Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/includes.h | 16 | ||||
-rw-r--r-- | source3/libads/kerberos_verify.c | 60 | ||||
-rw-r--r-- | source3/libsmb/clikrb5.c | 122 | ||||
-rw-r--r-- | source3/utils/net_lookup.c | 2 |
4 files changed, 47 insertions, 153 deletions
diff --git a/source3/include/includes.h b/source3/include/includes.h index 08e801427c..23d6d1c457 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -1214,22 +1214,8 @@ krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_ krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc); #endif -#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) -krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock *keyblock); -#endif - -/* Samba wrapper functions for krb5 functionality. */ +/* Samba wrapper function for krb5 functionality. */ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr); -int create_kerberos_key_from_string(krb5_context context, - krb5_principal host_princ, - krb5_data *password, - krb5_keyblock *key); - -void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt); -krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt); -krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); #endif /* HAVE_KRB5 */ diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 268326fca9..c1402b1370 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -36,13 +36,17 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, krb5_keytab keytab = NULL; krb5_data packet; krb5_ticket *tkt = NULL; - int ret; + krb5_data salt; + krb5_encrypt_block eblock; + int ret, i; krb5_keyblock * key; krb5_principal host_princ; char *host_princ_s; fstring myname; char *password_s; krb5_data password; + krb5_enctype *enctypes = NULL; + BOOL auth_ok = False; if (!secrets_init()) { DEBUG(1,("secrets_init failed\n")); 
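Review bot: Dropping the prototypes for the `krb5_auth_con_setuseruserkey` compatibility shim (guarded by `HAVE_KRB5_AUTH_CON_SETKEY && !HAVE_KRB5_AUTH_CON_SETUSERUSERKEY`) and for `krb5_locate_kdc` leaves their call sites — `krb5_auth_con_setuseruserkey` in ads_verify_ticket and `krb5_locate_kdc` in net_lookup_kdc, both still present in this commit — depending entirely on the system krb5 headers. The matching shim and the `!defined(HAVE_KRB5_LOCATE_KDC)` fallback body are deleted from clikrb5.c in the same commit, so on a library that only offers the `setkey` spelling, or has no `krb5_locate_kdc`, these calls presumably become implicit declarations or link errors rather than a clear configure-time failure. If retiring that library support is intended, I would add a configure check that fails with an explicit message; otherwise keep the two declarations under their existing `#if` guards. The `krb5_set_default_tgs_ktypes` prototype that opens the hunk starts outside it.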
@@ -67,7 +71,6 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, ret = krb5_set_default_realm(context, ads->auth.realm); if (ret) { DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret))); - ads_destroy(&ads); return NT_STATUS_LOGON_FAILURE; } 
@@ -89,32 +92,59 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, return NT_STATUS_LOGON_FAILURE; } + ret = krb5_principal2salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); + return NT_STATUS_LOGON_FAILURE; + } + if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) { return NT_STATUS_NO_MEMORY; } - if (create_kerberos_key_from_string(context, host_princ, &password, key)) { - SAFE_FREE(key); + if ((ret = krb5_get_permitted_enctypes(context, &enctypes))) { + DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n", + error_message(ret))); return NT_STATUS_LOGON_FAILURE; } - - krb5_auth_con_setuseruserkey(context, auth_context, key); - packet.length = ticket->length; - packet.data = (krb5_pointer)ticket->data; + /* we need to setup a auth context with each possible encoding type in turn */ + for (i=0;enctypes[i];i++) { + krb5_use_enctype(context, &eblock, enctypes[i]); -#if 0 - file_save("/tmp/ticket.dat", ticket->data, ticket->length); -#endif + ret = krb5_string_to_key(context, &eblock, key, &password, &salt); + if (ret) { + continue; + } + + krb5_auth_con_setuseruserkey(context, auth_context, key); - if ((ret = krb5_rd_req(context, &auth_context, &packet, - NULL, keytab, NULL, &tkt))) { + packet.length = ticket->length; + packet.data = (krb5_pointer)ticket->data; + + if (!(ret = krb5_rd_req(context, &auth_context, &packet, + NULL, keytab, NULL, &tkt))) { + krb5_free_ktypes(context, enctypes); + auth_ok = True; + break; + } + } + + if (!auth_ok) { DEBUG(3,("krb5_rd_req with auth failed (%s)\n", error_message(ret))); return NT_STATUS_LOGON_FAILURE; } - get_auth_data_from_tkt(auth_data, tkt); +#if 0 + file_save("/tmp/ticket.dat", ticket->data, ticket->length); +#endif + + + if (tkt->enc_part2) { + *auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents, + tkt->enc_part2->authorization_data[0]->length); + } #if 0 if (tkt->enc_part2) { 
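Review bot: The new authorization-data extraction dereferences `tkt->enc_part2->authorization_data[0]` without checking that the array exists, so a validly issued ticket that carries no authorization data (which a non-AD KDC can presumably emit) crashes the server with a NULL dereference; the guard should read `if (tkt->enc_part2 && tkt->enc_part2->authorization_data && tkt->enc_part2->authorization_data[0])`. The enctype loop also leaks in a long-lived daemon: the `key->contents` produced by each `krb5_string_to_key` call is never released between iterations, `key`, `enctypes` and the salt from `krb5_principal2salt` are all leaked on the `!auth_ok` path (the old `SAFE_FREE(key)` on failure was dropped), and `key` leaks again when `krb5_get_permitted_enctypes` fails. I would release the derived key after each `krb5_rd_req` attempt and free the remaining resources unconditionally before the failure check, as below; `krb5_auth_con_setuseruserkey` copies the keyblock in MIT so freeing after the attempt looks safe, but confirm this and the free-routine names against the krb5 library in use. The code also now reaches into `enc_part2` directly where the removed `HAVE_KRB5_TKT_ENC_PART2` wrapper used to abstract it, so this hunk no longer builds against a `krb5_ticket` without that member.
```c
	/* we need to setup a auth context with each possible encoding type in turn */
	for (i=0;enctypes[i];i++) {
		krb5_use_enctype(context, &eblock, enctypes[i]);

		ret = krb5_string_to_key(context, &eblock, key, &password, &salt);
		if (ret) {
			continue;
		}

		krb5_auth_con_setuseruserkey(context, auth_context, key);

		packet.length = ticket->length;
		packet.data = (krb5_pointer)ticket->data;

		ret = krb5_rd_req(context, &auth_context, &packet,
				  NULL, keytab, NULL, &tkt);
		/* the auth context holds its own copy; drop ours before the next enctype */
		krb5_free_keyblock_contents(context, key);
		if (!ret) {
			auth_ok = True;
			break;
		}
	}

	/* released on every path, not only on success */
	krb5_free_ktypes(context, enctypes);
	krb5_free_data_contents(context, &salt);
	SAFE_FREE(key);

	if (!auth_ok) {
		DEBUG(3,("krb5_rd_req with auth failed (%s)\n", error_message(ret)));
		return NT_STATUS_LOGON_FAILURE;
	}

	/* … unchanged: disabled file_save debug block … */

	/* a ticket may legitimately carry no authorization data */
	if (tkt->enc_part2 && tkt->enc_part2->authorization_data &&
	    tkt->enc_part2->authorization_data[0]) {
		*auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents,
				       tkt->enc_part2->authorization_data[0]->length);
	}
```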
@@ -124,7 +154,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, } #endif - if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt), principal))) { + if ((ret = krb5_unparse_name(context, tkt->enc_part2->client, principal))) { DEBUG(3,("krb5_unparse_name failed (%s)\n", error_message(ret))); return NT_STATUS_LOGON_FAILURE; diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 203d9d874b..2047efd704 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
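Review bot: `tkt->enc_part2->client` is dereferenced unconditionally here, a few lines after the same function guards `if (tkt->enc_part2)` before reading the authorization data, so either that guard is dead or this line can NULL-dereference on a ticket whose decrypted part is absent; the two should agree, e.g. `if (!tkt->enc_part2 || (ret = krb5_unparse_name(context, tkt->enc_part2->client, principal)))` returning `NT_STATUS_LOGON_FAILURE`. Replacing the removed `get_principal_from_tkt` wrapper with a direct `enc_part2` access also drops the `HAVE_KRB5_TKT_ENC_PART2` / `tkt->client` alternative it provided, so this line presumably no longer compiles against a krb5 whose `krb5_ticket` lacks `enc_part2`. The enclosing ads_verify_ticket continues outside the hunk.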
@@ -70,128 +70,6 @@ __ERROR__XX__UNKNOWN_ADDRTYPE #endif -#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) - int create_kerberos_key_from_string(krb5_context context, - krb5_principal host_princ, - krb5_data *password, - krb5_keyblock *key) -{ - int ret; - krb5_data salt; - krb5_encrypt_block eblock; - - ret = krb5_principal2salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); - return ret; - } - krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); - return krb5_string_to_key(context, &eblock, key, password, &salt); -} -#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) - int create_kerberos_key_from_string(krb5_context context, - krb5_principal host_princ, - krb5_data *password, - krb5_keyblock *key) -{ - int ret; - krb5_salt salt; - - ret = krb5_get_pw_salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); - return ret; - } - return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data, - salt, key); -} -#else - __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS -#endif - -#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) - krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock *keyblock) -{ - return krb5_auth_con_setkey(context, auth_context, keyblock); -} -#endif - - void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt) -{ -#if defined(HAVE_KRB5_TKT_ENC_PART2) - if (tkt->enc_part2) - *auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents, - tkt->enc_part2->authorization_data[0]->length); -#else - if (tkt->ticket.authorization_data && tkt->ticket.authorization_data->len) - *auth_data = data_blob(tkt->ticket.authorization_data->val->ad_data.data, - tkt->ticket.authorization_data->val->ad_data.length); -#endif -} - - 
krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt) -{ -#if defined(HAVE_KRB5_TKT_ENC_PART2) - return tkt->enc_part2->client; -#else - return tkt->client; -#endif -} - -#if !defined(HAVE_KRB5_LOCATE_KDC) - krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters) -{ - krb5_krbhst_handle hnd; - krb5_krbhst_info *hinfo; - krb5_error_code rc; - int num_kdcs, i; - struct sockaddr *sa; - - *addr_pp = NULL; - *naddrs = 0; - - rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd); - if (rc) { - DEBUG(0, ("krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc))); - return rc; - } - - for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++) - ; - - krb5_krbhst_reset(ctx, hnd); - - if (!num_kdcs) { - DEBUG(0, ("krb5_locate_kdc: zero kdcs found !\n")); - krb5_krbhst_free(ctx, hnd); - return -1; - } - - sa = malloc( sizeof(struct sockaddr) * num_kdcs ); - if (!sa) { - DEBUG(0, ("krb5_locate_kdc: malloc failed\n")); - krb5_krbhst_free(ctx, hnd); - naddrs = 0; - return -1; - } - - memset(*addr_pp, '\0', sizeof(struct sockaddr) * num_kdcs ); - - for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) { - if (hinfo->ai->ai_family == AF_INET) - memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr)); - } - - krb5_krbhst_free(ctx, hnd); - - *naddrs = num_kdcs; - *addr_pp = sa; - return 0; -} -#endif - /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ diff --git a/source3/utils/net_lookup.c b/source3/utils/net_lookup.c index eedc2c7f92..271094480c 100644 --- a/source3/utils/net_lookup.c +++ b/source3/utils/net_lookup.c 
@@ -201,7 +201,7 @@ static int net_lookup_kdc(int argc, const char **argv) realm.length = strlen(realm.data); } - rc = krb5_locate_kdc(ctx, &realm, (struct sockaddr **)&addrs, &num_kdcs, 0); + rc = krb5_locate_kdc(ctx, &realm, &addrs, &num_kdcs, 0); if (rc) { DEBUG(1, ("krb5_locate_kdc failed (%s)\n", error_message(rc))); return -1; |