| -rw-r--r-- | source3/libads/kerberos.c | 76 | ||||
| -rw-r--r-- | source3/libads/ldap.c | 2 | 
2 files changed, 66 insertions, 12 deletions
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 1b0de382bd..c494016f98 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -23,25 +23,79 @@
 #ifdef HAVE_KRB5
+/*
+  simulate a kinit, putting the tgt in the default cache location
+  remus@snapserver.com
+*/
+int kerberos_kinit_password(const char *principal, const char *password)
+{
+	krb5_context ctx;
+	krb5_error_code code = 0;
+	krb5_ccache cc;
+	krb5_principal me;
+	krb5_creds my_creds;
+	
+	if ((code = krb5_init_context(&ctx)))
+		return code;
+	
+	if ((code = krb5_cc_default(ctx, &cc))) {
+		krb5_free_context(ctx);
+		return code;
+	}
+	
+	if ((code = krb5_parse_name(ctx, principal, &me))) {
+		krb5_free_context(ctx);	
+		return code;
+	}
+	
+	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, password, NULL, 
+						NULL, 0, NULL, NULL))) {
+		krb5_free_principal(ctx, me);
+		krb5_free_context(ctx);		
+		return code;
+	}
+	
+	if ((code = krb5_cc_initialize(ctx, cc, me))) {
+		krb5_free_cred_contents(ctx, &my_creds);
+		krb5_free_principal(ctx, me);
+		krb5_free_context(ctx);		
+		return code;
+	}
+	
+	if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
+		krb5_cc_close(ctx, cc);
+		krb5_free_cred_contents(ctx, &my_creds);
+		krb5_free_principal(ctx, me);
+		krb5_free_context(ctx);		
+		return code;
+	}
+	
+	krb5_cc_close(ctx, cc);
+	krb5_free_cred_contents(ctx, &my_creds);
+	krb5_free_principal(ctx, me);
+	krb5_free_context(ctx);		
+	
+	return 0;
+}
+
-/* VERY nasty hack until we have proper kerberos code for this */
-void kerberos_kinit_password(ADS_STRUCT *ads)
+
+/* run kinit to setup our ccache */
+int ads_kinit_password(ADS_STRUCT *ads)
 {
 	char *s;
-	FILE *f;
+	int ret;
 	extern pstring global_myname;
 	fstring myname;
 	fstrcpy(myname, global_myname);
 	strlower(myname);
-	asprintf(&s, "kinit 'HOST/%s@%s'", global_myname, ads->realm);
-	DEBUG(0,("HACK!! Running %s\n", s));
-	f = popen(s, "w");
-	if (f) {
-		fprintf(f,"%s\n", ads->password);
-		fflush(f);
-		fclose(f);
-	}
+	asprintf(&s, "HOST/%s@%s", global_myname, ads->realm);
+	ret = kerberos_kinit_password(s, ads->password);
 	free(s);
+	if (ret) {
+		DEBUG(1,("kerberos_kinit_password failed: %s\n", error_message(ret)));
+	}
+	return ret;
 }
 /*
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 60f620d2f4..a7c9265b18 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -74,7 +74,7 @@ int ads_connect(ADS_STRUCT *ads)
 		/* the machine acct password might have changed */
 		free(ads->password);
 		ads->password = secrets_fetch_machine_password();
-		kerberos_kinit_password(ads);
+		ads_kinit_password(ads);
 	}
 	rc = ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL,   | 
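Review bot: In kerberos_kinit_password the ccache handle obtained from krb5_cc_default() is closed only on the krb5_cc_store_cred() failure path and on success; the early returns after krb5_parse_name(), krb5_get_init_creds_password() and krb5_cc_initialize() free the context but never call krb5_cc_close(ctx, cc). A single unwinding exit, as sketched below, releases each resource exactly once and keeps the error paths from drifting apart again. Separately, in ads_kinit_password the result of asprintf() is not checked, so on allocation failure `s` is indeterminate when it is passed to kerberos_kinit_password() and free(); testing the return for `-1` before use would close that. The lowercased `myname` is computed but the principal is built from `global_myname`, which looks unintended and is worth confirming.

```c
int kerberos_kinit_password(const char *principal, const char *password)
{
	krb5_context ctx;
	krb5_error_code code;
	krb5_ccache cc;
	krb5_principal me;
	krb5_creds my_creds;

	if ((code = krb5_init_context(&ctx)))
		return code;

	if ((code = krb5_cc_default(ctx, &cc)))
		goto out_ctx;

	if ((code = krb5_parse_name(ctx, principal, &me)))
		goto out_cc;

	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, password, NULL,
						NULL, 0, NULL, NULL)))
		goto out_me;

	if ((code = krb5_cc_initialize(ctx, cc, me)))
		goto out_creds;

	code = krb5_cc_store_cred(ctx, cc, &my_creds);

	/* unwind in reverse order of acquisition; each label frees one resource */
out_creds:
	krb5_free_cred_contents(ctx, &my_creds);
out_me:
	krb5_free_principal(ctx, me);
out_cc:
	krb5_cc_close(ctx, cc);
out_ctx:
	krb5_free_context(ctx);
	return code;
}
```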
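Review bot: The call `ads_kinit_password(ads);` in ads_connect discards the new int return value, so a failed ticket request surfaces only as a DEBUG(1) line and the code goes straight on to ldap_sasl_interactive_bind_s() with whatever the default credential cache already holds. Checking it at the call site, for example `if ((rc = ads_kinit_password(ads)) != 0) return rc;`, would stop the bind from running on stale or missing credentials; how a krb5 error code should map onto ads_connect's own return value is not visible here and needs deciding. The result of secrets_fetch_machine_password() is also passed on unchecked, so if it can return NULL that NULL reaches krb5_get_init_creds_password() as the password. ads_connect's body starts and ends outside the hunk.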
