summaryrefslogtreecommitdiff
path: root/source3/libads
diff options
context:
space:
mode:
Diffstat (limited to 'source3/libads')
-rw-r--r--source3/libads/authdata.c1
-rw-r--r--source3/libads/kerberos.c37
-rw-r--r--source3/libads/kerberos_proto.h14
3 files changed, 48 insertions, 4 deletions
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 5a8ca28b14..cb218dd7b2 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -31,6 +31,7 @@
#include "librpc/crypto/gse.h"
#include "auth/gensec/gensec.h"
#include "../libcli/auth/spnego.h"
+#include "auth/kerberos/pac_utils.h"
#ifdef HAVE_KRB5
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index f1df31ca4f..7e95380011 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -219,7 +219,8 @@ int kerberos_kinit_password_ext(const char *principal,
}
#endif
if (add_netbios_addr) {
- if ((code = smb_krb5_gen_netbios_krb5_address(&addr))) {
+ if ((code = smb_krb5_gen_netbios_krb5_address(&addr,
+ lp_netbios_name()))) {
goto out;
}
krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
@@ -407,6 +408,7 @@ bool kerberos_secrets_store_des_salt( const char* salt )
/************************************************************************
************************************************************************/
+static
char* kerberos_secrets_fetch_des_salt( void )
{
char *salt, *key;
@@ -430,6 +432,7 @@ char* kerberos_secrets_fetch_des_salt( void )
to look for the older tdb keys. Caller must free if return is not null.
************************************************************************/
+static
krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
krb5_principal host_princ,
int enctype)
@@ -462,6 +465,38 @@ krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
return ret_princ;
}
+int create_kerberos_key_from_string(krb5_context context,
+ krb5_principal host_princ,
+ krb5_data *password,
+ krb5_keyblock *key,
+ krb5_enctype enctype,
+ bool no_salt)
+{
+ krb5_principal salt_princ = NULL;
+ int ret;
+ /*
+ * Check if we've determined that the KDC is salting keys for this
+ * principal/enctype in a non-obvious way. If it is, try to match
+ * its behavior.
+ */
+ if (no_salt) {
+ KRB5_KEY_DATA(key) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length);
+ if (!KRB5_KEY_DATA(key)) {
+ return ENOMEM;
+ }
+ memcpy(KRB5_KEY_DATA(key), password->data, password->length);
+ KRB5_KEY_LENGTH(key) = password->length;
+ KRB5_KEY_TYPE(key) = enctype;
+ return 0;
+ }
+ salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
+ ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
+ if (salt_princ) {
+ krb5_free_principal(context, salt_princ);
+ }
+ return ret;
+}
+
/************************************************************************
Routine to set the salting principal for this service. Active
Directory may use a non-obvious principal name to generate the salt
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 50c56dc081..f7470d2f81 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -30,6 +30,8 @@
#ifndef _LIBADS_KERBEROS_PROTO_H_
#define _LIBADS_KERBEROS_PROTO_H_
+#include "system/kerberos.h"
+
struct PAC_LOGON_INFO;
#include "libads/ads_status.h"
@@ -49,9 +51,6 @@ int kerberos_kinit_password_ext(const char *principal,
int ads_kdestroy(const char *cc_name);
char* kerberos_standard_des_salt( void );
bool kerberos_secrets_store_des_salt( const char* salt );
-char* kerberos_secrets_fetch_des_salt( void );
-char *kerberos_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx);
-char *kerberos_get_realm_from_hostname(TALLOC_CTX *mem_ctx, const char *hostname);
bool kerberos_secrets_store_salting_principal(const char *service,
int enctype,
@@ -90,4 +89,13 @@ ADS_STATUS kerberos_set_password(const char *kpasswd_server,
const char *target_principal, const char *new_password,
int time_offset);
+#ifdef HAVE_KRB5
+int create_kerberos_key_from_string(krb5_context context,
+ krb5_principal host_princ,
+ krb5_data *password,
+ krb5_keyblock *key,
+ krb5_enctype enctype,
+ bool no_salt);
+#endif
+
#endif /* _LIBADS_KERBEROS_PROTO_H_ */