summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c21
-rw-r--r--source4/auth/kerberos/kerberos.c32
-rw-r--r--source4/auth/kerberos/kerberos.h4
-rw-r--r--source4/auth/kerberos/kerberos_util.c63
-rw-r--r--source4/heimdal/lib/krb5/context.c1
-rw-r--r--source4/heimdal/lib/krb5/keytab_memory.c53
-rw-r--r--source4/heimdal/lib/krb5/krb5.h1
7 files changed, 84 insertions, 91 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 26494f0222..6316b52bad 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -154,6 +154,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
{
NTSTATUS nt_status;
OM_uint32 maj_stat, min_stat;
+ gss_buffer_desc name_token;
struct gensec_gssapi_state *gensec_gssapi_state;
struct cli_credentials *machine_account;
@@ -177,7 +178,6 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
machine_account,
gensec_gssapi_state->smb_krb5_context,
&gensec_gssapi_state->keytab);
- talloc_free(machine_account);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(3, ("Could not create memory keytab!\n"));
talloc_free(machine_account);
@@ -185,9 +185,26 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
}
}
+ name_token.value = cli_credentials_get_principal(machine_account,
+ machine_account);
+ name_token.length = strlen(name_token.value);
+
+ maj_stat = gss_import_name (&min_stat,
+ &name_token,
+ GSS_C_NT_USER_NAME,
+ &gensec_gssapi_state->server_name);
+ talloc_free(machine_account);
+
+ if (maj_stat) {
+ DEBUG(2, ("GSS Import name of %s failed: %s\n",
+ (char *)name_token.value,
+ gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
maj_stat = gsskrb5_acquire_cred(&min_stat,
gensec_gssapi_state->keytab, NULL,
- NULL,
+ gensec_gssapi_state->server_name,
GSS_C_INDEFINITE,
GSS_C_NULL_OID_SET,
GSS_C_ACCEPT,
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index 31e0c71c55..3935bfaf92 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -69,35 +69,27 @@ kerb_prompter(krb5_context ctx, void *data,
original password.
*/
int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
- const char *principal, krb5_keyblock *keyblock,
+ krb5_principal principal, krb5_keyblock *keyblock,
time_t *expire_time, time_t *kdc_time)
{
krb5_error_code code = 0;
- krb5_principal me;
krb5_creds my_creds;
krb5_get_init_creds_opt options;
- if ((code = krb5_parse_name(ctx, principal, &me))) {
- return code;
- }
-
krb5_get_init_creds_opt_init(&options);
- if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, me, keyblock,
+ if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock,
0, NULL, &options))) {
- krb5_free_principal(ctx, me);
return code;
}
- if ((code = krb5_cc_initialize(ctx, cc, me))) {
+ if ((code = krb5_cc_initialize(ctx, cc, principal))) {
krb5_free_cred_contents(ctx, &my_creds);
- krb5_free_principal(ctx, me);
return code;
}
if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
krb5_free_cred_contents(ctx, &my_creds);
- krb5_free_principal(ctx, me);
return code;
}
@@ -110,7 +102,6 @@ kerb_prompter(krb5_context ctx, void *data,
}
krb5_free_cred_contents(ctx, &my_creds);
- krb5_free_principal(ctx, me);
return 0;
}
@@ -120,36 +111,28 @@ kerb_prompter(krb5_context ctx, void *data,
Orignally by remus@snapserver.com
*/
int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
- const char *principal, const char *password,
- time_t *expire_time, time_t *kdc_time)
+ krb5_principal principal, const char *password,
+ time_t *expire_time, time_t *kdc_time)
{
krb5_error_code code = 0;
- krb5_principal me;
krb5_creds my_creds;
krb5_get_init_creds_opt options;
- if ((code = krb5_parse_name(ctx, principal, &me))) {
- return code;
- }
-
krb5_get_init_creds_opt_init(&options);
- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, password,
+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password,
kerb_prompter,
NULL, 0, NULL, &options))) {
- krb5_free_principal(ctx, me);
