diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/libads/config.m4 | 2 | ||||
-rw-r--r-- | source4/libcli/auth/clikrb5.c | 14 | ||||
-rw-r--r-- | source4/libcli/auth/kerberos.h | 1 | ||||
-rw-r--r-- | source4/libcli/auth/kerberos_verify.c | 69 |
4 files changed, 55 insertions, 31 deletions
diff --git a/source4/libads/config.m4 b/source4/libads/config.m4 index 57416113b3..8c27dba49e 100644 --- a/source4/libads/config.m4 +++ b/source4/libads/config.m4 @@ -341,6 +341,8 @@ if test x"$with_krb5_support" != x"no"; then AC_CHECK_FUNC_EXT(krb5_krbhst_get_addrinfo, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_c_enctype_compare, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(krb5_get_error_string, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(krb5_free_error_string, $KRB5_LIBS) LIBS="$LIBS $KRB5_LIBS" diff --git a/source4/libcli/auth/clikrb5.c b/source4/libcli/auth/clikrb5.c index 5a196db7a5..b7bd710304 100644 --- a/source4/libcli/auth/clikrb5.c +++ b/source4/libcli/auth/clikrb5.c @@ -461,4 +461,18 @@ cleanup_princ: #endif } + char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx) +{ + char *ret; + +#if defined(HAVE_KRB5_GET_ERROR_STRING) && defined(HAVE_KRB5_FREE_ERROR_STRING) + char *context_error = krb5_get_error_string(context); + ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error); + krb5_free_error_string(context, context_error); +#else + ret = talloc_strdup(mem_ctx, error_message(code)); +#endif + return ret; +} + #endif diff --git a/source4/libcli/auth/kerberos.h b/source4/libcli/auth/kerberos.h index c9b2eae55c..4daf0ea07a 100644 --- a/source4/libcli/auth/kerberos.h +++ b/source4/libcli/auth/kerberos.h @@ -94,5 +94,6 @@ void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype); BOOL kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2); void kerberos_free_data_contents(krb5_context context, krb5_data *pdata); krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry); +char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx); #endif /* HAVE_KRB5 */ diff --git a/source4/libcli/auth/kerberos_verify.c b/source4/libcli/auth/kerberos_verify.c index fd4c3f6ba3..a1dfe1056e 100644 --- a/source4/libcli/auth/kerberos_verify.c +++ b/source4/libcli/auth/kerberos_verify.c @@ -80,7 +80,6 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex krb5_keyblock *keyblock) { krb5_error_code ret = 0; - krb5_error_code our_ret = 0; krb5_keytab keytab = NULL; krb5_kt_cursor kt_cursor; krb5_keytab_entry kt_entry; @@ -89,6 +88,7 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex const char *my_name, *my_fqdn; int i; int number_matched_principals = 0; + const char *last_error_message; /* Generate the list of principal names which we expect * clients might want to use for authenticating to the file @@ -111,7 +111,8 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex ret = krb5_kt_default(context, &keytab); if (ret) { - DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", error_message(ret))); + DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", + smb_get_krb5_error_message(context, ret, mem_ctx))); goto out; } @@ -121,37 +122,43 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor); if (ret) { - DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret))); + last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx); + DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", + last_error_message)); goto out; } ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor); if (ret != KRB5_KT_END && ret != ENOENT ) { + ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; /* Pick an error... */ while (ret && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) { - ret = krb5_unparse_name(context, kt_entry.principal, &entry_princ_s); - if (ret) { - DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret))); + krb5_error_code upn_ret; + upn_ret = krb5_unparse_name(context, kt_entry.principal, &entry_princ_s); + if (upn_ret) { + last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx); + DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", + last_error_message)); + ret = upn_ret; break; } - ret = KRB5_BAD_ENCTYPE; - for (i = 0; i < sizeof(valid_princ_formats) / sizeof(valid_princ_formats[0]); i++) { - if (strequal(entry_princ_s, valid_princ_formats[i])) { - number_matched_principals++; - p_packet->length = ticket->length; - p_packet->data = (krb5_pointer)ticket->data; - *pp_tkt = NULL; - our_ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt); - if (our_ret != KRB5_BAD_ENCTYPE) { - ret = our_ret; - } - if (our_ret) { - DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n", - entry_princ_s, error_message(our_ret))); - } else { - DEBUG(3,("ads_keytab_verify_ticket: krb5_rd_req succeeded for principal %s\n", - entry_princ_s)); - break; - } + for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) { + if (!strequal(entry_princ_s, valid_princ_formats[i])) { + continue; + } + + number_matched_principals++; + p_packet->length = ticket->length; + p_packet->data = (krb5_pointer)ticket->data; + *pp_tkt = NULL; + ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt); + if (ret) { + last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx); + DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n", + entry_princ_s, last_error_message)); + } else { + DEBUG(3,("ads_keytab_verify_ticket: krb5_rd_req succeeded for principal %s\n", + entry_princ_s)); + break; } } @@ -177,7 +184,7 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex DEBUG(3, ("ads_keytab_verify_ticket: krb5_rd_req failed for all %d matched keytab principals\n", number_matched_principals)); } - DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", error_message(ret))); + DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", last_error_message)); } if (entry_princ_s) { @@ -304,7 +311,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte DEBUG((our_ret != KRB5_BAD_ENCTYPE) ? 3 : 10, ("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n", - (unsigned int)enctypes[i], error_message(our_ret))); + (unsigned int)enctypes[i], smb_get_krb5_error_message(context, our_ret, mem_ctx))); if (our_ret != KRB5_BAD_ENCTYPE) { ret = our_ret; @@ -355,7 +362,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte ret = krb5_parse_name(context, host_princ_s, &host_princ); if (ret) { DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n", - host_princ_s, error_message(ret))); + host_princ_s, error_message(ret))); goto out; } @@ -400,14 +407,14 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte if (ret) { DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", - error_message(ret))); + smb_get_krb5_error_message(context, ret, mem_ctx))); goto out; } ret = krb5_mk_rep(context, auth_context, &packet); if (ret) { DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n", - error_message(ret))); + smb_get_krb5_error_message(context, ret, mem_ctx))); goto out; } @@ -434,7 +441,7 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt), &malloc_principal))) { DEBUG(3,("ads_verify_ticket: krb5_unparse_name failed (%s)\n", - error_message(ret))); + smb_get_krb5_error_message(context, ret, mem_ctx))); sret = NT_STATUS_LOGON_FAILURE; goto out; } |