From 351e749246a278b60a7e18c1eeafdc8ec70efea2 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Tue, 25 Apr 2006 12:24:25 +0000
Subject: r15240: Correctly disallow unauthorized access when logging on with the kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
---
 source3/include/ads.h | 12 ++++++++++++
 source3/include/includes.h | 2 ++
 2 files changed, 14 insertions(+)
(limited to 'source3/include')
diff --git a/source3/include/ads.h b/source3/include/ads.h
index 2c7999e24f..711dd2aa70 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -266,3 +266,15 @@ typedef void **ADS_MODLIST;
 #define WELL_KNOWN_GUID_COMPUTERS "AA312825768811D1ADED00C04FD8D5CD"
 #define WELL_KNOWN_GUID_USERS "A9D1CA15768811D1ADED00C04FD8D5CD"
+
+#ifndef KRB5_ADDR_NETBIOS
+#define KRB5_ADDR_NETBIOS 0x14
+#endif
+
+typedef struct {
+#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
+ krb5_address **addrs;
+#else /* Heimdal has the krb5_addresses type */
+ krb5_addresses *addrs;
+#endif
+} smb_krb5_addresses;
diff --git a/source3/include/includes.h b/source3/include/includes.h
index 944d1b43c0..0eb2ba83aa 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
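Review bot: The `smb_krb5_addresses` typedef added at the end of ads.h uses `krb5_address` / `krb5_addresses` with no `HAVE_KRB5` guard visible in the hunk, while the matching prototypes in includes.h sit inside the block closed by `#endif /* HAVE_KRB5 */`. If ads.h is also compiled in builds without Kerberos (not visible from here), the typedef will not compile; wrapping it in `#ifdef HAVE_KRB5` ... `#endif` would keep the two headers consistent. The `#else` branch also assumes Heimdal whenever the two MIT macros are absent, so an explicit Heimdal feature test with an `#error` fallback would make a misdetected library fail clearly instead of with an obscure type error. A short comment on the constant, e.g. `/* NetBIOS host address type (20) placed in the AS-REQ address list */`, would explain where `0x14` comes from.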
@@ -1538,6 +1538,8 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset,
 PAC_LOGON_INFO *get_logon_info_from_pac(PAC_DATA *pac_data);
 krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *new_start_time);
 krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code);
+krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr);
+krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
 NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
 krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
 #endif /* HAVE_KRB5 */
-- cgit
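Review bot: The two new prototypes say nothing about ownership or failure semantics, which matters because, per the commit message, the address list they build is what lets the DC enforce workstation restrictions. `smb_krb5_gen_netbios_krb5_address()` takes no `krb5_context` while `smb_krb5_free_addresses()` does, so a reader cannot tell which allocator backs `*kerb_addr` or whether it is left NULL on error. I would add a comment above them along the lines of `/* On success *kerb_addr is allocated and must be released with smb_krb5_free_addresses(); on failure the caller must abort the logon rather than send the AS-REQ without the NetBIOS address. */`, adjusted to what the implementation (outside this diff) actually does. The callers are not visible here, so whether they already fail closed on a non-zero return should be confirmed.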