return code;
}
- if ((code = krb5_cc_initialize(ctx, cc, me))) {
+ if ((code = krb5_cc_initialize(ctx, cc, principal))) {
krb5_free_cred_contents(ctx, &my_creds);
- krb5_free_principal(ctx, me);
return code;
}
if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
krb5_free_cred_contents(ctx, &my_creds);
- krb5_free_principal(ctx, me);
return code;
}
@@ -162,7 +145,6 @@ kerb_prompter(krb5_context ctx, void *data,
}
krb5_free_cred_contents(ctx, &my_creds);
- krb5_free_principal(ctx, me);
return 0;
}
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 8cc8e561ac..39bba5f46f 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -102,10 +102,10 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
DATA_BLOB *ap_rep,
krb5_keyblock **keyblock);
int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
- const char *principal, const char *password,
+ krb5_principal principal, const char *password,
time_t *expire_time, time_t *kdc_time);
int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
- const char *principal, krb5_keyblock *keyblock,
+ krb5_principal principal, krb5_keyblock *keyblock,
time_t *expire_time, time_t *kdc_time);
krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
krb5_principal host_princ,
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 9dc8621b0e..922869af5c 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -87,7 +87,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
cli_credentials_get_realm(machine_account),
"host", salt_body, NULL);
- if (ret != 0) {
+ if (ret == 0) {
mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
mem_ctx->principal = *salt_princ;
talloc_set_destructor(mem_ctx, free_principal);
@@ -95,6 +95,36 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
return ret;
}
+krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
+ struct cli_credentials *credentials,
+ struct smb_krb5_context *smb_krb5_context,
+ krb5_principal *princ)
+{
+ krb5_error_code ret;
+ const char *princ_string;
+ struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
+ if (!mem_ctx) {
+ return ENOMEM;
+ }
+
+ princ_string = cli_credentials_get_principal(credentials, mem_ctx);
+
+ if (!princ_string) {
+ talloc_free(mem_ctx);
+ return ENOMEM;
+ }
+
+ ret = krb5_parse_name(smb_krb5_context->krb5_context,
+ princ_string, princ);
+
+ if (ret == 0) {
+ mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
+ mem_ctx->principal = *princ;
+ talloc_set_destructor(mem_ctx, free_principal);
+ }
+ return ret;
+}
+
/**
* Return a freshly allocated ccache (destroyed by destructor on child
* of parent_ctx), for a given set of client credentials
@@ -108,6 +138,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
krb5_error_code ret;
const char *password;
time_t kdc_time = 0;
+ krb5_principal princ;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
@@ -115,11 +146,17 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
return ENOMEM;
}
+ ret = principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &princ);
+ if (ret) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
+
password = cli_credentials_get_password(credentials);
if (password) {
ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache,
- cli_credentials_get_principal(credentials, mem_ctx),
+ princ,
password, NULL, &kdc_time);
} else {
/* No password available, try to use a keyblock instead */
@@ -139,7 +176,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
if (ret == 0) {
ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache,
- cli_credentials_get_principal(credentials, mem_ctx),
+ princ,
&keyblock, NULL, &kdc_time);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
}
@@ -191,12 +228,13 @@ static int free_keytab(void *ptr) {
struct keytab_container *mem_ctx = talloc(parent_ctx, struct keytab_container);
krb5_enctype *enctypes;
krb5_principal salt_princ;
