECHO_N "checking for krb5_string_to_key in -lkrb5... $ECHO_C" >&6
+if test "${ac_cv_lib_krb5_krb5_string_to_key+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lkrb5 $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char krb5_string_to_key ();
+#ifdef F77_DUMMY_MAIN
+# ifdef __cplusplus
+ extern "C"
+# endif
+ int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+krb5_string_to_key ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_krb5_krb5_string_to_key=yes
+else
+ echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_krb5_krb5_string_to_key=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_string_to_key" >&5
+echo "${ECHO_T}$ac_cv_lib_krb5_krb5_string_to_key" >&6
+if test $ac_cv_lib_krb5_krb5_string_to_key = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_KRB5_STRING_TO_KEY 1
+_ACEOF
+
+fi
+
+ echo "$as_me:$LINENO: checking for krb5_get_pw_salt in -lkrb5" >&5
+echo $ECHO_N "checking for krb5_get_pw_salt in -lkrb5... $ECHO_C" >&6
+if test "${ac_cv_lib_krb5_krb5_get_pw_salt+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lkrb5 $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char krb5_get_pw_salt ();
+#ifdef F77_DUMMY_MAIN
+# ifdef __cplusplus
+ extern "C"
+# endif
+ int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+krb5_get_pw_salt ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_krb5_krb5_get_pw_salt=yes
+else
+ echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_krb5_krb5_get_pw_salt=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_get_pw_salt" >&5
+echo "${ECHO_T}$ac_cv_lib_krb5_krb5_get_pw_salt" >&6
+if test $ac_cv_lib_krb5_krb5_get_pw_salt = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_KRB5_GET_PW_SALT 1
+_ACEOF
+
+fi
+
+ echo "$as_me:$LINENO: checking for krb5_string_to_key_salt in -lkrb5" >&5
+echo $ECHO_N "checking for krb5_string_to_key_salt in -lkrb5... $ECHO_C" >&6
+if test "${ac_cv_lib_krb5_krb5_string_to_key_salt+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lkrb5 $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char krb5_string_to_key_salt ();
+#ifdef F77_DUMMY_MAIN
+# ifdef __cplusplus
+ extern "C"
+# endif
+ int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+krb5_string_to_key_salt ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_krb5_krb5_string_to_key_salt=yes
+else
+ echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_krb5_krb5_string_to_key_salt=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_string_to_key_salt" >&5
+echo "${ECHO_T}$ac_cv_lib_krb5_krb5_string_to_key_salt" >&6
+if test $ac_cv_lib_krb5_krb5_string_to_key_salt = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_KRB5_STRING_TO_KEY_SALT 1
+_ACEOF
+
+fi
+
+ echo "$as_me:$LINENO: checking for krb5_auth_con_setkey in -lkrb5" >&5
+echo $ECHO_N "checking for krb5_auth_con_setkey in -lkrb5... $ECHO_C" >&6
+if test "${ac_cv_lib_krb5_krb5_auth_con_setkey+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lkrb5 $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char krb5_auth_con_setkey ();
+#ifdef F77_DUMMY_MAIN
+# ifdef __cplusplus
+ extern "C"
+# endif
+ int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+krb5_auth_con_setkey ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_krb5_krb5_auth_con_setkey=yes
+else
+ echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_krb5_krb5_auth_con_setkey=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_auth_con_setkey" >&5
+echo "${ECHO_T}$ac_cv_lib_krb5_krb5_auth_con_setkey" >&6
+if test $ac_cv_lib_krb5_krb5_auth_con_setkey = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_KRB5_AUTH_CON_SETKEY 1
+_ACEOF
+
+fi
+
+ echo "$as_me:$LINENO: checking for krb5_auth_con_setuseruserkey in -lkrb5" >&5
+echo $ECHO_N "checking for krb5_auth_con_setuseruserkey in -lkrb5... $ECHO_C" >&6
+if test "${ac_cv_lib_krb5_krb5_auth_con_setuseruserkey+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lkrb5 $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char krb5_auth_con_setuseruserkey ();
+#ifdef F77_DUMMY_MAIN
+# ifdef __cplusplus
+ extern "C"
+# endif
+ int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+krb5_auth_con_setuseruserkey ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_krb5_krb5_auth_con_setuseruserkey=yes
+else
+ echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_krb5_krb5_auth_con_setuseruserkey=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_krb5_auth_con_setuseruserkey" >&5
+echo "${ECHO_T}$ac_cv_lib_krb5_krb5_auth_con_setuseruserkey" >&6
+if test $ac_cv_lib_krb5_krb5_auth_con_setuseruserkey = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_KRB5_AUTH_CON_SETUSERUSERKEY 1
+_ACEOF
+
+fi
+
+
echo "$as_me:$LINENO: checking for addrtype in krb5_address" >&5
echo $ECHO_N "checking for addrtype in krb5_address... $ECHO_C" >&6
if test "${samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS+set}" = set; then
diff --git a/source3/configure.in b/source3/configure.in
index dd145409c5..63a30007b4 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -2045,6 +2045,14 @@ fi
AC_CHECK_LIB(krb5, krb5_set_default_in_tkt_etypes, [AC_DEFINE(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES,1,[Whether krb5_set_default_in_tkt_etypes, is available])])
AC_CHECK_LIB(krb5, krb5_set_default_tgs_ktypes, [AC_DEFINE(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES,1,[Whether krb5_set_default_tgs_ktypes is available])])
+ AC_CHECK_LIB(krb5, krb5_principal2salt, [AC_DEFINE(HAVE_KRB5_PRINCIPAL2SALT,1,[Whether krb5_principal2salt is available])])
+ AC_CHECK_LIB(krb5, krb5_use_enctype, [AC_DEFINE(HAVE_KRB5_USE_ENCTYPE,1,[Whether krb5_use_enctype is available])])
+ AC_CHECK_LIB(krb5, krb5_string_to_key, [AC_DEFINE(HAVE_KRB5_STRING_TO_KEY,1,[Whether krb5_string_to_key is available])])
+ AC_CHECK_LIB(krb5, krb5_get_pw_salt, [AC_DEFINE(HAVE_KRB5_GET_PW_SALT,1,[Whether krb5_get_pw_salt is available])])
+ AC_CHECK_LIB(krb5, krb5_string_to_key_salt, [AC_DEFINE(HAVE_KRB5_STRING_TO_KEY_SALT,1,[Whether krb5_string_to_key_salt is available])])
+ AC_CHECK_LIB(krb5, krb5_auth_con_setkey, [AC_DEFINE(HAVE_KRB5_AUTH_CON_SETKEY,1,[Whether krb5_auth_con_setkey is available])])
+ AC_CHECK_LIB(krb5, krb5_auth_con_setuseruserkey, [AC_DEFINE(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY,1,[Whether krb5_auth_con_setuseruserkey is available])])
+
AC_CACHE_CHECK([for addrtype in krb5_address],samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS,[
AC_TRY_COMPILE([#include <krb5.h>],
[krb5_address kaddr; kaddr.addrtype = ADDRTYPE_INET;],
diff --git a/source3/include/config.h.in b/source3/include/config.h.in
index 36e200eaa0..6b5256f879 100644
--- a/source3/include/config.h.in
+++ b/source3/include/config.h.in
@@ -555,9 +555,21 @@
/* Whether KRB5 is available */
#undef HAVE_KRB5
+/* Whether krb5_auth_con_setkey is available */
+#undef HAVE_KRB5_AUTH_CON_SETKEY
+
+/* Whether krb5_auth_con_setuseruserkey is available */
+#undef HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
+
+/* Whether krb5_get_pw_salt is available */
+#undef HAVE_KRB5_GET_PW_SALT
+
/* Define to 1 if you have the <krb5.h> header file. */
#undef HAVE_KRB5_H
+/* Whether krb5_principal2salt is available */
+#undef HAVE_KRB5_PRINCIPAL2SALT
+
/* Whether krb5_set_default_in_tkt_etypes, is available */
#undef HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES
@@ -567,6 +579,15 @@
/* Whether krb5_set_real_time is available */
#undef HAVE_KRB5_SET_REAL_TIME
+/* Whether krb5_string_to_key is available */
+#undef HAVE_KRB5_STRING_TO_KEY
+
+/* Whether krb5_string_to_key_salt is available */
+#undef HAVE_KRB5_STRING_TO_KEY_SALT
+
+/* Whether krb5_use_enctype is available */
+#undef HAVE_KRB5_USE_ENCTYPE
+
/* Define to 1 if you have the <lastlog.h> header file. */
#undef HAVE_LASTLOG_H
diff --git a/source3/include/includes.h b/source3/include/includes.h
index 23d6d1c457..c329085c97 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -1214,8 +1214,18 @@ krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_
krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
#endif
-/* Samba wrapper function for krb5 functionality. */
+#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
+krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock);
+#endif
+
+/* Samba wrapper functions for krb5 functionality. */
void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr);
+int create_kerberos_key_from_string(krb5_context context,
+ krb5_principal host_princ,
+ krb5_data *password,
+ krb5_keyblock *key);
#endif /* HAVE_KRB5 */
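Review bot: The new `create_kerberos_key_from_string` prototype has no comment stating its contract, and it returns `int` although both implementations in clikrb5.c pass through the krb5 library's return value. A one-line comment above it would help callers, for example `/* Derive a DES-CBC-MD5 key for host_princ from password into *key; returns 0 on success, else a krb5 error code. */`. Declaring the return type as `krb5_error_code`, like the `krb5_auth_con_setuseruserkey` shim just above it, would also make the two wrappers read consistently.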
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index f761467d6f..379525a8e3 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -36,8 +36,6 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
krb5_keytab keytab = NULL;
krb5_data packet;
krb5_ticket *tkt = NULL;
- krb5_data salt;
- krb5_encrypt_block eblock;
int ret;
krb5_keyblock * key;
krb5_principal host_princ;
@@ -91,24 +89,15 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
return NT_STATUS_LOGON_FAILURE;
}
- ret = krb5_principal2salt(context, host_princ, &salt);
- if (ret) {
- DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
- return NT_STATUS_LOGON_FAILURE;
- }
-
if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
return NT_STATUS_NO_MEMORY;
}
- krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5);
-
- ret = krb5_string_to_key(context, &eblock, key, &password, &salt);
- if (ret) {
- DEBUG(1,("krb5_string_to_key failed (%s)\n", error_message(ret)));
+ if (create_kerberos_key_from_string(context, host_princ, &password, key)) {
+ SAFE_FREE(key);
return NT_STATUS_LOGON_FAILURE;
}
-
+
krb5_auth_con_setuseruserkey(context, auth_context, key);
packet.length = ticket->length;
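Review bot: A failing krb5_string_to_key is now silent, because the removed lines logged `krb5_string_to_key failed (%s)` while the new `if (create_kerberos_key_from_string(...))` discards the return code, and the helper in clikrb5.c logs only the salt step. Storing the result in the existing `ret` and logging it before `SAFE_FREE(key)` would keep the diagnostic for a failed ticket verification: `ret = create_kerberos_key_from_string(context, host_princ, &password, key);` followed by `DEBUG(1,("create_kerberos_key_from_string failed (%s)\n", error_message(ret)));` inside the `if (ret)` branch. ads_verify_ticket starts and ends outside this hunk, so whether the krb5 objects acquired earlier are released on this return path cannot be judged from here.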
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 2047efd704..c948431509 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -70,6 +70,54 @@
__ERROR__XX__UNKNOWN_ADDRTYPE
#endif
+#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY)
+ int create_kerberos_key_from_string(krb5_context context,
+ krb5_principal host_princ,
+ krb5_data *password,
+ krb5_keyblock *key)
+{
+ int ret;
+ krb5_data salt,
+ krb5_encrypt_block eblock;
+
+ ret = krb5_principal2salt(context, host_princ, &salt);
+ if (ret) {
+ DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
+ return ret;
+ }
+ krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5);
+ return krb5_string_to_key(context, &eblock, key, password, &salt);
+}
+#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
+ int create_kerberos_key_from_string(krb5_context context,
+ krb5_principal host_princ,
+ krb5_data *password,
+ krb5_keyblock *key)
+{
+ int ret;
+ krb5_salt salt;
+
+ ret = krb5_get_pw_salt(context, host_princ, &salt);
+ if (ret) {
+ DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
+ return ret;
+ }
+ return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data,
+ salt, key);
+}
+#else
+ __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS
+#endif
+
+#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
+ krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock)
+{
+ return krb5_auth_con_setkey(context, auth_context, keyblock);
+}
+#endif
+
/*
we can't use krb5_mk_req because w2k wants the service to be in a particular format
*/
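Review bot: The first branch of `create_kerberos_key_from_string` declares `krb5_data salt,` with a trailing comma before `krb5_encrypt_block eblock;`, which will not compile wherever that branch is selected; it should read `krb5_data salt;`. Neither branch releases the salt it obtains: the result of krb5_principal2salt / krb5_get_pw_salt is still held when the function returns, so each call appears to leak it. The second branch also passes `password->data` as a C string, which presumably relies on the caller's buffer being NUL-terminated and is worth confirming. Both branches keep the hard-coded `ENCTYPE_DES_CBC_MD5` from the old code, so only a single-DES key is ever derived for ticket verification; a comment saying so, or taking the enctype as a parameter, would make that limitation visible.

```c
	int ret;
	krb5_data salt;
	krb5_encrypt_block eblock;

	/* … unchanged: krb5_principal2salt call and its error path … */
	krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5);
	ret = krb5_string_to_key(context, &eblock, key, password, &salt);
	SAFE_FREE(salt.data);	/* salt buffer is no longer needed once the key is derived */
	return ret;

	/* … second branch, unchanged: krb5_get_pw_salt call and its error path … */
	ret = krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data,
				      salt, key);
	krb5_free_salt(context, salt);
	return ret;
```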