From d820c353dc45970d4648d9ff0b909366f8f00812 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Oct 2005 10:21:04 +0000 Subject: r11218: Always return the mutual authentication reply (needed for kpasswd), and remove now duplicated unwrap_pac(). Andrew Bartlett (This used to be commit 90642d54e02e09edc96b9498e66befda20dbb68d) --- source4/auth/kerberos/kerberos_verify.c | 57 +++++++-------------------------- source4/setup/secrets.ldif | 1 + 2 files changed, 13 insertions(+), 45 deletions(-) diff --git a/source4/auth/kerberos/kerberos_verify.c b/source4/auth/kerberos/kerberos_verify.c index 13d2c9fc26..020b63478e 100644 --- a/source4/auth/kerberos/kerberos_verify.c +++ b/source4/auth/kerberos/kerberos_verify.c @@ -33,36 +33,6 @@ #ifdef HAVE_KRB5 -DATA_BLOB unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data) -{ - DATA_BLOB out; - DATA_BLOB pac_contents = data_blob(NULL, 0); - struct asn1_data data; - int data_type; - if (!auth_data->length) { - return data_blob(NULL, 0); - } - - asn1_load(&data, *auth_data); - asn1_start_tag(&data, ASN1_SEQUENCE(0)); - asn1_start_tag(&data, ASN1_SEQUENCE(0)); - asn1_start_tag(&data, ASN1_CONTEXT(0)); - asn1_read_Integer(&data, &data_type); - asn1_end_tag(&data); - asn1_start_tag(&data, ASN1_CONTEXT(1)); - asn1_read_OctetString(&data, &pac_contents); - asn1_end_tag(&data); - asn1_end_tag(&data); - asn1_end_tag(&data); - asn1_free(&data); - - out = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length); - - data_blob_free(&pac_contents); - - return out; -} - /********************************************************************************** Verify an incoming ticket and parse out the principal name and authorization_data if available. @@ -83,6 +53,7 @@ DATA_BLOB unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data) int ret; krb5_flags ap_req_options = 0; krb5_principal server; + krb5_data packet_out; struct keytab_container *keytab_container; @@ -119,23 +90,19 @@ DATA_BLOB unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data) return NT_STATUS_LOGON_FAILURE; } *keyblock = local_keyblock; - - if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED) { - krb5_data packet_out; - ret = krb5_mk_rep(smb_krb5_context->krb5_context, *auth_context, &packet_out); - if (ret) { - krb5_free_ticket(smb_krb5_context->krb5_context, *tkt); - - DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); - return NT_STATUS_LOGON_FAILURE; - } + + + ret = krb5_mk_rep(smb_krb5_context->krb5_context, *auth_context, &packet_out); + if (ret) { + krb5_free_ticket(smb_krb5_context->krb5_context, *tkt); - *ap_rep = data_blob_talloc(mem_ctx, packet_out.data, packet_out.length); - krb5_free_data_contents(smb_krb5_context->krb5_context, &packet_out); - } else { - *ap_rep = data_blob(NULL, 0); + DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); + return NT_STATUS_LOGON_FAILURE; } + + *ap_rep = data_blob_talloc(mem_ctx, packet_out.data, packet_out.length); + krb5_free_data_contents(smb_krb5_context->krb5_context, &packet_out); return NT_STATUS_OK; } diff --git a/source4/setup/secrets.ldif b/source4/setup/secrets.ldif index eccb768db5..c573ad3b56 100644 --- a/source4/setup/secrets.ldif +++ b/source4/setup/secrets.ldif @@ -48,3 +48,4 @@ whenChanged: ${LDAPTIME} msDS-KeyVersionNumber: 1 objectSid: ${DOMAINSID} servicePrincipalName: kadmin/changepw +saltPrincipal: krbtgt@${REALM} -- cgit