diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/libads/kerberos.c | 74 | ||||
-rw-r--r-- | source3/libads/kerberos_keytab.c | 2 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 14 |
3 files changed, 66 insertions, 24 deletions
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 6004bc8098..32f5951c9f 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -362,8 +362,8 @@ static krb5_error_code get_service_ticket(krb5_context ctx, } if ((err = krb5_get_credentials(ctx, 0, ccache, &creds, &new_creds))) { - DEBUG(5,("get_service_ticket: krb5_get_credentials for %s failed: %s\n", - service_s, error_message(err))); + DEBUG(5,("get_service_ticket: krb5_get_credentials for %s enctype %d failed: %s\n", + service_s, enctype, error_message(err))); goto out; } @@ -602,23 +602,12 @@ static void kerberos_derive_salting_principal_for_enctype(const char *service_pr Go through all the possible enctypes for this principal. ************************************************************************/ - void kerberos_derive_salting_principal(krb5_context context, +static void kerberos_derive_salting_principal_direct(krb5_context context, krb5_ccache ccache, krb5_enctype *enctypes, char *service_principal) { int i; - BOOL free_ccache = False; - - if (ccache == NULL) { - krb5_error_code ret; - if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) { - DEBUG(0, ("kerberos_derive_salting_principal: krb5_cc_resolve for %s failed: %s\n", - LIBADS_CCACHE_NAME, error_message(ret))); - return; - } - free_ccache = True; - } /* Try for each enctype separately, because the rules are * different for different enctypes. */ @@ -640,9 +629,48 @@ static void kerberos_derive_salting_principal_for_enctype(const char *service_pr enctypes[i], enctypes); } +} - if (free_ccache && ccache) { - krb5_cc_close(context, ccache); +/************************************************************************ + Wrapper function for the above. + ************************************************************************/ + +void kerberos_derive_salting_principal(char *service_principal) +{ + krb5_context context = NULL; + krb5_enctype *enctypes = NULL; + krb5_ccache ccache = NULL; + krb5_error_code ret = 0; + + initialize_krb5_error_table(); + if ((ret = krb5_init_context(&context)) != 0) { + DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. %s\n", + error_message(ret))); + return; + } + if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) { + DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n", + error_message(ret))); + goto out; + } + + if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) { + DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n", + LIBADS_CCACHE_NAME, error_message(ret))); + goto out; + } + + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service_principal); + + out: + if (enctypes) { + free_kerberos_etypes(context, enctypes); + } + if (ccache) { + krb5_cc_destroy(context, ccache); + } + if (context) { + krb5_free_context(context); } } @@ -681,38 +709,38 @@ BOOL kerberos_derive_cifs_salting_principals(void) if (asprintf(&service, "%s$", global_myname()) != -1) { strlower_m(service); - kerberos_derive_salting_principal(context, ccache, enctypes, service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); SAFE_FREE(service); } if (asprintf(&service, "cifs/%s", global_myname()) != -1) { strlower_m(service); - kerberos_derive_salting_principal(context, ccache, enctypes, service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); SAFE_FREE(service); } if (asprintf(&service, "host/%s", global_myname()) != -1) { strlower_m(service); - kerberos_derive_salting_principal(context, ccache, enctypes, service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); SAFE_FREE(service); } if (asprintf(&service, "cifs/%s.%s", global_myname(), lp_realm()) != -1) { strlower_m(service); - kerberos_derive_salting_principal(context, ccache, enctypes, service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); SAFE_FREE(service); } if (asprintf(&service, "host/%s.%s", global_myname(), lp_realm()) != -1) { strlower_m(service); - kerberos_derive_salting_principal(context, ccache, enctypes, service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); SAFE_FREE(service); } name_to_fqdn(my_fqdn, global_myname()); if (asprintf(&service, "cifs/%s", my_fqdn) != -1) { strlower_m(service); - kerberos_derive_salting_principal(context, ccache, enctypes, service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); SAFE_FREE(service); } if (asprintf(&service, "host/%s", my_fqdn) != -1) { strlower_m(service); - kerberos_derive_salting_principal(context, ccache, enctypes, service); + kerberos_derive_salting_principal_direct(context, ccache, enctypes, service); SAFE_FREE(service); } diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c index 90f5a376d6..97374508ab 100644 --- a/source3/libads/kerberos_keytab.c +++ b/source3/libads/kerberos_keytab.c @@ -128,7 +128,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) } /* Guess at how the KDC is salting keys for this principal. */ - kerberos_derive_salting_principal(context, NULL, enctypes, princ_s); + kerberos_derive_salting_principal(princ_s); ret = krb5_parse_name(context, princ_s, &princ); if (ret) { diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 2202ee11e2..9efa45e58f 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -823,6 +823,20 @@ int net_ads_join(int argc, const char **argv) return -1; } +#ifdef HAVE_KRB5 + if (!kerberos_derive_salting_principal(machine_account)) { + DEBUG(1,("Failed to determine salting principal\n")); + ads_destroy(&ads); + return -1; + } + + if (!kerberos_derive_cifs_salting_principals()) { + DEBUG(1,("Failed to determine salting principals\n")); + ads_destroy(&ads); + return -1; + } +#endif + if (!secrets_store_domain_sid(short_domain_name, &dom_sid)) { DEBUG(1,("Failed to save domain sid\n")); ads_destroy(&ads); |