summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/librpc/crypto/gse_krb5.c240
1 files changed, 234 insertions, 6 deletions
diff --git a/source3/librpc/crypto/gse_krb5.c b/source3/librpc/crypto/gse_krb5.c
index 0e53f410fc..c1eea7fc70 100644
--- a/source3/librpc/crypto/gse_krb5.c
+++ b/source3/librpc/crypto/gse_krb5.c
@@ -325,10 +325,238 @@ out:
}
static krb5_error_code fill_mem_keytab_from_system_keytab(krb5_context krbctx,
- krb5_keytab *keytab,
- bool verify)
+ krb5_keytab *mkeytab)
{
- return KRB5_KT_NOTFOUND;
+ krb5_error_code ret = 0;
+ krb5_keytab keytab = NULL;
+ krb5_kt_cursor kt_cursor;
+ krb5_keytab_entry kt_entry;
+ char *valid_princ_formats[7] = { NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL };
+ char *entry_princ_s = NULL;
+ fstring my_name, my_fqdn;
+ int i;
+ int err;
+
+ /* Generate the list of principal names which we expect
+ * clients might want to use for authenticating to the file
+ * service. We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
+
+ fstrcpy(my_name, lp_netbios_name());
+
+ my_fqdn[0] = '\0';
+ name_to_fqdn(my_fqdn, lp_netbios_name());
+
+ err = asprintf(&valid_princ_formats[0],
+ "%s$@%s", my_name, lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+ err = asprintf(&valid_princ_formats[1],
+ "host/%s@%s", my_name, lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+ err = asprintf(&valid_princ_formats[2],
+ "host/%s@%s", my_fqdn, lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+ err = asprintf(&valid_princ_formats[3],
+ "host/%s.%s@%s", my_name, lp_realm(), lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+ err = asprintf(&valid_princ_formats[4],
+ "cifs/%s@%s", my_name, lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+ err = asprintf(&valid_princ_formats[5],
+ "cifs/%s@%s", my_fqdn, lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+ err = asprintf(&valid_princ_formats[6],
+ "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ ZERO_STRUCT(kt_entry);
+ ZERO_STRUCT(kt_cursor);
+
+ ret = smb_krb5_open_keytab(krbctx, NULL, false, &keytab);
+ if (ret) {
+ DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
+ error_message(ret)));
+ goto out;
+ }
+
+ /*
+ * Iterate through the keytab. For each key, if the principal
+ * name case-insensitively matches one of the allowed formats,
+ * copy it to the memory keytab.
+ */
+
+ ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor);
+ if (ret) {
+ DEBUG(1, (__location__ ": krb5_kt_start_seq_get failed (%s)\n",
+ error_message(ret)));
+ goto out;
+ }
+
+ while ((krb5_kt_next_entry(krbctx, keytab,
+ &kt_entry, &kt_cursor) == 0)) {
+ ret = smb_krb5_unparse_name(talloc_tos(), krbctx,
+ kt_entry.principal,
+ &entry_princ_s);
+ if (ret) {
+ DEBUG(1, (__location__ ": smb_krb5_unparse_name "
+ "failed (%s)\n", error_message(ret)));
+ goto out;
+ }
+
+ for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
+
+ if (!strequal(entry_princ_s, valid_princ_formats[i])) {
+ continue;
+ }
+
+ ret = krb5_kt_add_entry(krbctx, *mkeytab, &kt_entry);
+ if (ret) {
+ DEBUG(1, (__location__ ": smb_krb5_unparse_name "
+ "failed (%s)\n", error_message(ret)));
+ goto out;
+ }
+ }
+
+ /* Free the name we parsed. */
+ TALLOC_FREE(entry_princ_s);
+
+ /* Free the entry we just read. */
+ smb_krb5_kt_free_entry(krbctx, &kt_entry);
+ ZERO_STRUCT(kt_entry);
+ }
+ krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor);
+
+ ZERO_STRUCT(kt_cursor);
+
+out:
+
+ for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
+ SAFE_FREE(valid_princ_formats[i]);
+ }
+
+ TALLOC_FREE(entry_princ_s);
+
+ {
+ krb5_keytab_entry zero_kt_entry;
+ ZERO_STRUCT(zero_kt_entry);
+ if (memcmp(&zero_kt_entry, &kt_entry,
+ sizeof(krb5_keytab_entry))) {
+ smb_krb5_kt_free_entry(krbctx, &kt_entry);
+ }
+ }
+
+ {
+ krb5_kt_cursor zero_csr;
+ ZERO_STRUCT(zero_csr);
+ if ((memcmp(&kt_cursor, &zero_csr,
+ sizeof(krb5_kt_cursor)) != 0) && keytab) {
+ krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor);
+ }
+ }
+
+ if (keytab) {
+ krb5_kt_close(krbctx, keytab);
+ }
+
+ return ret;
+}
+
+static krb5_error_code fill_mem_keytab_from_dedicated_keytab(krb5_context krbctx,
+ krb5_keytab *mkeytab)
+{
+ krb5_error_code ret = 0;
+ krb5_keytab keytab = NULL;
+ krb5_kt_cursor kt_cursor;
+ krb5_keytab_entry kt_entry;
+
+ ZERO_STRUCT(kt_entry);
+ ZERO_STRUCT(kt_cursor);
+
+ ret = smb_krb5_open_keytab(krbctx, lp_dedicated_keytab_file(),
+ false, &keytab);
+ if (ret) {
+ DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
+ error_message(ret)));
+ goto out;
+ }
+
+ /*
+ * Iterate through the keytab. For each key, if the principal
+ * name case-insensitively matches one of the allowed formats,
+ * copy it to the memory keytab.
