-rw-r--r--source4/libads/config.m42
-rw-r--r--source4/libcli/auth/clikrb5.c14
-rw-r--r--source4/libcli/auth/kerberos.h1
-rw-r--r--source4/libcli/auth/kerberos_verify.c69
4 files changed, 55 insertions, 31 deletions
diff --git a/source4/libads/config.m4 b/source4/libads/config.m4
index 57416113b3..8c27dba49e 100644
--- a/source4/libads/config.m4
+++ b/source4/libads/config.m4
@@ -341,6 +341,8 @@ if test x"$with_krb5_support" != x"no"; then
AC_CHECK_FUNC_EXT(krb5_krbhst_get_addrinfo, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_c_enctype_compare, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_error_string, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_free_error_string, $KRB5_LIBS)
LIBS="$LIBS $KRB5_LIBS"
diff --git a/source4/libcli/auth/clikrb5.c b/source4/libcli/auth/clikrb5.c
index 5a196db7a5..b7bd710304 100644
--- a/source4/libcli/auth/clikrb5.c
+++ b/source4/libcli/auth/clikrb5.c
@@ -461,4 +461,18 @@ cleanup_princ:
#endif
}
+ char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx)
+{
+ char *ret;
+
+#if defined(HAVE_KRB5_GET_ERROR_STRING) && defined(HAVE_KRB5_FREE_ERROR_STRING)
+ char *context_error = krb5_get_error_string(context);
+ ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
+ krb5_free_error_string(context, context_error);
+#else
+ ret = talloc_strdup(mem_ctx, error_message(code));
+#endif
+ return ret;
+}
+
#endif
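Review bot: `krb5_get_error_string()` can return NULL when no error string has been set on the context (that is the Heimdal API's documented behaviour, as far as I recall), and the `talloc_asprintf` call passes it straight to a `%s` conversion, which is undefined behaviour in C (glibc prints "(null)", other libcs may crash). Guard it before formatting: `if (context_error == NULL) { return talloc_strdup(mem_ctx, error_message(code)); }`. The talloc result is also unchecked and every caller hands it to `DEBUG` under `%s`, so an allocation failure hits the same problem; the NULL-string case is at least cheap to handle here. Minor style point: the definition line carries a stray leading space before `char *`.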
diff --git a/source4/libcli/auth/kerberos.h b/source4/libcli/auth/kerberos.h
index c9b2eae55c..4daf0ea07a 100644
--- a/source4/libcli/auth/kerberos.h
+++ b/source4/libcli/auth/kerberos.h
@@ -94,5 +94,6 @@ void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
BOOL kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
+char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
#endif /* HAVE_KRB5 */
diff --git a/source4/libcli/auth/kerberos_verify.c b/source4/libcli/auth/kerberos_verify.c
index fd4c3f6ba3..a1dfe1056e 100644
--- a/source4/libcli/auth/kerberos_verify.c
+++ b/source4/libcli/auth/kerberos_verify.c
@@ -80,7 +80,6 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
krb5_keyblock *keyblock)
{
krb5_error_code ret = 0;
- krb5_error_code our_ret = 0;
krb5_keytab keytab = NULL;
krb5_kt_cursor kt_cursor;
krb5_keytab_entry kt_entry;
@@ -89,6 +88,7 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
const char *my_name, *my_fqdn;
int i;
int number_matched_principals = 0;
+ const char *last_error_message;
/* Generate the list of principal names which we expect
* clients might want to use for authenticating to the file
@@ -111,7 +111,8 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
ret = krb5_kt_default(context, &keytab);
if (ret) {
- DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", error_message(ret)));
+ DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n",
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
goto out;
}
@@ -121,37 +122,43 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
if (ret) {
- DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret)));
+ last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+ DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n",
+ last_error_message));
goto out;
}
ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
if (ret != KRB5_KT_END && ret != ENOENT ) {
+ ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; /* Pick an error... */
while (ret && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
- ret = krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
- if (ret) {
- DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret)));
+ krb5_error_code upn_ret;
+ upn_ret = krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
+ if (upn_ret) {
+ last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+ DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n",
+ last_error_message));
+ ret = upn_ret;
break;
}
- ret = KRB5_BAD_ENCTYPE;
- for (i = 0; i < sizeof(valid_princ_formats) / sizeof(valid_princ_formats[0]); i++) {
- if (strequal(entry_princ_s, valid_princ_formats[i])) {
- number_matched_principals++;
- p_packet->length = ticket->length;
- p_packet->data = (krb5_pointer)ticket->data;
- *pp_tkt = NULL;
- our_ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt);
- if (our_ret != KRB5_BAD_ENCTYPE) {
- ret = our_ret;
- }
- if (our_ret) {
- DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n",
- entry_princ_s, error_message(our_ret)));
- } else {
- DEBUG(3,("ads_keytab_verify_ticket: krb5_rd_req succeeded for principal %s\n",
- entry_princ_s));
- break;
- }
+ for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
+ if (!strequal(entry_princ_s, valid_princ_formats[i])) {
+ continue;
+ }
+
+ number_matched_principals++;
+ p_packet->length = ticket->length;
+ p_packet->data = (krb5_pointer)ticket->data;
+ *pp_tkt = NULL;
+ ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt);
+ if (ret) {
+ last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+ DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n",
+ entry_princ_s, last_error_message));
+ } else {
+ DEBUG(3,("ads_keytab_verify_ticket: krb5_rd_req succeeded for principal %s\n",
+ entry_princ_s));
+ break;
}
}
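Review bot: The krb5_unparse_name failure path formats the wrong error code: `upn_ret` holds the failure, but the call reads `smb_get_krb5_error_message(context, ret, mem_ctx)`, where `ret` is still KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN or the previous krb5_rd_req result, so the logged message describes an unrelated error. Change it to `last_error_message = smb_get_krb5_error_message(context, upn_ret, mem_ctx);`. Note also that the old `our_ret != KRB5_BAD_ENCTYPE` preference is dropped, so `ret` now carries whatever the last tried principal's krb5_rd_req returned even when an earlier principal failed for a more specific reason; fine if intended, but worth a line in the commit message. The enclosing function continues outside this hunk.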
@@ -177,7 +184,7 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
DEBUG(3, ("ads_keytab_verify_ticket: krb5_rd_req failed for all %d matched keytab principals\n",
number_matched_principals));
}
- DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", error_message(ret)));
+ DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", last_error_message));
}
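Review bot: `last_error_message` is read by this DEBUG but is only assigned on the failure paths inside the keytab loop; when krb5_kt_start_seq_get succeeds and no entry matches `valid_princ_formats` (or the keytab is empty), `ret` stays at the KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN picked before the loop and the pointer is read uninitialised. Initialise it where it is declared (`const char *last_error_message = NULL;`) and fall back on the code here: `DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", last_error_message ? last_error_message : error_message(ret)));`. The declaration and the loop sit in earlier hunks and the function continues past this one.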
if (entry_princ_s) {
@@ -304,7 +311,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
DEBUG((our_ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
- (unsigned int)enctypes[i], error_message(our_ret)));
+ (unsigned int)enctypes[i], smb_get_krb5_error_message(context, our_ret, mem_ctx)));
if (our_ret != KRB5_BAD_ENCTYPE) {
ret = our_ret;
@@ -355,7 +362,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
ret = krb5_parse_name(context, host_princ_s, &host_princ);
if (ret) {
DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
- host_princ_s, error_message(ret)));
+ host_princ_s, error_message(ret)));
goto out;
}
@@ -400,14 +407,14 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
if (ret) {
DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
- error_message(ret)));
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
goto out;
}
ret = krb5_mk_rep(context, auth_context, &packet);
if (ret) {
DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
- error_message(ret)));
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
goto out;
}
@@ -434,7 +441,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt),
&malloc_principal))) {
DEBUG(3,("ads_verify_ticket: krb5_unparse_name failed (%s)\n",
- error_message(ret)));
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
sret = NT_STATUS_LOGON_FAILURE;
goto out;
}