summaryrefslogtreecommitdiff
path: root/source3/libads
diff options
context:
space:
mode:
Diffstat (limited to 'source3/libads')
-rw-r--r--source3/libads/kerberos_verify.c44
-rw-r--r--source3/libads/ldap.c19
2 files changed, 19 insertions, 44 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 52fd2e6862..22b58f47dd 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -38,7 +38,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
krb5_ticket *tkt = NULL;
krb5_data salt;
krb5_encrypt_block eblock;
- int ret, i;
+ int ret;
krb5_keyblock * key;
krb5_principal host_princ;
char *host_princ_s;
@@ -46,7 +46,6 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
fstring myname;
char *password_s;
krb5_data password;
- krb5_enctype *enctypes = NULL;
if (!secrets_init()) {
DEBUG(1,("secrets_init failed\n"));
@@ -71,6 +70,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
ret = krb5_set_default_realm(context, ads->auth.realm);
if (ret) {
DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret)));
+ ads_destroy(&ads);
return NT_STATUS_LOGON_FAILURE;
}
@@ -102,44 +102,30 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
return NT_STATUS_NO_MEMORY;
}
- if ((ret = krb5_get_permitted_enctypes(context, &enctypes))) {
- DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n",
- error_message(ret)));
+ krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5);
+
+ ret = krb5_string_to_key(context, &eblock, key, &password, &salt);
+ if (ret) {
+ DEBUG(1,("krb5_string_to_key failed (%s)\n", error_message(ret)));
return NT_STATUS_LOGON_FAILURE;
}
- /* we need to setup a auth context with each possible encoding type in turn */
- for (i=0;enctypes[i];i++) {
- krb5_use_enctype(context, &eblock, enctypes[i]);
-
- ret = krb5_string_to_key(context, &eblock, key, &password, &salt);
- if (ret) {
- continue;
- }
+ krb5_auth_con_setuseruserkey(context, auth_context, key);
- krb5_auth_con_setuseruserkey(context, auth_context, key);
+ packet.length = ticket->length;
+ packet.data = (krb5_pointer)ticket->data;
- packet.length = ticket->length;
- packet.data = (krb5_pointer)ticket->data;
-
- if (!(ret = krb5_rd_req(context, &auth_context, &packet,
- NULL, keytab, NULL, &tkt))) {
- krb5_free_ktypes(context, enctypes);
- break;
- }
- }
+#if 0
+ file_save("/tmp/ticket.dat", ticket->data, ticket->length);
+#endif
- if (!enctypes[i]) {
+ if ((ret = krb5_rd_req(context, &auth_context, &packet,
+ NULL, keytab, NULL, &tkt))) {
DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
error_message(ret)));
return NT_STATUS_LOGON_FAILURE;
}
-#if 0
- file_save("/tmp/ticket.dat", ticket->data, ticket->length);
-#endif
-
-
if (tkt->enc_part2) {
*auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents,
tkt->enc_part2->authorization_data[0]->length);
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index d3c8b39e22..2133bf0719 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1031,8 +1031,6 @@ static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname,
ADS_MODLIST mods;
const char *objectClass[] = {"top", "person", "organizationalPerson",
"user", "computer", NULL};
- char *servicePrincipalName[3] = {NULL, NULL, NULL};
- unsigned acct_control;
if (!(ctx = talloc_init_named("machine_account")))
return ADS_ERROR(LDAP_NO_MEMORY);
@@ -1050,24 +1048,15 @@ static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname,
}
new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", hostname, ou_str,
ads->config.bind_path);
- servicePrincipalName[0] = talloc_asprintf(ctx, "HOST/%s", hostname);
- servicePrincipalName[1] = talloc_asprintf(ctx, "HOST/%s.%s",
- hostname,
- ads->config.realm);
- strlower(&servicePrincipalName[1][5]);
-
free(ou_str);
if (!new_dn)
goto done;
if (!(samAccountName = talloc_asprintf(ctx, "%s$", hostname)))
goto done;
-
- acct_control = UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD;
-#ifndef ENCTYPE_ARCFOUR_HMAC
- acct_control |= UF_USE_DES_KEY_ONLY;
-#endif
- if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control)))
+ if (!(controlstr = talloc_asprintf(ctx, "%u",
+ UF_DONT_EXPIRE_PASSWD | UF_WORKSTATION_TRUST_ACCOUNT |
+ UF_TRUSTED_FOR_DELEGATION | UF_USE_DES_KEY_ONLY)))
goto done;
if (!(mods = ads_init_mods(ctx)))
@@ -1077,7 +1066,7 @@ static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname,
ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
- ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
+ ads_mod_str(ctx, &mods, "servicePrincipalName", host_spn);
ads_mod_str(ctx, &mods, "dNSHostName", hostname);
ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
ads_mod_str(ctx, &mods, "operatingSystem", "Samba");
generated by cgit (git 2.34.1) at 2024-11-08 16:11:12 +0000