Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/krb5_protos.h | 3 | ||||
-rw-r--r-- | source3/libads/kerberos.c | 140 | ||||
-rw-r--r-- | source3/libads/kerberos_proto.h | 3 | ||||
-rw-r--r-- | source3/libsmb/clikrb5.c | 142 |
4 files changed, 145 insertions, 143 deletions
diff --git a/source3/include/krb5_protos.h b/source3/include/krb5_protos.h
index c2d4517665..99569998a1 100644
--- a/source3/include/krb5_protos.h
+++ b/source3/include/krb5_protos.h
@@ -121,6 +121,9 @@ krb5_error_code smb_krb5_get_creds(const char *server_s,
 char *smb_krb5_principal_get_realm(krb5_context context,
 krb5_principal principal);
 
+char *kerberos_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
+ const char *service,
+ const char *remote_name);
 
 #endif /* HAVE_KRB5 */
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index a43c7b167c..f1df31ca4f 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -424,146 +424,6 @@ char* kerberos_secrets_fetch_des_salt( void )
 }
 
 /************************************************************************
- Routine to get the default realm from the kerberos credentials cache.
- Caller must free if the return value is not NULL.
-************************************************************************/
-
-char *kerberos_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
-{
- char *realm = NULL;
- krb5_context ctx = NULL;
- krb5_ccache cc = NULL;
- krb5_principal princ = NULL;
-
- initialize_krb5_error_table();
- if (krb5_init_context(&ctx)) {
- return NULL;
- }
-
- DEBUG(5,("kerberos_get_default_realm_from_ccache: "
- "Trying to read krb5 cache: %s\n",
- krb5_cc_default_name(ctx)));
- if (krb5_cc_default(ctx, &cc)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
- "failed to read default cache\n"));
- goto out;
- }
- if (krb5_cc_get_principal(ctx, cc, &princ)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
- "failed to get default principal\n"));
- goto out;
- }
-
-#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
- realm = talloc_strdup(mem_ctx, krb5_principal_get_realm(ctx, princ));
-#elif defined(HAVE_KRB5_PRINC_REALM)
- {
- krb5_data *realm_data = krb5_princ_realm(ctx, princ);
- realm = talloc_strndup(mem_ctx, realm_data->data, realm_data->length);
- }
-#endif
-
- out:
-
- if (ctx) {
- if (princ) {
- krb5_free_principal(ctx, princ);
- }
- if (cc) {
- krb5_cc_close(ctx, cc);
- }
- krb5_free_context(ctx);
- }
-
- return realm;
-}
-
-/************************************************************************
- Routine to get the realm from a given DNS name.
-************************************************************************/
-
-char *kerberos_get_realm_from_hostname(TALLOC_CTX *mem_ctx, const char *hostname)
-{
-#if defined(HAVE_KRB5_REALM_TYPE)
- /* Heimdal. */
- krb5_realm *realm_list = NULL;
-#else
- /* MIT */
- char **realm_list = NULL;
-#endif
- char *realm = NULL;
- krb5_error_code kerr;
- krb5_context ctx = NULL;
-
- initialize_krb5_error_table();
- if (krb5_init_context(&ctx)) {
- return NULL;
- }
-
- kerr = krb5_get_host_realm(ctx, hostname, &realm_list);
- if (kerr != 0) {
- DEBUG(3,("kerberos_get_realm_from_hostname %s: "
- "failed %s\n",
- hostname ? hostname : "(NULL)",
- error_message(kerr) ));
- goto out;
- }
-
- if (realm_list && realm_list[0]) {
- realm = talloc_strdup(mem_ctx, realm_list[0]);
- }
-
- out:
-
- if (ctx) {
- if (realm_list) {
- krb5_free_host_realm(ctx, realm_list);
- realm_list = NULL;
- }
- krb5_free_context(ctx);
- ctx = NULL;
- }
- return realm;
-}
-
-char *kerberos_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
- const char *service,
- const char *remote_name)
-{
- char *realm = NULL;
- char *host = NULL;
- char *principal;
- host = strchr_m(remote_name, '.');
- if (host) {
- /* DNS name. */
- realm = kerberos_get_realm_from_hostname(talloc_tos(), remote_name);
- } else {
- /* NetBIOS name - use our realm. */
- realm = kerberos_get_default_realm_from_ccache(talloc_tos());
- }
-
- if (realm == NULL || *realm == '\0') {
- realm = talloc_strdup(talloc_tos(), lp_realm());
- if (!realm) {
- return NULL;
- }
- DEBUG(3,("kerberos_get_principal_from_service_hostname: "
- "cannot get realm from, "
- "desthost %s or default ccache. Using default "
- "smb.conf realm %s\n",
- remote_name,
- realm));
- }
-
- principal = talloc_asprintf(mem_ctx,
- "%s/%s@%s",
- service, remote_name,
- realm);
- TALLOC_FREE(realm);
- return principal;
-}
-
-/************************************************************************
  Routine to get the salting principal for this service.
  This is maintained for backwards compatibilty with releases prior to 3.0.24.
  Since we store the salting principal string only at join, we may have
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 6a7811d652..50c56dc081 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -52,9 +52,6 @@ bool kerberos_secrets_store_des_salt( const char* salt );
 char* kerberos_secrets_fetch_des_salt( void );
 char *kerberos_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx);
 char *kerberos_get_realm_from_hostname(TALLOC_CTX *mem_ctx, const char *hostname);
-char *kerberos_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
- const char *service,
- const char *remote_name);
 bool kerberos_secrets_store_salting_principal(const char *service,
 int enctype,
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 9e03b30c35..792400b3ce 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
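Review bot: The context lines of this hunk still declare `char *kerberos_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx);` and `char *kerberos_get_realm_from_hostname(TALLOC_CTX *mem_ctx, const char *hostname);`, while the kerberos.c hunk removes both definitions and clikrb5.c re-adds them only as static smb_krb5_* helpers. Unless another translation unit defines them, these prototypes are now dangling: new code would compile against them and fail only at link time. Drop the two lines together with the prototype this hunk removes, or keep a non-static wrapper if the old names are still needed outside clikrb5.c.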
@@ -1439,6 +1439,148 @@ char *smb_krb5_principal_get_realm(krb5_context context,
 #endif
 }
 
+/************************************************************************
+ Routine to get the default realm from the kerberos credentials cache.
+ Caller must free if the return value is not NULL.
+************************************************************************/
+
+static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
+{
+ char *realm = NULL;
+ krb5_context ctx = NULL;
+ krb5_ccache cc = NULL;
+ krb5_principal princ = NULL;
+
+ initialize_krb5_error_table();
+ if (krb5_init_context(&ctx)) {
+ return NULL;
+ }
+
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
+ "Trying to read krb5 cache: %s\n",
+ krb5_cc_default_name(ctx)));
+ if (krb5_cc_default(ctx, &cc)) {
+ DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ "failed to read default cache\n"));
+ goto out;
+ }
+ if (krb5_cc_get_principal(ctx, cc, &princ)) {
+ DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ "failed to get default principal\n"));
+ goto out;
+ }
+
+#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
+ realm = talloc_strdup(mem_ctx, krb5_principal_get_realm(ctx, princ));
+#elif defined(HAVE_KRB5_PRINC_REALM)
+ {
+ krb5_data *realm_data = krb5_princ_realm(ctx, princ);
+ realm = talloc_strndup(mem_ctx, realm_data->data, realm_data->length);
+ }
+#endif
+
+ out:
+
+ if (ctx) {
+ if (princ) {
+ krb5_free_principal(ctx, princ);
+ }
+ if (cc) {
+ krb5_cc_close(ctx, cc);
+ }
+ krb5_free_context(ctx);
+ }
+
+ return realm;
+}
+
+/************************************************************************
+ Routine to get the realm from a given DNS name.
+************************************************************************/
+
+static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ const char *hostname)
+{
+#if defined(HAVE_KRB5_REALM_TYPE)
+ /* Heimdal. */
+ krb5_realm *realm_list = NULL;
+#else
+ /* MIT */
+ char **realm_list = NULL;
+#endif
+ char *realm = NULL;
+ krb5_error_code kerr;
+ krb5_context ctx = NULL;
+
+ initialize_krb5_error_table();
+ if (krb5_init_context(&ctx)) {
+ return NULL;
+ }
+
+ kerr = krb5_get_host_realm(ctx, hostname, &realm_list);
+ if (kerr != 0) {
+ DEBUG(3,("kerberos_get_realm_from_hostname %s: "
+ "failed %s\n",
+ hostname ? hostname : "(NULL)",
+ error_message(kerr) ));
+ goto out;
+ }
+
+ if (realm_list && realm_list[0]) {
+ realm = talloc_strdup(mem_ctx, realm_list[0]);
+ }
+
+ out:
+
+ if (ctx) {
+ if (realm_list) {
+ krb5_free_host_realm(ctx, realm_list);
+ realm_list = NULL;
+ }
+ krb5_free_context(ctx);
+ ctx = NULL;
+ }
+ return realm;
+}
+
+char *kerberos_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
+ const char *service,
+ const char *remote_name)
+{
+ char *realm = NULL;
+ char *host = NULL;
+ char *principal;
+ host = strchr_m(remote_name, '.');
+ if (host) {
+ /* DNS name. */
+ realm = smb_krb5_get_realm_from_hostname(talloc_tos(),
+ remote_name);
+ } else {
+ /* NetBIOS name - use our realm. */
+ realm = smb_krb5_get_default_realm_from_ccache(talloc_tos());
+ }
+
+ if (realm == NULL || *realm == '\0') {
+ realm = talloc_strdup(talloc_tos(), lp_realm());
+ if (!realm) {
+ return NULL;
+ }
+ DEBUG(3,("kerberos_get_principal_from_service_hostname: "
+ "cannot get realm from, "
+ "desthost %s or default ccache. Using default "
+ "smb.conf realm %s\n",
+ remote_name,
+ realm));
+ }
+
+ principal = talloc_asprintf(mem_ctx,
+ "%s/%s@%s",
+ service, remote_name,
+ realm);
+ TALLOC_FREE(realm);
+ return principal;
+}
+
 #else /* HAVE_KRB5 */
 /* this saves a few linking headaches */
 int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx, |
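Review bot: The DEBUG prefixes inside the moved helpers still name the old symbols — `DEBUG(5,("kerberos_get_default_realm_from_ccache: "` (and the two DEBUG(0,...) calls below it) inside smb_krb5_get_default_realm_from_ccache, and `DEBUG(3,("kerberos_get_realm_from_hostname %s: "` inside smb_krb5_get_realm_from_hostname — so these log lines now point at functions that no longer exist; update the strings to the new static names or use `__func__`. kerberos_get_principal_from_service_hostname is the exported entry point yet, unlike the two helpers, it carries no header comment; add one stating that the result is talloc'd on mem_ctx (NULL on failure, caller frees) and that the realm is taken from krb5_get_host_realm for a dotted remote_name, from the default ccache principal otherwise, and from lp_realm() when both yield nothing, and mirror it on the prototype added to krb5_protos.h. `host` is assigned only to be tested for non-NULL; `if (strchr_m(remote_name, '.') != NULL) {` removes the otherwise unused local. The hostname helper guards its argument with `hostname ? hostname : "(NULL)"` when logging, but remote_name reaches strchr_m and the DEBUG format unguarded — if any caller can pass NULL, reject it up front and return NULL.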