From 08c733d75fd83fd5e32ced9712d41dd595e0f182 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 21 Apr 2012 17:26:18 -0400 Subject: Make krb5 wrapper library common so they can be used all over --- source3/libads/authdata.c | 1 + source3/libads/kerberos.c | 37 ++++++++++++++++++++++++++++++++++++- source3/libads/kerberos_proto.h | 14 +++++++++++--- 3 files changed, 48 insertions(+), 4 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 5a8ca28b14..cb218dd7b2 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -31,6 +31,7 @@ #include "librpc/crypto/gse.h" #include "auth/gensec/gensec.h" #include "../libcli/auth/spnego.h" +#include "auth/kerberos/pac_utils.h" #ifdef HAVE_KRB5 diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index f1df31ca4f..7e95380011 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -219,7 +219,8 @@ int kerberos_kinit_password_ext(const char *principal, } #endif if (add_netbios_addr) { - if ((code = smb_krb5_gen_netbios_krb5_address(&addr))) { + if ((code = smb_krb5_gen_netbios_krb5_address(&addr, + lp_netbios_name()))) { goto out; } krb5_get_init_creds_opt_set_address_list(opt, addr->addrs); @@ -407,6 +408,7 @@ bool kerberos_secrets_store_des_salt( const char* salt ) /************************************************************************ ************************************************************************/ +static char* kerberos_secrets_fetch_des_salt( void ) { char *salt, *key; @@ -430,6 +432,7 @@ char* kerberos_secrets_fetch_des_salt( void ) to look for the older tdb keys. Caller must free if return is not null. ************************************************************************/ +static krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype) 
@@ -462,6 +465,38 @@ krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, return ret_princ; } +int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key, + krb5_enctype enctype, + bool no_salt) +{ + krb5_principal salt_princ = NULL; + int ret; + /* + * Check if we've determined that the KDC is salting keys for this + * principal/enctype in a non-obvious way. If it is, try to match + * its behavior. + */ + if (no_salt) { + KRB5_KEY_DATA(key) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length); + if (!KRB5_KEY_DATA(key)) { + return ENOMEM; + } + memcpy(KRB5_KEY_DATA(key), password->data, password->length); + KRB5_KEY_LENGTH(key) = password->length; + KRB5_KEY_TYPE(key) = enctype; + return 0; + } + salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype); + ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype); + if (salt_princ) { + krb5_free_principal(context, salt_princ); + } + return ret; +} + /************************************************************************ Routine to set the salting principal for this service. Active Directory may use a non-obvious principal name to generate the salt diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h index 50c56dc081..f7470d2f81 100644 --- a/source3/libads/kerberos_proto.h +++ b/source3/libads/kerberos_proto.h @@ -30,6 +30,8 @@ #ifndef _LIBADS_KERBEROS_PROTO_H_ #define _LIBADS_KERBEROS_PROTO_H_ +#include "system/kerberos.h" + struct PAC_LOGON_INFO; #include "libads/ads_status.h" 
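Review bot: In the `no_salt` branch of `create_kerberos_key_from_string`, `password->length` bytes are copied into the keyblock verbatim without being compared against the key size that `enctype` implies, so the function can return success with a keyblock whose type and length disagree. A zero length is not rejected either and goes straight to `SMB_MALLOC`; depending on how that wrapper treats a zero-byte request, it may come back as a misleading `ENOMEM`, so a guard such as `if (password->length == 0) return EINVAL;` before the allocation would make the failure explicit. The comment about the KDC salting keys "in a non-obvious way" describes the `kerberos_fetch_salt_princ_for_host_princ` lookup and belongs directly above that call, not above `if (no_salt)`. The function and its new prototype in kerberos_proto.h also need a contract comment, for example `/* no_salt: password->data is used as-is as key material; on success the caller owns and must free the key contents */`, because the buffer holds secret bytes and nothing here says who releases it.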
@@ -49,9 +51,6 @@ int kerberos_kinit_password_ext(const char *principal, int ads_kdestroy(const char *cc_name); char* kerberos_standard_des_salt( void ); bool kerberos_secrets_store_des_salt( const char* salt ); -char* kerberos_secrets_fetch_des_salt( void ); -char *kerberos_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx); -char *kerberos_get_realm_from_hostname(TALLOC_CTX *mem_ctx, const char *hostname); bool kerberos_secrets_store_salting_principal(const char *service, int enctype, @@ -90,4 +89,13 @@ ADS_STATUS kerberos_set_password(const char *kpasswd_server, const char *target_principal, const char *new_password, int time_offset); +#ifdef HAVE_KRB5 +int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key, + krb5_enctype enctype, + bool no_salt); +#endif + #endif /* _LIBADS_KERBEROS_PROTO_H_ */ -- cgit