diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 21 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos.c | 32 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos.h | 4 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_util.c | 63 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/context.c | 1 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/keytab_memory.c | 53 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5.h | 1 |
7 files changed, 84 insertions, 91 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 26494f0222..6316b52bad 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -154,6 +154,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi { NTSTATUS nt_status; OM_uint32 maj_stat, min_stat; + gss_buffer_desc name_token; struct gensec_gssapi_state *gensec_gssapi_state; struct cli_credentials *machine_account; @@ -177,7 +178,6 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi machine_account, gensec_gssapi_state->smb_krb5_context, &gensec_gssapi_state->keytab); - talloc_free(machine_account); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(3, ("Could not create memory keytab!\n")); talloc_free(machine_account); @@ -185,9 +185,26 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi } } + name_token.value = cli_credentials_get_principal(machine_account, + machine_account); + name_token.length = strlen(name_token.value); + + maj_stat = gss_import_name (&min_stat, + &name_token, + GSS_C_NT_USER_NAME, + &gensec_gssapi_state->server_name); + talloc_free(machine_account); + + if (maj_stat) { + DEBUG(2, ("GSS Import name of %s failed: %s\n", + (char *)name_token.value, + gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); + return NT_STATUS_UNSUCCESSFUL; + } + maj_stat = gsskrb5_acquire_cred(&min_stat, gensec_gssapi_state->keytab, NULL, - NULL, + gensec_gssapi_state->server_name, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET, GSS_C_ACCEPT, diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c index 31e0c71c55..3935bfaf92 100644 --- a/source4/auth/kerberos/kerberos.c +++ b/source4/auth/kerberos/kerberos.c @@ -69,35 +69,27 @@ kerb_prompter(krb5_context ctx, void *data, original password. */ int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, - const char *principal, krb5_keyblock *keyblock, + krb5_principal principal, krb5_keyblock *keyblock, time_t *expire_time, time_t *kdc_time) { krb5_error_code code = 0; - krb5_principal me; krb5_creds my_creds; krb5_get_init_creds_opt options; - if ((code = krb5_parse_name(ctx, principal, &me))) { - return code; - } - krb5_get_init_creds_opt_init(&options); - if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, me, keyblock, + if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock, 0, NULL, &options))) { - krb5_free_principal(ctx, me); return code; } - if ((code = krb5_cc_initialize(ctx, cc, me))) { + if ((code = krb5_cc_initialize(ctx, cc, principal))) { krb5_free_cred_contents(ctx, &my_creds); - krb5_free_principal(ctx, me); return code; } if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { krb5_free_cred_contents(ctx, &my_creds); - krb5_free_principal(ctx, me); return code; } @@ -110,7 +102,6 @@ kerb_prompter(krb5_context ctx, void *data, } krb5_free_cred_contents(ctx, &my_creds); - krb5_free_principal(ctx, me); return 0; } @@ -120,36 +111,28 @@ kerb_prompter(krb5_context ctx, void *data, Orignally by remus@snapserver.com */ int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, - const char *principal, const char *password, - time_t *expire_time, time_t *kdc_time) + krb5_principal principal, const char *password, + time_t *expire_time, time_t *kdc_time) { krb5_error_code code = 0; - krb5_principal me; krb5_creds my_creds; krb5_get_init_creds_opt options; - if ((code = krb5_parse_name(ctx, principal, &me))) { - return code; - } - krb5_get_init_creds_opt_init(&options); - if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, password, + if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password, kerb_prompter, NULL, 0, NULL, &options))) { - krb5_free_principal(ctx, me); return code; } - if ((code = krb5_cc_initialize(ctx, cc, me))) { + if ((code = krb5_cc_initialize(ctx, cc, principal))) { krb5_free_cred_contents(ctx, &my_creds); - krb5_free_principal(ctx, me); return code; } if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { krb5_free_cred_contents(ctx, &my_creds); - krb5_free_principal(ctx, me); return code; } @@ -162,7 +145,6 @@ kerb_prompter(krb5_context ctx, void *data, } krb5_free_cred_contents(ctx, &my_creds); - krb5_free_principal(ctx, me); return 0; } diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h index 8cc8e561ac..39bba5f46f 100644 --- a/source4/auth/kerberos/kerberos.h +++ b/source4/auth/kerberos/kerberos.h @@ -102,10 +102,10 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, DATA_BLOB *ap_rep, krb5_keyblock **keyblock); int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, - const char *principal, const char *password, + krb5_principal principal, const char *password, time_t *expire_time, time_t *kdc_time); int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, - const char *principal, krb5_keyblock *keyblock, + krb5_principal principal, krb5_keyblock *keyblock, time_t *expire_time, time_t *kdc_time); krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index 9dc8621b0e..922869af5c 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -87,7 +87,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, cli_credentials_get_realm(machine_account), "host", salt_body, NULL); - if (ret != 0) { + if (ret == 0) { mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context); mem_ctx->principal = *salt_princ; talloc_set_destructor(mem_ctx, free_principal); @@ -95,6 +95,36 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, return ret; } +krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, + struct cli_credentials *credentials, + struct smb_krb5_context *smb_krb5_context, + krb5_principal *princ) +{ + krb5_error_code ret; + const char *princ_string; + struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container); + if (!mem_ctx) { + return ENOMEM; + } + + princ_string = cli_credentials_get_principal(credentials, mem_ctx); + + if (!princ_string) { + talloc_free(mem_ctx); + return ENOMEM; + } + + ret = krb5_parse_name(smb_krb5_context->krb5_context, + princ_string, princ); + + if (ret == 0) { + mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context); + mem_ctx->principal = *princ; + talloc_set_destructor(mem_ctx, free_principal); + } + return ret; +} + /** * Return a freshly allocated ccache (destroyed by destructor on child * of parent_ctx), for a given set of client credentials @@ -108,6 +138,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, krb5_error_code ret; const char *password; time_t kdc_time = 0; + krb5_principal princ; TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); @@ -115,11 +146,17 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, return ENOMEM; } + ret = principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &princ); + if (ret) { + talloc_free(mem_ctx); + return ret; + } + password = cli_credentials_get_password(credentials); if (password) { ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache, - cli_credentials_get_principal(credentials, mem_ctx), + princ, password, NULL, &kdc_time); } else { /* No password available, try to use a keyblock instead */ @@ -139,7 +176,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, if (ret == 0) { ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache, - cli_credentials_get_principal(credentials, mem_ctx), + princ, &keyblock, NULL, &kdc_time); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock); } @@ -191,12 +228,13 @@ static int free_keytab(void *ptr) { struct keytab_container *mem_ctx = talloc(parent_ctx, struct keytab_container); krb5_enctype *enctypes; krb5_principal salt_princ; + krb5_principal princ; if (!mem_ctx) { return NT_STATUS_NO_MEMORY; } - ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY_WILDCARD:", keytab); + ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY:", keytab); if (ret) { DEBUG(1,("failed to generate a new krb5 keytab: %s\n", error_message(ret))); @@ -214,7 +252,18 @@ static int free_keytab(void *ptr) { &salt_princ); if (ret) { DEBUG(1,("create_memory_keytab: maksing salt principal failed (%s)\n", - error_message(ret))); + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_INTERNAL_ERROR; + } + + ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, &princ); + if (ret) { + DEBUG(1,("create_memory_keytab: maksing krb5 principal failed (%s)\n", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); + talloc_free(mem_ctx); return NT_STATUS_INTERNAL_ERROR; } @@ -243,7 +292,7 @@ static int free_keytab(void *ptr) { return NT_STATUS_INTERNAL_ERROR; } - entry.principal = salt_princ; + entry.principal = princ; entry.vno = cli_credentials_get_kvno(machine_account); ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry); if (ret) { @@ -283,7 +332,7 @@ static int free_keytab(void *ptr) { return NT_STATUS_INTERNAL_ERROR; } - entry.principal = salt_princ; + entry.principal = princ; entry.vno = cli_credentials_get_kvno(machine_account); ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry); if (ret) { diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c index 62fb92d666..4d6eae2b24 100644 --- a/source4/heimdal/lib/krb5/context.c +++ b/source4/heimdal/lib/krb5/context.c @@ -231,7 +231,6 @@ krb5_init_context(krb5_context *context) krb5_kt_register (p, &krb5_wrfkt_ops); krb5_kt_register (p, &krb5_javakt_ops); krb5_kt_register (p, &krb5_mkt_ops); - krb5_kt_register (p, &krb5_mktw_ops); krb5_kt_register (p, &krb5_akf_ops); krb5_kt_register (p, &krb4_fkt_ops); krb5_kt_register (p, &krb5_srvtab_fkt_ops); diff --git a/source4/heimdal/lib/krb5/keytab_memory.c b/source4/heimdal/lib/krb5/keytab_memory.c index 3dca5154e3..1d866fa11e 100644 --- a/source4/heimdal/lib/krb5/keytab_memory.c +++ b/source4/heimdal/lib/krb5/keytab_memory.c @@ -174,56 +174,3 @@ const krb5_kt_ops krb5_mkt_ops = { mkt_add_entry, mkt_remove_entry }; - -static krb5_error_code -mktw_get_entry(krb5_context context, - krb5_keytab id, - krb5_const_principal principal, - krb5_kvno kvno, - krb5_enctype enctype, - krb5_keytab_entry *entry) -{ - krb5_keytab_entry tmp; - krb5_error_code ret; - krb5_kt_cursor cursor; - - ret = krb5_kt_start_seq_get (context, id, &cursor); - if (ret) - return KRB5_KT_NOTFOUND; /* XXX i.e. file not found */ - - entry->vno = 0; - while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) { - if (krb5_kt_compare(context, &tmp, NULL, 0, enctype)) { - if (kvno == tmp.vno) { - krb5_kt_copy_entry_contents (context, &tmp, entry); - krb5_kt_free_entry (context, &tmp); - krb5_kt_end_seq_get(context, id, &cursor); - return 0; - } else if (kvno == 0 && tmp.vno > entry->vno) { - if (entry->vno) - krb5_kt_free_entry (context, entry); - krb5_kt_copy_entry_contents (context, &tmp, entry); - } - } - krb5_kt_free_entry(context, &tmp); - } - krb5_kt_end_seq_get (context, id, &cursor); - if (entry->vno) { - return 0; - } else { - return KRB5_KT_NOTFOUND; - } -}; - -const krb5_kt_ops krb5_mktw_ops = { - "MEMORY_WILDCARD", - mkt_resolve, - mkt_get_name, - mkt_close, - mktw_get_entry, /* get */ - mkt_start_seq_get, - mkt_next_entry, - mkt_end_seq_get, - mkt_add_entry, - mkt_remove_entry -}; diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h index 5789bff205..c47c4450f1 100644 --- a/source4/heimdal/lib/krb5/krb5.h +++ b/source4/heimdal/lib/krb5/krb5.h @@ -698,7 +698,6 @@ extern const krb5_kt_ops krb5_fkt_ops; extern const krb5_kt_ops krb5_wrfkt_ops; extern const krb5_kt_ops krb5_javakt_ops; extern const krb5_kt_ops krb5_mkt_ops; -extern const krb5_kt_ops krb5_mktw_ops; extern const krb5_kt_ops krb5_akf_ops; extern const krb5_kt_ops krb4_fkt_ops; extern const krb5_kt_ops krb5_srvtab_fkt_ops; |