+ */
+
+ ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor);
+ if (ret) {
+ DEBUG(1, (__location__ ": krb5_kt_start_seq_get failed (%s)\n",
+ error_message(ret)));
+ goto out;
+ }
+
+ while ((krb5_kt_next_entry(krbctx, keytab,
+ &kt_entry, &kt_cursor) == 0)) {
+
+ ret = krb5_kt_add_entry(krbctx, *mkeytab, &kt_entry);
+ if (ret) {
+ DEBUG(1, (__location__ ": smb_krb5_unparse_name "
+ "failed (%s)\n", error_message(ret)));
+ goto out;
+ }
+
+ /* Free the entry we just read. */
+ smb_krb5_kt_free_entry(krbctx, &kt_entry);
+ ZERO_STRUCT(kt_entry);
+ }
+ krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor);
+
+ ZERO_STRUCT(kt_cursor);
+
+out:
+
+ {
+ krb5_keytab_entry zero_kt_entry;
+ ZERO_STRUCT(zero_kt_entry);
+ if (memcmp(&zero_kt_entry, &kt_entry,
+ sizeof(krb5_keytab_entry))) {
+ smb_krb5_kt_free_entry(krbctx, &kt_entry);
+ }
+ }
+
+ {
+ krb5_kt_cursor zero_csr;
+ ZERO_STRUCT(zero_csr);
+ if ((memcmp(&kt_cursor, &zero_csr,
+ sizeof(krb5_kt_cursor)) != 0) && keytab) {
+ krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor);
+ }
+ }
+
+ if (keytab) {
+ krb5_kt_close(krbctx, keytab);
+ }
+
+ return ret;
}
krb5_error_code gse_krb5_get_server_keytab(krb5_context krbctx,
@@ -354,11 +582,11 @@ krb5_error_code gse_krb5_get_server_keytab(krb5_context krbctx,
ret = fill_mem_keytab_from_secrets(krbctx, keytab);
break;
case KERBEROS_VERIFY_SYSTEM_KEYTAB:
- ret = fill_mem_keytab_from_system_keytab(krbctx, keytab, true);
+ ret = fill_mem_keytab_from_system_keytab(krbctx, keytab);
break;
case KERBEROS_VERIFY_DEDICATED_KEYTAB:
/* just use whatever keytab is configured */
- ret = fill_mem_keytab_from_system_keytab(krbctx, keytab, false);
+ ret = fill_mem_keytab_from_dedicated_keytab(krbctx, keytab);
break;
case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
ret1 = fill_mem_keytab_from_secrets(krbctx, keytab);
@@ -367,7 +595,7 @@ krb5_error_code gse_krb5_get_server_keytab(krb5_context krbctx,
"keytab from secrets!\n"));
}
/* Now append system keytab keys too */
- ret2 = fill_mem_keytab_from_system_keytab(krbctx, keytab, true);
+ ret2 = fill_mem_keytab_from_system_keytab(krbctx, keytab);
if (ret2) {
DEBUG(3, (__location__ ": Warning! Unable to set mem "
"keytab from system keytab!\n"));