diff options
-rw-r--r-- | source3/configure.in | 3 | ||||
-rw-r--r-- | source3/include/includes.h | 5 | ||||
-rw-r--r-- | source3/libads/kerberos_verify.c | 45 | ||||
-rw-r--r-- | source3/libsmb/clikrb5.c | 37 |
4 files changed, 70 insertions, 20 deletions
diff --git a/source3/configure.in b/source3/configure.in index 8a6cae254d..bd5a088502 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -2192,6 +2192,9 @@ fi AC_CHECK_LIB(krb5, krb5_auth_con_setkey, [AC_DEFINE(HAVE_KRB5_AUTH_CON_SETKEY,1,[Whether krb5_auth_con_setkey is available])]) AC_CHECK_LIB(krb5, krb5_auth_con_setuseruserkey, [AC_DEFINE(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY,1,[Whether krb5_auth_con_setuseruserkey is available])]) AC_CHECK_LIB(krb5, krb5_locate_kdc, [AC_DEFINE(HAVE_KRB5_LOCATE_KDC,1,[Whether krb5_locate_kdc is available])]) + AC_CHECK_LIB(krb5, krb5_get_permitted_enctypes, [AC_DEFINE(HAVE_KRB5_GET_PERMITTED_ENCTYPES,1,[Whether krb5_get_permitted_enctypes is available])]) + AC_CHECK_LIB(krb5, krb5_get_default_in_tkt_etypes, [AC_DEFINE(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES,1,[Whether krb5_get_default_in_tkt_etypes is available])]) + AC_CHECK_LIB(krb5, krb5_free_ktypes, [AC_DEFINE(HAVE_KRB5_FREE_KTYPES,1,[Whether krb5_free_ktypes is available])]) AC_CACHE_CHECK([for addrtype in krb5_address],samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS,[ AC_TRY_COMPILE([#include <krb5.h>], diff --git a/source3/include/includes.h b/source3/include/includes.h index 5aaf009738..d33c7d766a 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -1224,11 +1224,12 @@ krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_con /* Samba wrapper function for krb5 functionality. */ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr); -int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key); +int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype); void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt); krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt); krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); - +krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes); +void free_kerberos_etypes(krb5_context context, krb5_enctype *enctypes); #endif /* HAVE_KRB5 */ #endif /* _INCLUDES_H */ diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 268326fca9..17fecf60c8 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -36,13 +36,15 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, krb5_keytab keytab = NULL; krb5_data packet; krb5_ticket *tkt = NULL; - int ret; + int ret, i; krb5_keyblock * key; krb5_principal host_princ; char *host_princ_s; fstring myname; char *password_s; krb5_data password; + krb5_enctype *enctypes = NULL; + BOOL auth_ok = False; if (!secrets_init()) { DEBUG(1,("secrets_init failed\n")); @@ -67,7 +69,6 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, ret = krb5_set_default_realm(context, ads->auth.realm); if (ret) { DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret))); - ads_destroy(&ads); return NT_STATUS_LOGON_FAILURE; } @@ -93,27 +94,42 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, return NT_STATUS_NO_MEMORY; } - if (create_kerberos_key_from_string(context, host_princ, &password, key)) { - SAFE_FREE(key); + if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) { + DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n", + error_message(ret))); return NT_STATUS_LOGON_FAILURE; } - - krb5_auth_con_setuseruserkey(context, auth_context, key); - packet.length = ticket->length; - packet.data = (krb5_pointer)ticket->data; + /* we need to setup a auth context with each possible encoding type in turn */ + for (i=0;enctypes[i];i++) { + if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) { + continue; + } -#if 0 - file_save("/tmp/ticket.dat", ticket->data, ticket->length); -#endif + krb5_auth_con_setuseruserkey(context, auth_context, key); + + packet.length = ticket->length; + packet.data = (krb5_pointer)ticket->data; - if ((ret = krb5_rd_req(context, &auth_context, &packet, - NULL, keytab, NULL, &tkt))) { + if (!(ret = krb5_rd_req(context, &auth_context, &packet, + NULL, keytab, NULL, &tkt))) { + free_kerberos_etypes(context, enctypes); + auth_ok = True; + break; + } + } + + if (!auth_ok) { DEBUG(3,("krb5_rd_req with auth failed (%s)\n", error_message(ret))); + SAFE_FREE(key); return NT_STATUS_LOGON_FAILURE; } +#if 0 + file_save("/tmp/ticket.dat", ticket->data, ticket->length); +#endif + get_auth_data_from_tkt(auth_data, tkt); #if 0 @@ -124,7 +140,8 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, } #endif - if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt), principal))) { + if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt), + principal))) { DEBUG(3,("krb5_unparse_name failed (%s)\n", error_message(ret))); return NT_STATUS_LOGON_FAILURE; diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index e380d80bcc..96e737166c 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -74,7 +74,8 @@ int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, - krb5_keyblock *key) + krb5_keyblock *key, + krb5_enctype enctype) { int ret; krb5_data salt; @@ -85,14 +86,15 @@ DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); return ret; } - krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); + krb5_use_enctype(context, &eblock, enctype); return krb5_string_to_key(context, &eblock, key, password, &salt); } #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, - krb5_keyblock *key) + krb5_keyblock *key, + krb5_enctype enctype) { int ret; krb5_salt salt; @@ -102,13 +104,40 @@ DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); return ret; } - return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data, + return krb5_string_to_key_salt(context, enctype, password->data, salt, key); } #else __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS #endif +#if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES) +krb5_error_code get_kerberos_allowed_etypes(krb5_context context, + krb5_enctype **enctypes) +{ + return krb5_get_permitted_enctypes(context, enctypes); +} +#elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES) +krb5_error_code get_kerberos_allowed_etypes(krb5_context context, + krb5_enctype **enctypes) +{ + return krb5_get_default_in_tkt_etypes(context, enctypes); +} +#else + __ERROR_XX_UNKNOWN_GET_ENCTYPES_FUNCTIONS +#endif + + void free_kerberos_etypes(krb5_context context, + krb5_enctype *enctypes) +{ +#if defined(HAVE_KRB5_FREE_KTYPES) + return krb5_free_ktypes(context, enctypes); +#else + SAFE_FREE(enctypes); + return; +#endif +} + #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, |