diff options
Diffstat (limited to 'source3/libads')
-rw-r--r-- | source3/libads/ads_utils.c | 46 | ||||
-rw-r--r-- | source3/libads/kerberos_verify.c | 46 |
2 files changed, 15 insertions, 77 deletions
diff --git a/source3/libads/ads_utils.c b/source3/libads/ads_utils.c index 626c177926..750940e336 100644 --- a/source3/libads/ads_utils.c +++ b/source3/libads/ads_utils.c @@ -89,52 +89,6 @@ uint32 ads_uf2atype(uint32 uf) } /* -translated the GROUP_CTRL Flags to GroupType (groupType) -*/ -uint32 ads_gcb2gtype(uint16 gcb) -{ - uint32 gtype = 0x00000000; - - if (gcb & GCB_ALIAS_GROUP) gtype |= GTYPE_SECURITY_BUILTIN_LOCAL_GROUP; - else if(gcb & GCB_LOCAL_GROUP) gtype |= GTYPE_SECURITY_DOMAIN_LOCAL_GROUP; - if (gcb & GCB_GLOBAL_GROUP) gtype |= GTYPE_SECURITY_GLOBAL_GROUP; - - return gtype; -} - -/* -translated the GroupType (groupType) to GROUP_CTRL Flags -*/ -uint16 ads_gtype2gcb(uint32 gtype) -{ - uint16 gcb = 0x0000; - - switch(gtype) { - case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP: - gcb = GCB_ALIAS_GROUP; - break; - case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP: - gcb = GCB_LOCAL_GROUP; - break; - case GTYPE_SECURITY_GLOBAL_GROUP: - gcb = GCB_GLOBAL_GROUP; - break; - - case GTYPE_DISTRIBUTION_GLOBAL_GROUP: - gcb = GCB_GLOBAL_GROUP; - break; - case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP: - gcb = GCB_LOCAL_GROUP; - break; - case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP: - gcb = GCB_GLOBAL_GROUP; - break; - } - - return gcb; -} - -/* get the accountType from the groupType */ uint32 ads_gtype2atype(uint32 gtype) diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index c1402b1370..f761467d6f 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -38,15 +38,13 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, krb5_ticket *tkt = NULL; krb5_data salt; krb5_encrypt_block eblock; - int ret, i; + int ret; krb5_keyblock * key; krb5_principal host_princ; char *host_princ_s; fstring myname; char *password_s; krb5_data password; - krb5_enctype *enctypes = NULL; - BOOL auth_ok = False; if (!secrets_init()) { DEBUG(1,("secrets_init failed\n")); @@ -71,6 +69,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, ret = krb5_set_default_realm(context, ads->auth.realm); if (ret) { DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret))); + ads_destroy(&ads); return NT_STATUS_LOGON_FAILURE; } @@ -102,45 +101,30 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, return NT_STATUS_NO_MEMORY; } - if ((ret = krb5_get_permitted_enctypes(context, &enctypes))) { - DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n", - error_message(ret))); + krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); + + ret = krb5_string_to_key(context, &eblock, key, &password, &salt); + if (ret) { + DEBUG(1,("krb5_string_to_key failed (%s)\n", error_message(ret))); return NT_STATUS_LOGON_FAILURE; } - /* we need to setup a auth context with each possible encoding type in turn */ - for (i=0;enctypes[i];i++) { - krb5_use_enctype(context, &eblock, enctypes[i]); - - ret = krb5_string_to_key(context, &eblock, key, &password, &salt); - if (ret) { - continue; - } + krb5_auth_con_setuseruserkey(context, auth_context, key); - krb5_auth_con_setuseruserkey(context, auth_context, key); + packet.length = ticket->length; + packet.data = (krb5_pointer)ticket->data; - packet.length = ticket->length; - packet.data = (krb5_pointer)ticket->data; - - if (!(ret = krb5_rd_req(context, &auth_context, &packet, - NULL, keytab, NULL, &tkt))) { - krb5_free_ktypes(context, enctypes); - auth_ok = True; - break; - } - } +#if 0 + file_save("/tmp/ticket.dat", ticket->data, ticket->length); +#endif - if (!auth_ok) { + if ((ret = krb5_rd_req(context, &auth_context, &packet, + NULL, keytab, NULL, &tkt))) { DEBUG(3,("krb5_rd_req with auth failed (%s)\n", error_message(ret))); return NT_STATUS_LOGON_FAILURE; } -#if 0 - file_save("/tmp/ticket.dat", ticket->data, ticket->length); -#endif - - if (tkt->enc_part2) { *auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents, tkt->enc_part2->authorization_data[0]->length); |