From 351e749246a278b60a7e18c1eeafdc8ec70efea2 Mon Sep 17 00:00:00 2001
From: Günther Deschner <gd@samba.org>
Date: Tue, 25 Apr 2006 12:24:25 +0000
Subject: r15240: Correctly disallow unauthorized access when logging on with
 the kerberized pam_winbind and workstation restrictions are in effect.

The krb5 AS-REQ needs to add the host netbios-name in the address-list.

We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from
the edata of the KRB_ERROR but the login at least fails when the local
machine is not in the workstation list on the DC.

Guenther
(This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
---
 source3/libsmb/clikrb5.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)

(limited to 'source3/libsmb/clikrb5.c')

diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index d3da25760b..40ffec6f53 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -1205,6 +1205,104 @@ done:
     
 }
 
+ krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr)
+{
+	krb5_error_code ret = 0;
+#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
+	krb5_free_addresses(context, addr->addrs);
+#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
+	ret = krb5_free_addresses(context, addr->addrs);
+	SAFE_FREE(addr->addrs);
+#endif
+	SAFE_FREE(addr);
+	addr = NULL;
+	return ret;
+}
+
+ krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr)
+{
+	krb5_error_code ret = 0;
+	nstring buf;
+#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
+	krb5_address **addrs = NULL;
+#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
+	krb5_addresses *addrs = NULL;
+#endif
+
+	*kerb_addr = (smb_krb5_addresses *)SMB_MALLOC(sizeof(smb_krb5_addresses));
+	if (*kerb_addr == NULL) {
+		return ENOMEM;
+	}
+
+	put_name(buf, global_myname(), ' ', 0x20);
+
+#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
+	{
+		int num_addr = 2;
+
+		addrs = (krb5_address **)SMB_MALLOC(sizeof(krb5_address *) * num_addr);
+		if (addrs == NULL) {
+			return ENOMEM;
+		}
+
+		memset(addrs, 0, sizeof(krb5_address *) * num_addr);
+
+		addrs[0] = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
+		if (addrs[0] == NULL) {
+			SAFE_FREE(addrs);
+			return ENOMEM;
+		}
+
+		addrs[0]->magic = KV5M_ADDRESS;
+		addrs[0]->addrtype = KRB5_ADDR_NETBIOS;
+		addrs[0]->length = MAX_NETBIOSNAME_LEN;
+		addrs[0]->contents = (unsigned char *)SMB_MALLOC(addrs[0]->length);
+		if (addrs[0]->contents == NULL) {
+			SAFE_FREE(addrs[0]);
+			SAFE_FREE(addrs);
+			return ENOMEM;
+		}
+
+		memcpy(addrs[0]->contents, buf, addrs[0]->length);
+
+		addrs[1] = NULL;
+	}
+#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
+	{
+		addrs = (krb5_addresses *)SMB_MALLOC(sizeof(krb5_addresses));
+		if (addrs == NULL) {
+			return ENOMEM;
+		}
+
+		memset(addrs, 0, sizeof(krb5_addresses));
+
+		addrs->len = 1;
+		addrs->val = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
+		if (addrs->val == NULL) {
+			SAFE_FREE(addrs);
+			return ENOMEM;
+		}
+
+		addrs->val[0].addr_type = KRB5_ADDR_NETBIOS;
+		addrs->val[0].address.length = MAX_NETBIOSNAME_LEN;
+		addrs->val[0].address.data = (unsigned char *)SMB_MALLOC(addrs->val[0].address.length);
+		if (addrs->val[0].address.data == NULL) {
+			SAFE_FREE(addrs->val);
+			SAFE_FREE(addrs);
+			return ENOMEM;
+		}
+
+		memcpy(addrs->val[0].address.data, buf, addrs->val[0].address.length);
+	}
+#else
+#error UNKNOWN_KRB5_ADDRESS_FORMAT
+#endif
+	(*kerb_addr)->addrs = addrs;
+
+	return ret;
+}
+				
+
 #else /* HAVE_KRB5 */
  /* this saves a few linking headaches */
  int cli_krb5_get_ticket(const char *principal, time_t time_offset, 
-- 
cgit