+ krb5_principal princ;
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
- ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY_WILDCARD:", keytab);
+ ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY:", keytab);
if (ret) {
DEBUG(1,("failed to generate a new krb5 keytab: %s\n",
error_message(ret)));
@@ -214,7 +252,18 @@ static int free_keytab(void *ptr) {
&salt_princ);
if (ret) {
DEBUG(1,("create_memory_keytab: maksing salt principal failed (%s)\n",
- error_message(ret)));
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, &princ);
+ if (ret) {
+ DEBUG(1,("create_memory_keytab: maksing krb5 principal failed (%s)\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx)));
+ talloc_free(mem_ctx);
return NT_STATUS_INTERNAL_ERROR;
}
@@ -243,7 +292,7 @@ static int free_keytab(void *ptr) {
return NT_STATUS_INTERNAL_ERROR;
}
- entry.principal = salt_princ;
+ entry.principal = princ;
entry.vno = cli_credentials_get_kvno(machine_account);
ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
if (ret) {
@@ -283,7 +332,7 @@ static int free_keytab(void *ptr) {
return NT_STATUS_INTERNAL_ERROR;
}
- entry.principal = salt_princ;
+ entry.principal = princ;
entry.vno = cli_credentials_get_kvno(machine_account);
ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
if (ret) {
diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index 62fb92d666..4d6eae2b24 100644
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -231,7 +231,6 @@ krb5_init_context(krb5_context *context)
krb5_kt_register (p, &krb5_wrfkt_ops);
krb5_kt_register (p, &krb5_javakt_ops);
krb5_kt_register (p, &krb5_mkt_ops);
- krb5_kt_register (p, &krb5_mktw_ops);
krb5_kt_register (p, &krb5_akf_ops);
krb5_kt_register (p, &krb4_fkt_ops);
krb5_kt_register (p, &krb5_srvtab_fkt_ops);
diff --git a/source4/heimdal/lib/krb5/keytab_memory.c b/source4/heimdal/lib/krb5/keytab_memory.c
index 3dca5154e3..1d866fa11e 100644
--- a/source4/heimdal/lib/krb5/keytab_memory.c
+++ b/source4/heimdal/lib/krb5/keytab_memory.c
@@ -174,56 +174,3 @@ const krb5_kt_ops krb5_mkt_ops = {
mkt_add_entry,
mkt_remove_entry
};
-
-static krb5_error_code
-mktw_get_entry(krb5_context context,
- krb5_keytab id,
- krb5_const_principal principal,
- krb5_kvno kvno,
- krb5_enctype enctype,
- krb5_keytab_entry *entry)
-{
- krb5_keytab_entry tmp;
- krb5_error_code ret;
- krb5_kt_cursor cursor;
-
- ret = krb5_kt_start_seq_get (context, id, &cursor);
- if (ret)
- return KRB5_KT_NOTFOUND; /* XXX i.e. file not found */
-
- entry->vno = 0;
- while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) {
- if (krb5_kt_compare(context, &tmp, NULL, 0, enctype)) {
- if (kvno == tmp.vno) {
- krb5_kt_copy_entry_contents (context, &tmp, entry);
- krb5_kt_free_entry (context, &tmp);
- krb5_kt_end_seq_get(context, id, &cursor);
- return 0;
- } else if (kvno == 0 && tmp.vno > entry->vno) {
- if (entry->vno)
- krb5_kt_free_entry (context, entry);
- krb5_kt_copy_entry_contents (context, &tmp, entry);
- }
- }
- krb5_kt_free_entry(context, &tmp);
- }
- krb5_kt_end_seq_get (context, id, &cursor);
- if (entry->vno) {
- return 0;
- } else {
- return KRB5_KT_NOTFOUND;
- }
-};
-
-const krb5_kt_ops krb5_mktw_ops = {
- "MEMORY_WILDCARD",
- mkt_resolve,
- mkt_get_name,
- mkt_close,
- mktw_get_entry, /* get */
- mkt_start_seq_get,
- mkt_next_entry,
- mkt_end_seq_get,
- mkt_add_entry,
- mkt_remove_entry
-};
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index 5789bff205..c47c4450f1 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -698,7 +698,6 @@ extern const krb5_kt_ops krb5_fkt_ops;
extern const krb5_kt_ops krb5_wrfkt_ops;
extern const krb5_kt_ops krb5_javakt_ops;
extern const krb5_kt_ops krb5_mkt_ops;
-extern const krb5_kt_ops krb5_mktw_ops;
extern const krb5_kt_ops krb5_akf_ops;
extern const krb5_kt_ops krb4_fkt_ops;
extern const krb5_kt_ops krb5_srvtab_fkt_ops;