From d412f66cd82d8b14c8bd8d97f0235296bc8b2d23 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 6 Dec 2001 05:41:53 +0000
Subject: added a propoer kerberos_kinit_password call contribution from
 remus@snapserver.com

thanks!
(This used to be commit 3ace8f1fcc27492d26f5ad0c3cdfc63235ca0609)
---
 source3/libads/kerberos.c | 76 ++++++++++++++++++++++++++++++++++++++++-------
 source3/libads/ldap.c     |  2 +-
 2 files changed, 66 insertions(+), 12 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 1b0de382bd..c494016f98 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -23,25 +23,79 @@
 
 #ifdef HAVE_KRB5
 
+/*
+  simulate a kinit, putting the tgt in the default cache location
+  remus@snapserver.com
+*/
+int kerberos_kinit_password(const char *principal, const char *password)
+{
+	krb5_context ctx;
+	krb5_error_code code = 0;
+	krb5_ccache cc;
+	krb5_principal me;
+	krb5_creds my_creds;
+	
+	if ((code = krb5_init_context(&ctx)))
+		return code;
+	
+	if ((code = krb5_cc_default(ctx, &cc))) {
+		krb5_free_context(ctx);
+		return code;
+	}
+	
+	if ((code = krb5_parse_name(ctx, principal, &me))) {
+		krb5_free_context(ctx);	
+		return code;
+	}
+	
+	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, password, NULL, 
+						NULL, 0, NULL, NULL))) {
+		krb5_free_principal(ctx, me);
+		krb5_free_context(ctx);		
+		return code;
+	}
+	
+	if ((code = krb5_cc_initialize(ctx, cc, me))) {
+		krb5_free_cred_contents(ctx, &my_creds);
+		krb5_free_principal(ctx, me);
+		krb5_free_context(ctx);		
+		return code;
+	}
+	
+	if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
+		krb5_cc_close(ctx, cc);
+		krb5_free_cred_contents(ctx, &my_creds);
+		krb5_free_principal(ctx, me);
+		krb5_free_context(ctx);		
+		return code;
+	}
+	
+	krb5_cc_close(ctx, cc);
+	krb5_free_cred_contents(ctx, &my_creds);
+	krb5_free_principal(ctx, me);
+	krb5_free_context(ctx);		
+	
+	return 0;
+}
+
 
-/* VERY nasty hack until we have proper kerberos code for this */
-void kerberos_kinit_password(ADS_STRUCT *ads)
+
+/* run kinit to setup our ccache */
+int ads_kinit_password(ADS_STRUCT *ads)
 {
 	char *s;
-	FILE *f;
+	int ret;
 	extern pstring global_myname;
 	fstring myname;
 	fstrcpy(myname, global_myname);
 	strlower(myname);
-	asprintf(&s, "kinit 'HOST/%s@%s'", global_myname, ads->realm);
-	DEBUG(0,("HACK!! Running %s\n", s));
-	f = popen(s, "w");
-	if (f) {
-		fprintf(f,"%s\n", ads->password);
-		fflush(f);
-		fclose(f);
-	}
+	asprintf(&s, "HOST/%s@%s", global_myname, ads->realm);
+	ret = kerberos_kinit_password(s, ads->password);
 	free(s);
+	if (ret) {
+		DEBUG(1,("kerberos_kinit_password failed: %s\n", error_message(ret)));
+	}
+	return ret;
 }
 
 /*
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 60f620d2f4..a7c9265b18 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -74,7 +74,7 @@ int ads_connect(ADS_STRUCT *ads)
 		/* the machine acct password might have changed */
 		free(ads->password);
 		ads->password = secrets_fetch_machine_password();
-		kerberos_kinit_password(ads);
+		ads_kinit_password(ads);
 	}
 
 	rc = ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL, 
-- 
cgit