Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/kerberos/clikrb5.c | 152 |
1 files changed, 0 insertions, 152 deletions
diff --git a/source4/auth/kerberos/clikrb5.c b/source4/auth/kerberos/clikrb5.c
index e48e1940ab..3caba8be22 100644
--- a/source4/auth/kerberos/clikrb5.c
+++ b/source4/auth/kerberos/clikrb5.c
@@ -28,26 +28,6 @@
 #ifdef HAVE_KRB5
-#ifndef HAVE_KRB5_SET_REAL_TIME
-/*
- * This function is not in the Heimdal mainline.
- */
- krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds)
-{
- krb5_error_code ret;
- int32_t sec, usec;
-
- ret = krb5_us_timeofday(context, &sec, &usec);
- if (ret)
- return ret;
-
- context->kdc_sec_offset = seconds - sec;
- context->kdc_usec_offset = microseconds - usec;
-
- return 0;
-}
-#endif
-
 #if defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) && !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
 krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
 {
@@ -200,138 +180,6 @@
 #endif
 }
-static BOOL ads_cleanup_expired_creds(krb5_context context,
- krb5_ccache ccache,
- krb5_creds *credsp)
-{
- krb5_error_code retval;
- TALLOC_CTX *mem_ctx = talloc_init("ticket expied time");
- if (!mem_ctx) {
- return False;
- }
-
- DEBUG(3, ("Ticket in ccache[%s] expiration %s\n",
- krb5_cc_default_name(context),
- http_timestring(mem_ctx, credsp->times.endtime)));
-
- talloc_free(mem_ctx);
-
- /* we will probably need new tickets if the current ones
- will expire within 10 seconds.
- */
- if (credsp->times.endtime >= (time(NULL) + 10))
- return False;
-
- /* heimdal won't remove creds from a file ccache, and
- perhaps we shouldn't anyway, since internally we
- use memory ccaches, and a FILE one probably means that
- we're using creds obtained outside of our exectuable
- */
- if (strcasecmp_m(krb5_cc_get_type(context, ccache), "FILE") == 0) {
- DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a FILE ccache\n"));
- return False;
- }
-
- retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
- if (retval) {
- DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
- error_message(retval)));
- /* If we have an error in this, we want to display it,
- but continue as though we deleted it */
- }
- return True;
-}
-
-/*
- we can't use krb5_mk_req because w2k wants the service to be in a particular format
-*/
-krb5_error_code ads_krb5_mk_req(krb5_context context,
- krb5_auth_context *auth_context,
- const krb5_flags ap_req_options,
- const char *principal,
- krb5_ccache ccache,
- krb5_data *outbuf)
-{
- krb5_error_code retval;
- krb5_principal server;
- krb5_creds * credsp;
- krb5_creds creds;
- krb5_data in_data;
- BOOL creds_ready = False;
-
- TALLOC_CTX *mem_ctx = NULL;
-
- retval = krb5_parse_name(context, principal, &server);
- if (retval) {
- DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
- return retval;
- }
-
- /* obtain ticket & session key */
- ZERO_STRUCT(creds);
- if ((retval = krb5_copy_principal(context, server, &creds.server))) {
- DEBUG(1,("krb5_copy_principal failed (%s)\n",
- error_message(retval)));
- goto cleanup_princ;
- }
-
- if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
- /* This can commonly fail on smbd startup with no ticket in the cache.
- * Report at higher level than 1. */
- DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
- error_message(retval)));
- goto cleanup_creds;
- }
-
- while(!creds_ready) {
- if ((retval = krb5_get_credentials(context, 0, ccache,
- &creds, &credsp))) {
- DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n",
- principal, error_message(retval)));
- goto cleanup_creds;
- }
-
- /* cope with ticket being in the future due to clock skew */
- if ((unsigned)credsp->times.starttime > time(NULL)) {
- time_t t = time(NULL);
- int time_offset =(unsigned)credsp->times.starttime-t;
- DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset));
- krb5_set_real_time(context, t + time_offset + 1, 0);
- }
-
- if (!ads_cleanup_expired_creds(context, ccache, credsp))
- creds_ready = True;
- }
-
- mem_ctx = talloc_init("ticket expied time");
- if (!mem_ctx) {
- retval = ENOMEM;
- goto cleanup_creds;
- }
- DEBUG(10,("Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n",
- principal, krb5_cc_default_name(context),
- http_timestring(mem_ctx, (unsigned)credsp->times.endtime),
- (unsigned)credsp->times.endtime));
-
- in_data.length = 0;
- retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
- &in_data, credsp, outbuf);
- if (retval) {
- DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n",
- error_message(retval)));
- }
-
- krb5_free_creds(context, credsp);
-
-cleanup_creds:
- krb5_free_cred_contents(context, &creds);
-
-cleanup_princ:
- krb5_free_principal(context, server);
-
- return retval;
-}
-
 krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
 {
 #if defined(HAVE_KRB5_KT_FREE_ENTRY) |