From 81f56139b6964ddbe2c03232475f87f474136490 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 11 Oct 2001 07:42:52 +0000 Subject: initial kerberos/ADS/SPNEGO support in libsmb and smbclient. To activate you need to: - install krb5 libraries - run configure - build smbclient - run kinit to get a TGT - run smbclient with the -k option to choose kerberos auth (This used to be commit d33057585644e1337bac743e25ed7653bfb39eef) --- source3/libsmb/clikrb5.c | 267 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 267 insertions(+) create mode 100644 source3/libsmb/clikrb5.c (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c new file mode 100644 index 0000000000..cd64dc8444 --- /dev/null +++ b/source3/libsmb/clikrb5.c 
@@ -0,0 +1,267 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0 + simple kerberos5/SPNEGO routines + Copyright (C) Andrew Tridgell 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#if HAVE_KRB5 +#include + +#define OID_SPNEGO "1 3 6 1 5 5 2" +#define OID_KERBEROS5 "1 2 840 113554 1 2 2" + +static krb5_error_code krb5_mk_req2(krb5_context context, + krb5_auth_context *auth_context, + const krb5_flags ap_req_options, + const char *service, + krb5_data *in_data, + krb5_ccache ccache, + krb5_data *outbuf) +{ + krb5_error_code retval; + krb5_principal server; + krb5_creds * credsp; + krb5_creds creds; + char *realm; + + /* we should really get the realm from the negTargInit packet, + but this will do until I've done the asn1 decoder for that */ + if ((retval = krb5_get_default_realm(context, &realm))) { + return retval; + } + + retval = krb5_build_principal(context, &server, strlen(realm), + realm, service, NULL); + if (retval) + return retval; + + /* obtain ticket & session key */ + memset((char *)&creds, 0, sizeof(creds)); + if ((retval = krb5_copy_principal(context, server, &creds.server))) + goto cleanup_princ; + + if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) + goto cleanup_creds; + + if ((retval = krb5_get_credentials(context, 0, + ccache, &creds, &credsp))) + goto 
cleanup_creds; + + retval = krb5_mk_req_extended(context, auth_context, ap_req_options, + in_data, credsp, outbuf); + + krb5_free_creds(context, credsp); + +cleanup_creds: + krb5_free_cred_contents(context, &creds); + +cleanup_princ: + krb5_free_principal(context, server); + + return retval; +} + +/* + get a kerberos5 ticket for the given service +*/ +static DATA_BLOB krb5_get_ticket(char *service) +{ + krb5_error_code retval; + krb5_data packet, inbuf; + krb5_ccache ccdef; + krb5_context context; + krb5_auth_context auth_context = NULL; + DATA_BLOB ret; + + retval = krb5_init_context(&context); + if (retval) { + DEBUG(1,("krb5_init_context failed\n")); + goto failed; + } + + inbuf.length = 0; + + if ((retval = krb5_cc_default(context, &ccdef))) { + DEBUG(1,("krb5_cc_default failed\n")); + goto failed; + } + + if ((retval = krb5_mk_req2(context, + &auth_context, + AP_OPTS_MUTUAL_REQUIRED, + service, + &inbuf, ccdef, &packet))) { + DEBUG(1,("krb5_mk_req2 failed\n")); + goto failed; + } + + ret = data_blob(packet.data, packet.length); + /* XXX need to free up a bunch of krb5 stuff here */ + + return ret; + +failed: + return data_blob(NULL, 0); +} + + +/* + generate a negTokenInit packet given a GUID, a list of supported + OIDs (the mechanisms) and a principle name string +*/ +ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16], + const char *OIDs[], + const char *principle) +{ + int i; + ASN1_DATA data; + + memset(&data, 0, sizeof(data)); + + asn1_write(&data, guid, 16); + asn1_push_tag(&data,ASN1_APPLICATION(0)); + asn1_write_OID(&data,OID_SPNEGO); + asn1_push_tag(&data,ASN1_CONTEXT(0)); + asn1_push_tag(&data,ASN1_SEQUENCE(0)); + + asn1_push_tag(&data,ASN1_CONTEXT(0)); + asn1_push_tag(&data,ASN1_SEQUENCE(0)); + for (i=0; OIDs[i]; i++) { + asn1_write_OID(&data,OIDs[i]); + } + asn1_pop_tag(&data); + asn1_pop_tag(&data); + + asn1_push_tag(&data, ASN1_CONTEXT(3)); + asn1_push_tag(&data, ASN1_SEQUENCE(0)); + asn1_push_tag(&data, ASN1_CONTEXT(0)); + 
asn1_write_GeneralString(&data,principle); + asn1_pop_tag(&data); + asn1_pop_tag(&data); + asn1_pop_tag(&data); + + asn1_pop_tag(&data); + asn1_pop_tag(&data); + + asn1_pop_tag(&data); + + asn1_check_empty(&data); + return data; +} + + +/* + generate a negTokenTarg packet given a list of OIDs and a security blob +*/ +static ASN1_DATA gen_negTokenTarg(const char *OIDs[], ASN1_DATA blob) +{ + int i; + ASN1_DATA data; + + memset(&data, 0, sizeof(data)); + + asn1_push_tag(&data, ASN1_APPLICATION(0)); + asn1_write_OID(&data,OID_SPNEGO); + asn1_push_tag(&data, ASN1_CONTEXT(0)); + asn1_push_tag(&data, ASN1_SEQUENCE(0)); + + asn1_push_tag(&data, ASN1_CONTEXT(0)); + asn1_push_tag(&data, ASN1_SEQUENCE(0)); + for (i=0; OIDs[i]; i++) { + asn1_write_OID(&data,OIDs[i]); + } + asn1_pop_tag(&data); + asn1_pop_tag(&data); + + asn1_push_tag(&data, ASN1_CONTEXT(2)); + asn1_write_OctetString(&data,blob.data,blob.length); + asn1_pop_tag(&data); + + asn1_pop_tag(&data); + asn1_pop_tag(&data); + + asn1_pop_tag(&data); + + asn1_check_empty(&data); + return data; +} + + +/* + generate a krb5 GSS-API wrapper packet given a ticket +*/ +static ASN1_DATA spnego_gen_krb5_wrap(DATA_BLOB ticket) +{ + ASN1_DATA data; + + memset(&data, 0, sizeof(data)); + + asn1_push_tag(&data, ASN1_APPLICATION(0)); + asn1_write_OID(&data, OID_KERBEROS5); + asn1_write_BOOLEAN(&data, 0); + asn1_write(&data, ticket.data, ticket.length); + asn1_pop_tag(&data); + + return data; +} + + +/* + generate a SPNEGO negTokenTarg packet, ready for a EXTENDED_SECURITY + kerberos session setup +*/ +DATA_BLOB spnego_gen_negTokenTarg(struct cli_state *cli) +{ + char *p; + fstring service; + DATA_BLOB tkt, ret; + ASN1_DATA tkt_wrapped, targ; + const char *krb_mechs[] = + {"1 2 840 48018 1 2 2", "1 3 6 1 4 1 311 2 2 10", NULL}; + + /* the service name is the WINS name of the server in lowercase with + a $ on the end */ + fstrcpy(service, cli->desthost); + p = strchr_m(service, '.'); + if (p) *p = 0; + fstrcat(service, "$"); + 
strlower(service); + + /* get a kerberos ticket for the service */ + tkt = krb5_get_ticket(service); + + /* wrap that up in a nice GSS-API wrapping */ + tkt_wrapped = spnego_gen_krb5_wrap(tkt); + + /* and wrap that in a shiny SPNEGO wrapper */ + targ = gen_negTokenTarg(krb_mechs, tkt_wrapped); + + ret = data_blob(targ.data, targ.length); + + asn1_free(&tkt_wrapped); + asn1_free(&targ); + data_blob_free(tkt); + + return ret; +} + +#else /* HAVE_KRB5 */ + void clikrb5_dummy(void) {} +#endif -- cgit From 8edc45ec4c467e5069875808d0abd9452e7b056c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 11 Oct 2001 10:29:17 +0000 Subject: fixed some memory leaks, started adding asn1 decoder for server side (This used to be commit 919734c1a6fd8b3bd0e12e96d878f47b6d6ff5e0) --- source3/libsmb/clikrb5.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index cd64dc8444..0e049c14a1 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -27,6 +27,9 @@ #define OID_SPNEGO "1 3 6 1 5 5 2" #define OID_KERBEROS5 "1 2 840 113554 1 2 2" +/* + we can't use krb5_mk_req because w2k wants the service to be in a particular format +*/ static krb5_error_code krb5_mk_req2(krb5_context context, krb5_auth_context *auth_context, const krb5_flags ap_req_options, @@ -113,11 +116,12 @@ static DATA_BLOB krb5_get_ticket(char *service) } ret = data_blob(packet.data, packet.length); - /* XXX need to free up a bunch of krb5 stuff here */ - + krb5_free_data_contents(context, &packet); + krb5_free_context(context); return ret; failed: + krb5_free_context(context); return data_blob(NULL, 0); } @@ -162,7 +166,6 @@ ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16], asn1_pop_tag(&data); - asn1_check_empty(&data); return data; } 
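Review bot: `spnego_gen_negTokenTarg` wraps whatever `krb5_get_ticket` returns, and that function answers every error with `data_blob(NULL, 0)` from its `failed:` label, so a failed ticket request still produces a complete negTokenTarg carrying an empty ticket that is then sent to the server. A guard right after the call, `if (!tkt.data) return data_blob(NULL, 0);`, keeps the failure visible to the caller instead of turning it into a malformed session setup. Separately, `krb5_mk_req2` obtains `realm` from `krb5_get_default_realm` and never releases it on any path; on MIT that is `krb5_free_default_realm(context, realm)` before the returns.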
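Review bot: The new `failed:` label in `krb5_get_ticket` calls `krb5_free_context(context)` on every error path, including the `goto failed` taken when `krb5_init_context` itself returned non-zero, where `context` has never been initialised. That first failure should return directly, `if (retval) { DEBUG(1,("krb5_init_context failed\n")); return data_blob(NULL, 0); }`, leaving the label for the paths that own a context. The credential cache from `krb5_cc_default` and the `auth_context` filled in by `krb5_mk_req2` (both outside this hunk) are also never released; `krb5_cc_close` and `krb5_auth_con_free` belong on the success path too. The same label structure is kept by the later "better krb5 error handling" hunk on this page, so the fix applies there as well.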
@@ -199,7 +202,6 @@ static ASN1_DATA gen_negTokenTarg(const char *OIDs[], ASN1_DATA blob) asn1_pop_tag(&data); - asn1_check_empty(&data); return data; } -- cgit From 7cd9c611e2a1e0028081863a3678c47bc8af7b55 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 11 Oct 2001 13:13:06 +0000 Subject: added a ASN.1 parser, so now I can properly parse the negTokenInit packet which means I can extract the service and realm, so we should now work with realms other than the local realm. it also means we now check the list of OIDs given by the server just in case it says that it doesn't support kerberos. In that case we should fall back to NTLMSSP but that isn't written yet. (This used to be commit 395cfeea94febb5280ea57027e8a8a3c7c3f9291) --- source3/libsmb/clikrb5.c | 179 +++++++++++++++++++++++++++++++---------------- 1 file changed, 120 insertions(+), 59 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 0e049c14a1..fb442f7f09 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -27,6 +27,8 @@ #define OID_SPNEGO "1 3 6 1 5 5 2" #define OID_KERBEROS5 "1 2 840 113554 1 2 2" +#define CHECK_CALL(x) if (! x) goto failed + /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ 
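Review bot: `#define CHECK_CALL(x) if (! x) goto failed` expands to a bare `if` with an unparenthesised argument, so any `CHECK_CALL(a || b)` form or a following `else` would bind unexpectedly. The usual shape is `#define CHECK_CALL(x) do { if (!(x)) goto failed; } while (0)`, which also makes the trailing semicolon at each use site mandatory rather than accidental.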
@@ -34,60 +36,62 @@ static krb5_error_code krb5_mk_req2(krb5_context context, krb5_auth_context *auth_context, const krb5_flags ap_req_options, const char *service, - krb5_data *in_data, + const char *realm, krb5_ccache ccache, krb5_data *outbuf) { - krb5_error_code retval; - krb5_principal server; - krb5_creds * credsp; - krb5_creds creds; - char *realm; - - /* we should really get the realm from the negTargInit packet, - but this will do until I've done the asn1 decoder for that */ - if ((retval = krb5_get_default_realm(context, &realm))) { - return retval; - } - - retval = krb5_build_principal(context, &server, strlen(realm), - realm, service, NULL); - if (retval) - return retval; - - /* obtain ticket & session key */ - memset((char *)&creds, 0, sizeof(creds)); - if ((retval = krb5_copy_principal(context, server, &creds.server))) - goto cleanup_princ; - - if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) - goto cleanup_creds; - - if ((retval = krb5_get_credentials(context, 0, - ccache, &creds, &credsp))) - goto cleanup_creds; - - retval = krb5_mk_req_extended(context, auth_context, ap_req_options, - in_data, credsp, outbuf); + krb5_error_code retval; + krb5_principal server; + krb5_creds * credsp; + krb5_creds creds; + krb5_data in_data; + + retval = krb5_build_principal(context, &server, strlen(realm), + realm, service, NULL); + if (retval) { + DEBUG(1,("Failed to build principle for %s@%s\n", service, realm)); + return retval; + } + + /* obtain ticket & session key */ + memset((char *)&creds, 0, sizeof(creds)); + if ((retval = krb5_copy_principal(context, server, &creds.server))) + goto cleanup_princ; + + if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) + goto cleanup_creds; + + if ((retval = krb5_get_credentials(context, 0, + ccache, &creds, &credsp))) { + DEBUG(1,("krb5_get_credentials failed (%d)\n", retval)); + goto cleanup_creds; + } - krb5_free_creds(context, credsp); + in_data.length = 0; + retval = 
krb5_mk_req_extended(context, auth_context, ap_req_options, + &in_data, credsp, outbuf); + if (retval) { + DEBUG(1,("krb5_mk_req_extended failed (%d)\n", retval)); + } + + krb5_free_creds(context, credsp); cleanup_creds: - krb5_free_cred_contents(context, &creds); + krb5_free_cred_contents(context, &creds); cleanup_princ: - krb5_free_principal(context, server); + krb5_free_principal(context, server); - return retval; + return retval; } /* get a kerberos5 ticket for the given service */ -static DATA_BLOB krb5_get_ticket(char *service) +static DATA_BLOB krb5_get_ticket(char *service, char *realm) { krb5_error_code retval; - krb5_data packet, inbuf; + krb5_data packet; krb5_ccache ccdef; krb5_context context; krb5_auth_context auth_context = NULL; @@ -99,8 +103,6 @@ static DATA_BLOB krb5_get_ticket(char *service) goto failed; } - inbuf.length = 0; - if ((retval = krb5_cc_default(context, &ccdef))) { DEBUG(1,("krb5_cc_default failed\n")); goto failed; @@ -109,8 +111,8 @@ static DATA_BLOB krb5_get_ticket(char *service) if ((retval = krb5_mk_req2(context, &auth_context, AP_OPTS_MUTUAL_REQUIRED, - service, - &inbuf, ccdef, &packet))) { + service, realm, + ccdef, &packet))) { DEBUG(1,("krb5_mk_req2 failed\n")); goto failed; } 
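Review bot: `krb5_data in_data;` is declared and only `in_data.length = 0;` is set before `&in_data` is handed to `krb5_mk_req_extended`; `in_data.data` is left indeterminate, which is undefined behaviour to read and may be dereferenced by a library that checks the pointer rather than the length. Initialise it fully, `krb5_data in_data = {0};` or `in_data.data = NULL;` next to the length assignment. Since the commit message says `service` and `realm` now come out of the server's negTokenInit, a one-line comment above `krb5_build_principal` stating that both strings are peer-supplied would help the next reader judge the `DEBUG` that echoes them.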
@@ -139,16 +141,16 @@ ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16], memset(&data, 0, sizeof(data)); - asn1_write(&data, guid, 16); - asn1_push_tag(&data,ASN1_APPLICATION(0)); - asn1_write_OID(&data,OID_SPNEGO); - asn1_push_tag(&data,ASN1_CONTEXT(0)); - asn1_push_tag(&data,ASN1_SEQUENCE(0)); + CHECK_CALL(asn1_write(&data, guid, 16)); + CHECK_CALL(asn1_push_tag(&data,ASN1_APPLICATION(0))); + CHECK_CALL(asn1_write_OID(&data,OID_SPNEGO)); + CHECK_CALL(asn1_push_tag(&data,ASN1_CONTEXT(0))); + CHECK_CALL(asn1_push_tag(&data,ASN1_SEQUENCE(0))); - asn1_push_tag(&data,ASN1_CONTEXT(0)); - asn1_push_tag(&data,ASN1_SEQUENCE(0)); + CHECK_CALL(asn1_push_tag(&data,ASN1_CONTEXT(0))); + CHECK_CALL(asn1_push_tag(&data,ASN1_SEQUENCE(0))); for (i=0; OIDs[i]; i++) { - asn1_write_OID(&data,OIDs[i]); + CHECK_CALL(asn1_write_OID(&data,OIDs[i])); } asn1_pop_tag(&data); asn1_pop_tag(&data); 
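Review bot: `CHECK_CALL` is applied to the first seven writes of `spnego_gen_negTokenInit` only; the `asn1_pop_tag` calls in this hunk and the `ASN1_CONTEXT(3)` / `asn1_write_GeneralString` section that follows (outside the hunk) remain unchecked, so an encoder error after the OID loop still returns a partially built `data` to the caller without reaching `failed:`. Either wrap every call consistently or rely on a single `data.has_error` test before `return data;`, but not a mix of the two; the body of the function continues past the end of this hunk.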
@@ -167,6 +169,62 @@ ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16], asn1_pop_tag(&data); return data; + +failed: + DEBUG(1,("Failed to build negTokenInit at offset %d\n", (int)data.ofs)); + asn1_free(&data); + return data; +} + + +/* + parse a negTokenInit packet giving a GUID, a list of supported + OIDs (the mechanisms) and a principle name string +*/ +BOOL spnego_parse_negTokenInit(DATA_BLOB blob, + uint8 guid[16], + char *OIDs[ASN1_MAX_OIDS], + char **principle) +{ + int i; + BOOL ret; + ASN1_DATA data; + + asn1_load(&data, blob); + + asn1_read(&data, guid, 16); + asn1_start_tag(&data,ASN1_APPLICATION(0)); + asn1_check_OID(&data,OID_SPNEGO); + asn1_start_tag(&data,ASN1_CONTEXT(0)); + asn1_start_tag(&data,ASN1_SEQUENCE(0)); + + asn1_start_tag(&data,ASN1_CONTEXT(0)); + asn1_start_tag(&data,ASN1_SEQUENCE(0)); + for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++) { + char *oid = NULL; + asn1_read_OID(&data,&oid); + OIDs[i] = oid; + } + OIDs[i] = NULL; + asn1_end_tag(&data); + asn1_end_tag(&data); + + asn1_start_tag(&data, ASN1_CONTEXT(3)); + asn1_start_tag(&data, ASN1_SEQUENCE(0)); + asn1_start_tag(&data, ASN1_CONTEXT(0)); + asn1_read_GeneralString(&data,principle); + asn1_end_tag(&data); + asn1_end_tag(&data); + asn1_end_tag(&data); + + asn1_end_tag(&data); + asn1_end_tag(&data); + + asn1_end_tag(&data); + + ret = !data.has_error; + asn1_free(&data); + return ret; } 
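Review bot: In `spnego_parse_negTokenInit` the loop `for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++)` can exit with `i == ASN1_MAX_OIDS`, and the following `OIDs[i] = NULL;` then writes one element past an array declared as `char *OIDs[ASN1_MAX_OIDS]`; the element count is chosen by the peer that sent the token. Bound the loop with `i < ASN1_MAX_OIDS - 1` so the terminator always fits. `*principle` is only assigned inside `asn1_read_GeneralString`, so a caller that frees it after a `False` return taken before that point frees an indeterminate pointer; set `*principle = NULL;` at the top, and the comment should state that OID strings already stored in `OIDs[]` remain owned by the caller on failure.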
@@ -229,25 +287,28 @@ static ASN1_DATA spnego_gen_krb5_wrap(DATA_BLOB ticket) generate a SPNEGO negTokenTarg packet, ready for a EXTENDED_SECURITY kerberos session setup */ -DATA_BLOB spnego_gen_negTokenTarg(struct cli_state *cli) +DATA_BLOB spnego_gen_negTokenTarg(struct cli_state *cli, char *principle) { char *p; fstring service; + char *realm; DATA_BLOB tkt, ret; ASN1_DATA tkt_wrapped, targ; const char *krb_mechs[] = {"1 2 840 48018 1 2 2", "1 3 6 1 4 1 311 2 2 10", NULL}; - /* the service name is the WINS name of the server in lowercase with - a $ on the end */ - fstrcpy(service, cli->desthost); - p = strchr_m(service, '.'); - if (p) *p = 0; - fstrcat(service, "$"); - strlower(service); + fstrcpy(service, principle); + p = strchr_m(service, '@'); + if (!p) { + DEBUG(1,("Malformed principle [%s] in spnego_gen_negTokenTarg\n", + principle)); + return data_blob(NULL, 0); + } + *p = 0; + realm = p+1; /* get a kerberos ticket for the service */ - tkt = krb5_get_ticket(service); + tkt = krb5_get_ticket(service, realm); /* wrap that up in a nice GSS-API wrapping */ tkt_wrapped = spnego_gen_krb5_wrap(tkt); -- cgit From 2b09ef2a2d8a94fb146a17a50604f0e0081fe09d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 11 Oct 2001 13:49:08 +0000 Subject: improve the error handling in the ASN1 code a bit (This used to be commit 8b692d8326a1548a7dbbd2cecee9ece6aa60473a) --- source3/libsmb/clikrb5.c | 36 ++++++++++++++++++++++-------------- 1 file changed, 22 insertions(+), 14 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index fb442f7f09..b4847e4c2a 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -27,8 +27,6 @@ #define OID_SPNEGO "1 3 6 1 5 5 2" #define OID_KERBEROS5 "1 2 840 113554 1 2 2" -#define CHECK_CALL(x) if (! x) goto failed - /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ 
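Review bot: The `strchr_m(service, '@')` test only proves a separator exists; with `p == service` the service name becomes empty, and with `'@'` as the last character `realm` points at an empty string, and both are passed on to `krb5_get_ticket` unexamined. Reject those forms alongside the missing-separator case, `if (!p || p == service || !p[1]) { ... return data_blob(NULL, 0); }`. Because `principle` is now the string the server placed in its negTokenInit rather than something derived from `cli->desthost`, a comment above `fstrcpy` saying so would document the trust boundary for the next maintainer.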
@@ -141,16 +139,16 @@ ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16], memset(&data, 0, sizeof(data)); - CHECK_CALL(asn1_write(&data, guid, 16)); - CHECK_CALL(asn1_push_tag(&data,ASN1_APPLICATION(0))); - CHECK_CALL(asn1_write_OID(&data,OID_SPNEGO)); - CHECK_CALL(asn1_push_tag(&data,ASN1_CONTEXT(0))); - CHECK_CALL(asn1_push_tag(&data,ASN1_SEQUENCE(0))); + asn1_write(&data, guid, 16); + asn1_push_tag(&data,ASN1_APPLICATION(0)); + asn1_write_OID(&data,OID_SPNEGO); + asn1_push_tag(&data,ASN1_CONTEXT(0)); + asn1_push_tag(&data,ASN1_SEQUENCE(0)); - CHECK_CALL(asn1_push_tag(&data,ASN1_CONTEXT(0))); - CHECK_CALL(asn1_push_tag(&data,ASN1_SEQUENCE(0))); + asn1_push_tag(&data,ASN1_CONTEXT(0)); + asn1_push_tag(&data,ASN1_SEQUENCE(0)); for (i=0; OIDs[i]; i++) { - CHECK_CALL(asn1_write_OID(&data,OIDs[i])); + asn1_write_OID(&data,OIDs[i]); } asn1_pop_tag(&data); asn1_pop_tag(&data); @@ -168,11 +166,11 @@ ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16], asn1_pop_tag(&data); - return data; + if (data.has_error) { + DEBUG(1,("Failed to build negTokenInit at offset %d\n", (int)data.ofs)); + asn1_free(&data); + } -failed: - DEBUG(1,("Failed to build negTokenInit at offset %d\n", (int)data.ofs)); - asn1_free(&data); return data; } @@ -260,6 +258,11 @@ static ASN1_DATA gen_negTokenTarg(const char *OIDs[], ASN1_DATA blob) asn1_pop_tag(&data); + if (data.has_error) { + DEBUG(1,("Failed to build negTokenTarg at offset %d\n", (int)data.ofs)); + asn1_free(&data); + } + return data; } @@ -279,6 +282,11 @@ static ASN1_DATA spnego_gen_krb5_wrap(DATA_BLOB ticket) asn1_write(&data, ticket.data, ticket.length); asn1_pop_tag(&data); + if (data.has_error) { + DEBUG(1,("Failed to build krb5 wrapper at offset %d\n", (int)data.ofs)); + asn1_free(&data); + } + return data; } -- cgit From 9f7cb41f11c0d2fc09104f6998f75c59bc363b26 Mon Sep 17 00:00:00 2001 
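Review bot: Each of the `@@ -168`, `@@ -260` and `@@ -279` hunks calls `asn1_free(&data)` when `data.has_error` is set and then returns `data` anyway, while `spnego_gen_negTokenTarg` (outside these hunks) calls `asn1_free` on both results without checking `has_error` and also reads `blob.data`/`blob.length` from the wrapped ticket. Unless `asn1_free` resets `data.data` and `data.length` to zero, that is a double free and a read of released memory on the error path; I cannot see `asn1_free` from here, so this needs confirming. The safer contract is to document on each generator that an errored `ASN1_DATA` has already been released, and have the caller test `if (tkt_wrapped.has_error || targ.has_error) return data_blob(NULL, 0);` before using either.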
From: Andrew Tridgell Date: Fri, 12 Oct 2001 04:49:42 +0000 Subject: added NTLMSSP authentication to libsmb. It seems to work well so I have enabled it by default if the server supports it. Let me know if this breaks anything. Choose kerberos with the -k flag to smbclient, otherwise it will use SPNEGO/NTLMSSP/NTLM (This used to be commit 076aa97bee54d182288d9e93ae160ae22a5f7757) --- source3/libsmb/clikrb5.c | 221 ++--------------------------------------------- 1 file changed, 8 insertions(+), 213 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index b4847e4c2a..59a547b171 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -1,7 +1,7 @@ /* Unix SMB/Netbios implementation. Version 3.0 - simple kerberos5/SPNEGO routines + simple kerberos5 routines for active directory Copyright (C) Andrew Tridgell 2001 This program is free software; you can redistribute it and/or modify @@ -24,9 +24,6 @@ #if HAVE_KRB5 #include -#define OID_SPNEGO "1 3 6 1 5 5 2" -#define OID_KERBEROS5 "1 2 840 113554 1 2 2" - /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ @@ -86,7 +83,7 @@ cleanup_princ: /* get a kerberos5 ticket for the given service */ -static DATA_BLOB krb5_get_ticket(char *service, char *realm) +DATA_BLOB krb5_get_ticket(char *service, char *realm) { krb5_error_code retval; krb5_data packet; 
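Review bot: `krb5_get_ticket` becomes an exported symbol in the `@@ -86,7` hunk, but its signature keeps `char *service, char *realm` although the function only reads them and forwards them to `krb5_mk_req2`, which already takes `const char *`. Declare it `DATA_BLOB krb5_get_ticket(const char *service, const char *realm)` now that it is public API so callers holding string literals or `const` buffers do not need casts. The matching prototype and the non-`HAVE_KRB5` stub in the following hunk should change in step.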
@@ -126,213 +123,11 @@ failed: } -/* - generate a negTokenInit packet given a GUID, a list of supported - OIDs (the mechanisms) and a principle name string -*/ -ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16], - const char *OIDs[], - const char *principle) -{ - int i; - ASN1_DATA data; - - memset(&data, 0, sizeof(data)); - - asn1_write(&data, guid, 16); - asn1_push_tag(&data,ASN1_APPLICATION(0)); - asn1_write_OID(&data,OID_SPNEGO); - asn1_push_tag(&data,ASN1_CONTEXT(0)); - asn1_push_tag(&data,ASN1_SEQUENCE(0)); - - asn1_push_tag(&data,ASN1_CONTEXT(0)); - asn1_push_tag(&data,ASN1_SEQUENCE(0)); - for (i=0; OIDs[i]; i++) { - asn1_write_OID(&data,OIDs[i]); - } - asn1_pop_tag(&data); - asn1_pop_tag(&data); - - asn1_push_tag(&data, ASN1_CONTEXT(3)); - asn1_push_tag(&data, ASN1_SEQUENCE(0)); - asn1_push_tag(&data, ASN1_CONTEXT(0)); - asn1_write_GeneralString(&data,principle); - asn1_pop_tag(&data); - asn1_pop_tag(&data); - asn1_pop_tag(&data); - - asn1_pop_tag(&data); - asn1_pop_tag(&data); - - asn1_pop_tag(&data); - - if (data.has_error) { - DEBUG(1,("Failed to build negTokenInit at offset %d\n", (int)data.ofs)); - asn1_free(&data); - } - - return data; -} - - -/* - parse a negTokenInit packet giving a GUID, a list of supported - OIDs (the mechanisms) and a principle name string -*/ -BOOL spnego_parse_negTokenInit(DATA_BLOB blob, - uint8 guid[16], - char *OIDs[ASN1_MAX_OIDS], - char **principle) -{ - int i; - BOOL ret; - ASN1_DATA data; - - asn1_load(&data, blob); - - asn1_read(&data, guid, 16); - asn1_start_tag(&data,ASN1_APPLICATION(0)); - asn1_check_OID(&data,OID_SPNEGO); - asn1_start_tag(&data,ASN1_CONTEXT(0)); - asn1_start_tag(&data,ASN1_SEQUENCE(0)); - - asn1_start_tag(&data,ASN1_CONTEXT(0)); - asn1_start_tag(&data,ASN1_SEQUENCE(0)); - for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++) { - char *oid = NULL; - asn1_read_OID(&data,&oid); - OIDs[i] = oid; - } - OIDs[i] = NULL; - asn1_end_tag(&data); - asn1_end_tag(&data); - - asn1_start_tag(&data, 
ASN1_CONTEXT(3)); - asn1_start_tag(&data, ASN1_SEQUENCE(0)); - asn1_start_tag(&data, ASN1_CONTEXT(0)); - asn1_read_GeneralString(&data,principle); - asn1_end_tag(&data); - asn1_end_tag(&data); - asn1_end_tag(&data); - - asn1_end_tag(&data); - asn1_end_tag(&data); - - asn1_end_tag(&data); - - ret = !data.has_error; - asn1_free(&data); - return ret; -} - - -/* - generate a negTokenTarg packet given a list of OIDs and a security blob -*/ -static ASN1_DATA gen_negTokenTarg(const char *OIDs[], ASN1_DATA blob) -{ - int i; - ASN1_DATA data; - - memset(&data, 0, sizeof(data)); - - asn1_push_tag(&data, ASN1_APPLICATION(0)); - asn1_write_OID(&data,OID_SPNEGO); - asn1_push_tag(&data, ASN1_CONTEXT(0)); - asn1_push_tag(&data, ASN1_SEQUENCE(0)); - - asn1_push_tag(&data, ASN1_CONTEXT(0)); - asn1_push_tag(&data, ASN1_SEQUENCE(0)); - for (i=0; OIDs[i]; i++) { - asn1_write_OID(&data,OIDs[i]); - } - asn1_pop_tag(&data); - asn1_pop_tag(&data); - - asn1_push_tag(&data, ASN1_CONTEXT(2)); - asn1_write_OctetString(&data,blob.data,blob.length); - asn1_pop_tag(&data); - - asn1_pop_tag(&data); - asn1_pop_tag(&data); - - asn1_pop_tag(&data); - - if (data.has_error) { - DEBUG(1,("Failed to build negTokenTarg at offset %d\n", (int)data.ofs)); - asn1_free(&data); - } - - return data; -} - - -/* - generate a krb5 GSS-API wrapper packet given a ticket -*/ -static ASN1_DATA spnego_gen_krb5_wrap(DATA_BLOB ticket) -{ - ASN1_DATA data; - - memset(&data, 0, sizeof(data)); - - asn1_push_tag(&data, ASN1_APPLICATION(0)); - asn1_write_OID(&data, OID_KERBEROS5); - asn1_write_BOOLEAN(&data, 0); - asn1_write(&data, ticket.data, ticket.length); - asn1_pop_tag(&data); - - if (data.has_error) { - DEBUG(1,("Failed to build krb5 wrapper at offset %d\n", (int)data.ofs)); - asn1_free(&data); - } - - return data; -} - - -/* - generate a SPNEGO negTokenTarg packet, ready for a EXTENDED_SECURITY - kerberos session setup -*/ -DATA_BLOB spnego_gen_negTokenTarg(struct cli_state *cli, char *principle) -{ - char *p; - 
fstring service; - char *realm; - DATA_BLOB tkt, ret; - ASN1_DATA tkt_wrapped, targ; - const char *krb_mechs[] = - {"1 2 840 48018 1 2 2", "1 3 6 1 4 1 311 2 2 10", NULL}; - - fstrcpy(service, principle); - p = strchr_m(service, '@'); - if (!p) { - DEBUG(1,("Malformed principle [%s] in spnego_gen_negTokenTarg\n", - principle)); - return data_blob(NULL, 0); - } - *p = 0; - realm = p+1; - - /* get a kerberos ticket for the service */ - tkt = krb5_get_ticket(service, realm); - - /* wrap that up in a nice GSS-API wrapping */ - tkt_wrapped = spnego_gen_krb5_wrap(tkt); - - /* and wrap that in a shiny SPNEGO wrapper */ - targ = gen_negTokenTarg(krb_mechs, tkt_wrapped); - - ret = data_blob(targ.data, targ.length); - - asn1_free(&tkt_wrapped); - asn1_free(&targ); - data_blob_free(tkt); - - return ret; -} - #else /* HAVE_KRB5 */ - void clikrb5_dummy(void) {} + /* this saves a few linking headaches */ + DATA_BLOB krb5_get_ticket(char *service, char *realm) + { + DEBUG(0,("NO KERBEROS SUPPORT\n")); + return data_blob(NULL, 0); + } #endif -- cgit From b886c3b3fa5866ac6f82a25e11c6f4ed954085dc Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 16 Oct 2001 12:02:18 +0000 Subject: fix heimdal compilation (This used to be commit 888183a17cfb12c0cbf7d1ed515064d6f1716114) --- source3/libsmb/clikrb5.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 59a547b171..68e941f2aa 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -113,7 +113,8 @@ DATA_BLOB krb5_get_ticket(char *service, char *realm) } ret = data_blob(packet.data, packet.length); - krb5_free_data_contents(context, &packet); +/* Hmm, heimdal dooesn't have this - what's the correct call? */ +/* krb5_free_data_contents(context, &packet); */ krb5_free_context(context); return ret; -- cgit From 5ad7448359c7bc1d3b1579f105b7324290bf21ec Mon Sep 17 00:00:00 2001 
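Review bot: Commenting out `krb5_free_data_contents(context, &packet)` reintroduces the leak of `packet.data` on every successful ticket request in order to compile against Heimdal. Rather than dropping the release for both libraries, select the call at configure time: keep `krb5_free_data_contents` where the build detects it and use Heimdal's `krb5_data_free(&packet)` otherwise, behind a small local helper so the success path in `krb5_get_ticket` stays a single line.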
From: Andrew Tridgell Date: Thu, 18 Oct 2001 10:26:06 +0000 Subject: the beginnings of kerberos support in smbd. It doesn't work yet, but it should give something for others to hack on and possibly find what I'm doing wrong. (This used to be commit 353c290f059347265b9be2aa1010c2956da06485) --- source3/libsmb/clikrb5.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 68e941f2aa..51b6e6e8cf 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -22,8 +22,6 @@ #include "includes.h" #if HAVE_KRB5 -#include - /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ @@ -105,7 +103,7 @@ DATA_BLOB krb5_get_ticket(char *service, char *realm) if ((retval = krb5_mk_req2(context, &auth_context, - AP_OPTS_MUTUAL_REQUIRED, + 0, service, realm, ccdef, &packet))) { DEBUG(1,("krb5_mk_req2 failed\n")); -- cgit From 93645be91f7fd12dfee75b6f09dda6799f0ac902 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 20 Oct 2001 06:50:24 +0000 Subject: better krb5 error handling (thanks andrewb!) (This used to be commit fd3a3daef3b8f7140e7006d30d23d739ac3aad2f) --- source3/libsmb/clikrb5.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 51b6e6e8cf..5fef97c571 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
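Review bot: Replacing `AP_OPTS_MUTUAL_REQUIRED` with `0` in the `krb5_mk_req2` call of `krb5_get_ticket` gives up the client's request for the server to prove possession of the session key, and nothing in the hunk records why. If the reply is never verified on this path anyway, say so at the call site, e.g. `/* 0: no mutual auth requested; the AP-REP is not verified here (TODO) */`; if it is, the flag should stay. An unexplained `0` in a security-relevant argument will otherwise be read as deliberate by the next maintainer.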
@@ -48,15 +48,22 @@ static krb5_error_code krb5_mk_req2(krb5_context context, /* obtain ticket & session key */ memset((char *)&creds, 0, sizeof(creds)); - if ((retval = krb5_copy_principal(context, server, &creds.server))) + if ((retval = krb5_copy_principal(context, server, &creds.server))) { + DEBUG(1,("krb5_copy_principal failed (%s)\n", + error_message(retval))); goto cleanup_princ; + } - if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) + if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) { + DEBUG(1,("krb5_cc_get_principal failed (%s)\n", + error_message(retval))); goto cleanup_creds; + } if ((retval = krb5_get_credentials(context, 0, ccache, &creds, &credsp))) { - DEBUG(1,("krb5_get_credentials failed (%d)\n", retval)); + DEBUG(1,("krb5_get_credentials failed (%s)\n", + error_message(retval))); goto cleanup_creds; } @@ -64,7 +71,8 @@ static krb5_error_code krb5_mk_req2(krb5_context context, retval = krb5_mk_req_extended(context, auth_context, ap_req_options, &in_data, credsp, outbuf); if (retval) { - DEBUG(1,("krb5_mk_req_extended failed (%d)\n", retval)); + DEBUG(1,("krb5_mk_req_extended failed (%s)\n", + error_message(retval))); } krb5_free_creds(context, credsp); @@ -92,12 +100,14 @@ DATA_BLOB krb5_get_ticket(char *service, char *realm) retval = krb5_init_context(&context); if (retval) { - DEBUG(1,("krb5_init_context failed\n")); + DEBUG(1,("krb5_init_context failed (%s)\n", + error_message(retval))); goto failed; } if ((retval = krb5_cc_default(context, &ccdef))) { - DEBUG(1,("krb5_cc_default failed\n")); + DEBUG(1,("krb5_cc_default failed (%s)\n", + error_message(retval))); goto failed; } @@ -106,7 +116,6 @@ DATA_BLOB krb5_get_ticket(char *service, char *realm) 0, service, realm, ccdef, &packet))) { - DEBUG(1,("krb5_mk_req2 failed\n")); goto failed; } -- cgit From bbcd9deb07fe0cfcb2911093e1c99d30b210e7d2 Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Sun, 21 Oct 2001 03:25:34 +0000 Subject: made smbclient cope better with arbitrary principle forms (This used to be commit d1341d74b7aa5f6b3f72e5409b245f87f1ad670b) --- source3/libsmb/clikrb5.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 5fef97c571..98e27fb9c4 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -28,8 +28,7 @@ static krb5_error_code krb5_mk_req2(krb5_context context, krb5_auth_context *auth_context, const krb5_flags ap_req_options, - const char *service, - const char *realm, + const char *principle, krb5_ccache ccache, krb5_data *outbuf) { @@ -39,10 +38,9 @@ static krb5_error_code krb5_mk_req2(krb5_context context, krb5_creds creds; krb5_data in_data; - retval = krb5_build_principal(context, &server, strlen(realm), - realm, service, NULL); + retval = krb5_parse_name(context, principle, &server); if (retval) { - DEBUG(1,("Failed to build principle for %s@%s\n", service, realm)); + DEBUG(1,("Failed to parse principle %s\n", principle)); return retval; } @@ -89,7 +87,7 @@ cleanup_princ: /* get a kerberos5 ticket for the given service */ -DATA_BLOB krb5_get_ticket(char *service, char *realm) +DATA_BLOB krb5_get_ticket(char *principle) { krb5_error_code retval; krb5_data packet; @@ -114,7 +112,7 @@ DATA_BLOB krb5_get_ticket(char *service, char *realm) if ((retval = krb5_mk_req2(context, &auth_context, 0, - service, realm, + principle, ccdef, &packet))) { goto failed; } -- cgit From c41b64d81408e252a2cf5bc52d5ca5e07120a9c7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 21 Oct 2001 04:08:15 +0000 Subject: Fix for compilation on non-krb5 systems (This used to be commit 44bdb8b12b3d6a7bf3148c2ac651a79f10776db6) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') 
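Review bot: With the realm/service split gone, `krb5_parse_name(context, principle, &server)` now accepts any principal form the peer supplied, and a name without a realm component is completed with the client's default realm by the library, so the comment on `krb5_mk_req2` should state that the caller is responsible for deciding whether a realm-less principal is acceptable. Since `krb5_parse_name` takes `const char *`, the public `krb5_get_ticket(char *principle)` in the `@@ -89,7` hunk can be declared `DATA_BLOB krb5_get_ticket(const char *principle)` to match the `const` parameter it forwards to.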
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 98e27fb9c4..5641692f2e 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -131,7 +131,7 @@ failed: #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ - DATA_BLOB krb5_get_ticket(char *service, char *realm) + DATA_BLOB krb5_get_ticket(char *principle) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return data_blob(NULL, 0); -- cgit From cfd68eaac48a29dec245dc6de03aae0d58698862 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 21 Oct 2001 20:51:27 +0000 Subject: Ok, I know it's a language thing and it shouldn't matter.... but a kerberos name is a "principal", not a principle. English majors will complain :-). Jeremy. (This used to be commit b668d7d656cdd066820fb8044f24bcd4fda29524) --- source3/libsmb/clikrb5.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 5641692f2e..b4ce271235 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -28,7 +28,7 @@ static krb5_error_code krb5_mk_req2(krb5_context context, krb5_auth_context *auth_context, const krb5_flags ap_req_options, - const char *principle, + const char *principal, krb5_ccache ccache, krb5_data *outbuf) { @@ -38,9 +38,9 @@ static krb5_error_code krb5_mk_req2(krb5_context context, krb5_creds creds; krb5_data in_data; - retval = krb5_parse_name(context, principle, &server); + retval = krb5_parse_name(context, principal, &server); if (retval) { - DEBUG(1,("Failed to parse principle %s\n", principle)); + DEBUG(1,("Failed to parse principal %s\n", principal)); return retval; } @@ -87,7 +87,7 @@ cleanup_princ: /* get a kerberos5 ticket for the given service */ -DATA_BLOB krb5_get_ticket(char *principle) +DATA_BLOB krb5_get_ticket(char *principal) { krb5_error_code retval; krb5_data packet; 
@@ -112,7 +112,7 @@ DATA_BLOB krb5_get_ticket(char *principle) if ((retval = krb5_mk_req2(context, &auth_context, 0, - principle, + principal, ccdef, &packet))) { goto failed; } @@ -131,7 +131,7 @@ failed: #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ - DATA_BLOB krb5_get_ticket(char *principle) + DATA_BLOB krb5_get_ticket(char *principal) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return data_blob(NULL, 0); -- cgit From ad2974cd05b4d08c8b92f505bf95aa8e8533235f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 24 Nov 2001 14:16:41 +0000 Subject: added "net join" command this completes the first stage of the smbd ADS support (This used to be commit 058a5aee901e6609969ef7e1d482a720a84a4a12) --- source3/libsmb/clikrb5.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index b4ce271235..37b92b8d99 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -95,6 +95,7 @@ DATA_BLOB krb5_get_ticket(char *principal) krb5_context context; krb5_auth_context auth_context = NULL; DATA_BLOB ret; + krb5_enctype enc_types[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_NULL}; retval = krb5_init_context(&context); if (retval) { @@ -109,6 +110,12 @@ DATA_BLOB krb5_get_ticket(char *principal) goto failed; } + if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) { + DEBUG(1,("krb5_set_default_tgs_ktypes failed (%s)\n", + error_message(retval))); + goto failed; + } + if ((retval = krb5_mk_req2(context, &auth_context, 0, -- cgit From f6b962fba37a1ac105301d699708e541ce34d3b4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 28 Nov 2001 23:54:07 +0000 Subject: fixed some krb5 ifdefs (This used to be commit 23ef22f11700bbaa5778a9678a990a2b041fcefe) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') 
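Review bot: `krb5_enctype enc_types[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_NULL};` handed to `krb5_set_default_tgs_ktypes` restricts every service ticket obtained by krb5_get_ticket to a single-DES session key, even against a KDC that would issue a stronger type, and the commit does not say why. If this is interop with the target DC (my guess from the surrounding comments about w2k), record it so the restriction is revisited rather than inherited: `/* DES only: presumably required by the w2k-era DC (TODO confirm); this forces a 56-bit session key */`. Later commits on this page (a834a73e, d08116ff) extend the list but keep DES in it. krb5_get_ticket continues outside the hunk.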
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 37b92b8d99..03fb6a5669 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -21,7 +21,7 @@ #include "includes.h" -#if HAVE_KRB5 +#ifdef HAVE_KRB5 /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ -- cgit From 9126a40e2c33e0eb4cd57ab381634e08fa59e7a7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 19 Dec 2001 09:53:30 +0000 Subject: added trusted realm support to ADS authentication the method used for checking if a domain is a trusted domain is very crude, we should really call a backend fn of some sort. For now I'm using winbindd to do the dirty work. (This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af) --- source3/libsmb/clikrb5.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 03fb6a5669..cc77c08d26 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -60,8 +60,8 @@ static krb5_error_code krb5_mk_req2(krb5_context context, if ((retval = krb5_get_credentials(context, 0, ccache, &creds, &credsp))) { - DEBUG(1,("krb5_get_credentials failed (%s)\n", - error_message(retval))); + DEBUG(1,("krb5_get_credentials failed for %s (%s)\n", + principal, error_message(retval))); goto cleanup_creds; } -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/libsmb/clikrb5.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index cc77c08d26..685c4a25e0 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 3.0 + Unix SMB/CIFS implementation. simple kerberos5 routines for active directory Copyright (C) Andrew Tridgell 2001 -- cgit From a834a73e341059be154426390304a42e4a011f72 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Sep 2002 15:19:00 +0000 Subject: sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139) --- source3/libsmb/clikrb5.c | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 685c4a25e0..e7143d065d 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -64,6 +64,14 @@ static krb5_error_code krb5_mk_req2(krb5_context context, goto cleanup_creds; } + /* cope with the ticket being in the future due to clock skew */ + if ((unsigned)credsp->times.starttime > time(NULL)) { + time_t t = time(NULL); + int time_offset = (unsigned)credsp->times.starttime - t; + DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset)); + krb5_set_real_time(context, t + time_offset + 1, 0); + } + in_data.length = 0; retval = krb5_mk_req_extended(context, auth_context, ap_req_options, &in_data, credsp, outbuf); @@ -86,7 +94,7 @@ cleanup_princ: /* get a kerberos5 ticket for the given service */ -DATA_BLOB krb5_get_ticket(char *principal) +DATA_BLOB krb5_get_ticket(char *principal, time_t time_offset) { krb5_error_code retval; krb5_data packet; @@ -94,7 +102,12 @@ DATA_BLOB krb5_get_ticket(char *principal) krb5_context context; krb5_auth_context auth_context = NULL; DATA_BLOB ret; - krb5_enctype enc_types[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_NULL}; + krb5_enctype enc_types[] = { +#ifdef ENCTYPE_ARCFOUR_HMAC + ENCTYPE_ARCFOUR_HMAC, +#endif + ENCTYPE_DES_CBC_MD5, + ENCTYPE_NULL}; retval = krb5_init_context(&context); if (retval) { 
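Review bot: The clock-skew block added to krb5_mk_req2 calls `time(NULL)` twice — once in the comparison and again into `t` — so `time_offset` is computed from a different reading than the one that triggered the branch, and the return value of `krb5_set_real_time` is discarded while every other krb5 call in this function is checked. Read the clock once before the test, `time_t t = time(NULL);` then `if ((unsigned)credsp->times.starttime > t) {`, and handle a non-zero return the same way as the surrounding calls. The `+ 1` in `t + time_offset + 1` is undocumented; a one-line comment on why an extra second is added would help the next reader. krb5_mk_req2 starts and ends outside the hunk.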
@@ -103,6 +116,10 @@ DATA_BLOB krb5_get_ticket(char *principal) goto failed; } + if (time_offset != 0) { + krb5_set_real_time(context, time(NULL) + time_offset, 0); + } + if ((retval = krb5_cc_default(context, &ccdef))) { DEBUG(1,("krb5_cc_default failed (%s)\n", error_message(retval))); @@ -137,7 +154,7 @@ failed: #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ - DATA_BLOB krb5_get_ticket(char *principal) + DATA_BLOB krb5_get_ticket(char *principal, time_t time_offset) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return data_blob(NULL, 0); -- cgit From f2e3b68ce6db8b06f5ea4c8cc969cc1b8e4d9bd9 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 15 Nov 2002 17:57:25 +0000 Subject: fix segfault (This used to be commit 36bcb312e95f46d196575ed3535679deeddd89b0) --- source3/libsmb/clikrb5.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index e7143d065d..54a8a6ffe8 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -147,7 +147,9 @@ DATA_BLOB krb5_get_ticket(char *principal, time_t time_offset) return ret; failed: - krb5_free_context(context); + if ( context ) + krb5_free_context(context); + return data_blob(NULL, 0); } -- cgit From 634c54310c92c48dd4eceec602e230a021bdcfc5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 3 Jan 2003 08:28:12 +0000 Subject: Merge from HEAD - make Samba compile with -Wwrite-strings without additional warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 54a8a6ffe8..a7b11d777e 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
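Review bot: `if ( context ) krb5_free_context(context);` at `failed:` reads `context`, but `krb5_context context;` is declared without an initializer (visible in the a834a73e hunk above), so when `krb5_init_context` fails and the code jumps to `failed:` the test evaluates an indeterminate value — unless the library guarantees to null the out-pointer on failure, which this code should not rely on. The robust fix belongs at the declaration, outside this hunk: `krb5_context context = NULL;`. With that in place the guard added here is correct and the original segfault stays fixed.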
@@ -94,7 +94,7 @@ cleanup_princ: /* get a kerberos5 ticket for the given service */ -DATA_BLOB krb5_get_ticket(char *principal, time_t time_offset) +DATA_BLOB krb5_get_ticket(const char *principal, time_t time_offset) { krb5_error_code retval; krb5_data packet; -- cgit From 48dc324cd1a477454ea2fb79a3711e031617a5b6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 4 Jan 2003 09:06:46 +0000 Subject: Merge from HEAD - vl's fix to my const patch. Also update the 'not have_krb5' case. Andrew Bartlett (This used to be commit 8129529c4faec5ea630acf70b7514a3efc0fbdcf) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index a7b11d777e..cca2a9cd3a 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -156,7 +156,7 @@ failed: #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ - DATA_BLOB krb5_get_ticket(char *principal, time_t time_offset) + DATA_BLOB krb5_get_ticket(const char *principal, time_t time_offset) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return data_blob(NULL, 0); -- cgit From 812e093f026a3575f00633c8d4d63b8bdb8a1bcb Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 19 Jan 2003 22:27:32 +0000 Subject: Merge in more of the SuSE patches for Heimdal. These changes show how to add a function without an explicit #ifdef HEIMDAL which I'm trying to avoid. Jeremy. (This used to be commit 92ecd0bf0fe2cc4f6c86ca48e6e458e726470a50) --- source3/libsmb/clikrb5.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index cca2a9cd3a..20d0906e71 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -2,6 +2,7 @@ Unix SMB/CIFS implementation. simple kerberos5 routines for active directory Copyright (C) Andrew Tridgell 2001 + Copyright (C) Luke Howard 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -21,6 +22,34 @@ #include "includes.h" #ifdef HAVE_KRB5 + +#ifndef KRB5_SET_REAL_TIME +/* + * This function is not in the Heimdal mainline. + */ +krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds) +{ + krb5_error_code ret; + int32_t sec, usec; + + ret = krb5_us_timeofday(context, &sec, &usec); + if (ret) + return ret; + + context->kdc_sec_offset = seconds - sec; + context->kdc_usec_offset = microseconds - usec; + + return 0; +} +#endif + +#if defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) && !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES) +krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc) +{ + return krb5_set_default_in_tkt_etypes(ctx, enc); +} +#endif + /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ -- cgit From 51d3f6175041a3bf2d292997f137f129aaca83fb Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Mon, 20 Jan 2003 19:37:11 +0000 Subject: should be HAVE_KRB5_SET_REAL_TIME (HAVE_ was missing)...fix the build (This used to be commit 9f1f3cb8bb3d7d9b4fb414b06ad10356f775bb28) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 20d0906e71..8b89763c3f 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -23,7 +23,7 @@ #ifdef HAVE_KRB5 -#ifndef KRB5_SET_REAL_TIME +#ifndef HAVE_KRB5_SET_REAL_TIME /* * This function is not in the Heimdal mainline. */ -- cgit From b0aadff2020886cbc2a35bf115e6c359ff28d870 Mon Sep 17 00:00:00 2001 
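Review bot: The Heimdal substitute for `krb5_set_real_time` writes `context->kdc_sec_offset` and `context->kdc_usec_offset` directly, i.e. it depends on the layout of Heimdal's private `krb5_context` structure rather than on a public API, so it can break or silently misbehave on a Heimdal upgrade without any compile-time signal. A comment at the definition should say so: `/* Pokes Heimdal's private krb5_context fields; re-check kdc_sec_offset/kdc_usec_offset against the installed Heimdal on every upgrade */`. The `krb5_set_default_tgs_ktypes` shim below maps to `krb5_set_default_in_tkt_etypes`; whether Heimdal applies that etype list to TGS requests as well as the initial request is worth confirming and recording in a comment too.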
From: Jeremy Allison Date: Tue, 21 Jan 2003 06:23:49 +0000 Subject: More fixes getting us closer to full Heimdal compile.... Jeremy. (This used to be commit a7ee6ed64500a0d949849da6996b7dc837518f00) --- source3/libsmb/clikrb5.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 8b89763c3f..b56de62730 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -50,6 +50,26 @@ krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype } #endif +#if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) +/* HEIMDAL */ +void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr) +{ + pkaddr->addr_type = KRB5_ADDRESS_INET; + pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr); + pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr); +} +#elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) +/* MIT */ +void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr) +{ + pkaddr->addrtype = ADDRTYPE_INET; + pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr); + pkaddr->contents = (char *)&(((struct sockaddr_in *)paddr)->sin_addr); +} +#else +__ERROR__XX__UNKNOWN_ADDRTYPE +#endif + /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ -- cgit From 18c2948bc536552ed2949f8fe1d06a72b9cc66dd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 21 Jan 2003 13:33:31 +0000 Subject: Fixup proto generation to not include krb5 specific symbols if no kerberos selected. Noticed by Metze. Jeremy. (This used to be commit 0c98f779f05431ac4d298c9f021fca85d16aebae) --- source3/libsmb/clikrb5.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index b56de62730..2047efd704 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
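Review bot: Both `setup_kaddr` variants cast `paddr` to `struct sockaddr_in *` and copy `sin_addr` without checking `paddr->sa_family`, so an AF_INET6 or other sockaddr is silently turned into four bytes taken from the wrong structure and labelled as an IPv4 krb5_address. Since the function is void it cannot report this; at minimum guard it and make the failure visible, e.g. `if (paddr->sa_family != AF_INET) { DEBUG(0,("setup_kaddr: unsupported address family %d\n", paddr->sa_family)); return; }` after zeroing `*pkaddr`, or change the return type so callers can fail. The `(char *)` cast on the MIT `contents` assignment hides the fact that the two libraries declare the field differently; a short comment noting that would help the next reader.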
@@ -27,7 +27,7 @@ /* * This function is not in the Heimdal mainline. */ -krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds) + krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds) { krb5_error_code ret; int32_t sec, usec; @@ -44,7 +44,7 @@ krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_ #endif #if defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) && !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES) -krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc) + krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc) { return krb5_set_default_in_tkt_etypes(ctx, enc); } @@ -52,7 +52,7 @@ krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* HEIMDAL */ -void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr) + void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr) { pkaddr->addr_type = KRB5_ADDRESS_INET; pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr); @@ -60,14 +60,14 @@ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr) } #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ -void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr) + void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr) { pkaddr->addrtype = ADDRTYPE_INET; pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr); pkaddr->contents = (char *)&(((struct sockaddr_in *)paddr)->sin_addr); } #else -__ERROR__XX__UNKNOWN_ADDRTYPE + __ERROR__XX__UNKNOWN_ADDRTYPE #endif /* -- cgit From e545fe3c0aa1901026d5d11fa48d084e4cecde40 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Tue, 21 Jan 2003 20:43:26 +0000 Subject: Get closer to Heimdal compile... Damn. HEAD has different code in kerberos_verify... Jeremy. (This used to be commit e8c4098da619a1429cc4c8251761333a7c0f3458) --- source3/libsmb/clikrb5.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 2047efd704..c948431509 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -70,6 +70,54 @@ __ERROR__XX__UNKNOWN_ADDRTYPE #endif +#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) + int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key) +{ + int ret; + krb5_data salt, + krb5_encrypt_block eblock; + + ret = krb5_principal2salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); + return ret; + } + krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); + return krb5_string_to_key(context, &eblock, key, password, &salt); +} +#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) + int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key) +{ + int ret; + krb5_salt salt; + + ret = krb5_get_pw_salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); + return ret; + } + return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data, + salt, key); +} +#else + __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS +#endif + +#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) + krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, + krb5_auth_context auth_context, + krb5_keyblock *keyblock) +{ + return krb5_auth_con_setkey(context, auth_context, keyblock); +} +#endif + /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ -- cgit From c79eccad91705526c69ff6bca14060718138c570 Mon Sep 17 00:00:00 2001 
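Review bot: `create_kerberos_key_from_string` leaks the salt in both branches: on MIT `krb5_principal2salt` allocates `salt.data`, and on Heimdal `krb5_get_pw_salt` allocates the `krb5_salt`, but neither is released before the `krb5_string_to_key*` result is returned. Capture the result, free the salt, then return, as below. The same code reappears unchanged in the re-applies 6cf8ac01 and f6fbf0c9 and gains an `enctype` parameter in 83a11f7f further down this page, so the leak survives all of them.
```c
	krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5);
	ret = krb5_string_to_key(context, &eblock, key, password, &salt);
	krb5_free_data_contents(context, &salt);
	return ret;
}
#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
	/* … unchanged: signature, locals, krb5_get_pw_salt and its error check … */
	ret = krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data,
				      salt, key);
	krb5_free_salt(context, salt);
	return ret;
```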
From: Tim Potter Date: Wed, 22 Jan 2003 23:32:33 +0000 Subject: Merge of kerberos changes to make this branch build again! (This used to be commit 51b319f57f28e3993919d7f3db0251a724902332) --- source3/libsmb/clikrb5.c | 48 ------------------------------------------------ 1 file changed, 48 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index c948431509..2047efd704 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -70,54 +70,6 @@ __ERROR__XX__UNKNOWN_ADDRTYPE #endif -#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) - int create_kerberos_key_from_string(krb5_context context, - krb5_principal host_princ, - krb5_data *password, - krb5_keyblock *key) -{ - int ret; - krb5_data salt, - krb5_encrypt_block eblock; - - ret = krb5_principal2salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); - return ret; - } - krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); - return krb5_string_to_key(context, &eblock, key, password, &salt); -} -#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) - int create_kerberos_key_from_string(krb5_context context, - krb5_principal host_princ, - krb5_data *password, - krb5_keyblock *key) -{ - int ret; - krb5_salt salt; - - ret = krb5_get_pw_salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); - return ret; - } - return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data, - salt, key); -} -#else - __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS -#endif - -#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) - krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock *keyblock) -{ - return krb5_auth_con_setkey(context, auth_context, keyblock); -} -#endif - /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ -- cgit From 6cf8ac019ec5022455de7ec80e798baf552e291f Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Thu, 23 Jan 2003 18:15:18 +0000 Subject: Thanks Meeester Potter, for reverting *all* my Heimdal changes because I mistyped a comma :-). Jeremy. (This used to be commit 04cc149c756c396012cfa321a74724b077302b95) --- source3/libsmb/clikrb5.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 2047efd704..663f6a8454 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -70,6 +70,54 @@ __ERROR__XX__UNKNOWN_ADDRTYPE #endif +#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) + int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key) +{ + int ret; + krb5_data salt; + krb5_encrypt_block eblock; + + ret = krb5_principal2salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); + return ret; + } + krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); + return krb5_string_to_key(context, &eblock, key, password, &salt); +} +#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) + int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key) +{ + int ret; + krb5_salt salt; + + ret = krb5_get_pw_salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); + return ret; + } + return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data, + salt, key); +} +#else + __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS +#endif + +#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) + krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, + krb5_auth_context auth_context, + krb5_keyblock *keyblock) +{ + return krb5_auth_con_setkey(context, auth_context, keyblock); +} +#endif + /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ -- cgit From 755e33ee3f25884096d3fa2ac4bd4cf64a794903 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Tue, 28 Jan 2003 00:33:21 +0000 Subject: Get smbd to link with Heimdal. Still missing some client progs... Jeremy. (This used to be commit 85dda434763bbcea260c800599e4b6b73afcf174) --- source3/libsmb/clikrb5.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 663f6a8454..24a24c66a6 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -118,6 +118,28 @@ } #endif + void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt) +{ +#if defined(HAVE_KRB5_TKT_ENC_PART2) + if (tkt->enc_part2) + *auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents, + tkt->enc_part2->authorization_data[0]->length); +#else + if (tkt->ticket.authorization_data && tkt->ticket.authorization_data->len) + *auth_data = data_blob(tkt->ticket.authorization_data->val->ad_data.data, + tkt->ticket.authorization_data->val->ad_data.length); +#endif +} + + krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt) +{ +#if defined(HAVE_KRB5_TKT_ENC_PART2) + return tkt->enc_part2->client; +#else + return tkt->client; +#endif +} + /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ -- cgit From b1bce451411486525e72ec71c5fd37fc0b463add Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 28 Jan 2003 03:31:33 +0000 Subject: Finally we compile with Heimdal as well as MIT ! Wonder if it works... :-). Jeremy. (This used to be commit 1b71786c161cd8ec4c3c0c6b178370ed50feeef4) --- source3/libsmb/clikrb5.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 24a24c66a6..203d9d874b 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
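Review bot: In the MIT branch of `get_auth_data_from_tkt`, `tkt->enc_part2->authorization_data[0]->contents` is reached after checking only `enc_part2`; `authorization_data` is a NULL-terminated array that is NULL for a ticket carrying no authorization data, so any such ticket (one without a PAC) dereferences NULL here. `*auth_data` is also never assigned when nothing is found, leaving the caller's DATA_BLOB indeterminate. Start with `*auth_data = data_blob(NULL, 0);` and widen the test to `if (tkt->enc_part2 && tkt->enc_part2->authorization_data && tkt->enc_part2->authorization_data[0])`; `get_principal_from_tkt` below has the same unguarded `enc_part2` dereference. The identical code is re-added by f6fbf0c9 further down the page.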
@@ -140,6 +140,58 @@ #endif } +#if !defined(HAVE_KRB5_LOCATE_KDC) + krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters) +{ + krb5_krbhst_handle hnd; + krb5_krbhst_info *hinfo; + krb5_error_code rc; + int num_kdcs, i; + struct sockaddr *sa; + + *addr_pp = NULL; + *naddrs = 0; + + rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd); + if (rc) { + DEBUG(0, ("krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc))); + return rc; + } + + for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++) + ; + + krb5_krbhst_reset(ctx, hnd); + + if (!num_kdcs) { + DEBUG(0, ("krb5_locate_kdc: zero kdcs found !\n")); + krb5_krbhst_free(ctx, hnd); + return -1; + } + + sa = malloc( sizeof(struct sockaddr) * num_kdcs ); + if (!sa) { + DEBUG(0, ("krb5_locate_kdc: malloc failed\n")); + krb5_krbhst_free(ctx, hnd); + naddrs = 0; + return -1; + } + + memset(*addr_pp, '\0', sizeof(struct sockaddr) * num_kdcs ); + + for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) { + if (hinfo->ai->ai_family == AF_INET) + memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr)); + } + + krb5_krbhst_free(ctx, hnd); + + *naddrs = num_kdcs; + *addr_pp = sa; + return 0; +} +#endif + /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ -- cgit From cf292aead6bdcced9deac62c50b25e83779d9741 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 30 Jan 2003 04:40:12 +0000 Subject: Sync of Heimdal kerberos stuff with HEAD. If this breaks I'm blaming the dog again. (This used to be commit 6f89ee2c9dc7f03e3dbe7aa734bf67c6a434d135) --- source3/libsmb/clikrb5.c | 122 ----------------------------------------------- 1 file changed, 122 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 203d9d874b..2047efd704 100644 --- a/source3/libsmb/clikrb5.c 
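Review bot: `memset(*addr_pp, '\0', sizeof(struct sockaddr) * num_kdcs );` in the Heimdal `krb5_locate_kdc` zeroes through `*addr_pp`, which this function set to NULL a few lines earlier, so every call that finds a KDC writes through a null pointer; the buffer to zero is `sa`. In the malloc-failure path `naddrs = 0;` assigns the pointer parameter instead of `*naddrs`, and in both for-conditions `(rc = krb5_krbhst_next(...) == 0)` stores the comparison result in `rc` rather than the error code. If `hinfo->ai` is only populated by `krb5_krbhst_get_addrinfo`, as I believe it is in Heimdal, the `hinfo->ai->ai_family` test also needs that call (or a NULL check) first — worth confirming against the installed headers. The same block is re-added unchanged by f6fbf0c9 further down the page.
```c
	for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo)) == 0; num_kdcs++)
		;
	/* … unchanged: krb5_krbhst_reset, zero-kdc check, malloc and its DEBUG … */
		*naddrs = 0;
	/* … unchanged: return -1 and closing brace of the malloc-failure branch … */
	memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );

	for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo)) == 0; i++) {
	/* … unchanged: AF_INET copy, krb5_krbhst_free, output assignments … */
```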
+++ b/source3/libsmb/clikrb5.c 
@@ -70,128 +70,6 @@ __ERROR__XX__UNKNOWN_ADDRTYPE #endif -#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) - int create_kerberos_key_from_string(krb5_context context, - krb5_principal host_princ, - krb5_data *password, - krb5_keyblock *key) -{ - int ret; - krb5_data salt; - krb5_encrypt_block eblock; - - ret = krb5_principal2salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); - return ret; - } - krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); - return krb5_string_to_key(context, &eblock, key, password, &salt); -} -#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) - int create_kerberos_key_from_string(krb5_context context, - krb5_principal host_princ, - krb5_data *password, - krb5_keyblock *key) -{ - int ret; - krb5_salt salt; - - ret = krb5_get_pw_salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); - return ret; - } - return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data, - salt, key); -} -#else - __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS -#endif - -#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) - krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, - krb5_auth_context auth_context, - krb5_keyblock *keyblock) -{ - return krb5_auth_con_setkey(context, auth_context, keyblock); -} -#endif - - void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt) -{ -#if defined(HAVE_KRB5_TKT_ENC_PART2) - if (tkt->enc_part2) - *auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents, - tkt->enc_part2->authorization_data[0]->length); -#else - if (tkt->ticket.authorization_data && tkt->ticket.authorization_data->len) - *auth_data = data_blob(tkt->ticket.authorization_data->val->ad_data.data, - tkt->ticket.authorization_data->val->ad_data.length); -#endif -} - - 
krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt) -{ -#if defined(HAVE_KRB5_TKT_ENC_PART2) - return tkt->enc_part2->client; -#else - return tkt->client; -#endif -} - -#if !defined(HAVE_KRB5_LOCATE_KDC) - krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters) -{ - krb5_krbhst_handle hnd; - krb5_krbhst_info *hinfo; - krb5_error_code rc; - int num_kdcs, i; - struct sockaddr *sa; - - *addr_pp = NULL; - *naddrs = 0; - - rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd); - if (rc) { - DEBUG(0, ("krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc))); - return rc; - } - - for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++) - ; - - krb5_krbhst_reset(ctx, hnd); - - if (!num_kdcs) { - DEBUG(0, ("krb5_locate_kdc: zero kdcs found !\n")); - krb5_krbhst_free(ctx, hnd); - return -1; - } - - sa = malloc( sizeof(struct sockaddr) * num_kdcs ); - if (!sa) { - DEBUG(0, ("krb5_locate_kdc: malloc failed\n")); - krb5_krbhst_free(ctx, hnd); - naddrs = 0; - return -1; - } - - memset(*addr_pp, '\0', sizeof(struct sockaddr) * num_kdcs ); - - for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) { - if (hinfo->ai->ai_family == AF_INET) - memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr)); - } - - krb5_krbhst_free(ctx, hnd); - - *naddrs = num_kdcs; - *addr_pp = sa; - return 0; -} -#endif - /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ -- cgit From f6fbf0c9dbe859603ed7bc5d08844dda195d3b98 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 30 Jan 2003 18:01:03 +0000 Subject: Revert tpot's breakage of the Heimdal fixes. Jeremy. (This used to be commit 90336900ad2a6d50e1d42f7bc59fdc7c762187d3) --- source3/libsmb/clikrb5.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 122 insertions(+) (limited to 'source3/libsmb/clikrb5.c') 
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 2047efd704..203d9d874b 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -70,6 +70,128 @@ __ERROR__XX__UNKNOWN_ADDRTYPE #endif +#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) + int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key) +{ + int ret; + krb5_data salt; + krb5_encrypt_block eblock; + + ret = krb5_principal2salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); + return ret; + } + krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); + return krb5_string_to_key(context, &eblock, key, password, &salt); +} +#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) + int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key) +{ + int ret; + krb5_salt salt; + + ret = krb5_get_pw_salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); + return ret; + } + return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data, + salt, key); +} +#else + __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS +#endif + +#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) + krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, + krb5_auth_context auth_context, + krb5_keyblock *keyblock) +{ + return krb5_auth_con_setkey(context, auth_context, keyblock); +} +#endif + + void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt) +{ +#if defined(HAVE_KRB5_TKT_ENC_PART2) + if (tkt->enc_part2) + *auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents, + tkt->enc_part2->authorization_data[0]->length); +#else + if (tkt->ticket.authorization_data && tkt->ticket.authorization_data->len) + *auth_data = data_blob(tkt->ticket.authorization_data->val->ad_data.data, + tkt->ticket.authorization_data->val->ad_data.length); +#endif +} + + 
krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt) +{ +#if defined(HAVE_KRB5_TKT_ENC_PART2) + return tkt->enc_part2->client; +#else + return tkt->client; +#endif +} + +#if !defined(HAVE_KRB5_LOCATE_KDC) + krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters) +{ + krb5_krbhst_handle hnd; + krb5_krbhst_info *hinfo; + krb5_error_code rc; + int num_kdcs, i; + struct sockaddr *sa; + + *addr_pp = NULL; + *naddrs = 0; + + rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd); + if (rc) { + DEBUG(0, ("krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc))); + return rc; + } + + for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++) + ; + + krb5_krbhst_reset(ctx, hnd); + + if (!num_kdcs) { + DEBUG(0, ("krb5_locate_kdc: zero kdcs found !\n")); + krb5_krbhst_free(ctx, hnd); + return -1; + } + + sa = malloc( sizeof(struct sockaddr) * num_kdcs ); + if (!sa) { + DEBUG(0, ("krb5_locate_kdc: malloc failed\n")); + krb5_krbhst_free(ctx, hnd); + naddrs = 0; + return -1; + } + + memset(*addr_pp, '\0', sizeof(struct sockaddr) * num_kdcs ); + + for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) { + if (hinfo->ai->ai_family == AF_INET) + memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr)); + } + + krb5_krbhst_free(ctx, hnd); + + *naddrs = num_kdcs; + *addr_pp = sa; + return 0; +} +#endif + /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ -- cgit From d08116ffcbe51c51c338f044e4f9389d3e4c10d5 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Tue, 18 Feb 2003 20:57:29 +0000 Subject: Sync w/HEAD - add DES_CBC_CRC encryption type (This used to be commit c7934f5cb56d54a90c9ffdbe2f7429a3c9227abe) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') 
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 203d9d874b..e380d80bcc 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -278,6 +278,7 @@ DATA_BLOB krb5_get_ticket(const char *principal, time_t time_offset) ENCTYPE_ARCFOUR_HMAC, #endif ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES_CBC_CRC, ENCTYPE_NULL}; retval = krb5_init_context(&context); @@ -324,7 +325,6 @@ failed: return data_blob(NULL, 0); } - #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ DATA_BLOB krb5_get_ticket(const char *principal, time_t time_offset) -- cgit From 83a11f7f0e4331602acefcb3324be6f35f1fef0e Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Wed, 19 Feb 2003 15:48:12 +0000 Subject: Sync with HEAD for verifying kerberos tickets. (This used to be commit 77e1178a888f0d380a5ef94911a8f07bf04a7ba3) --- source3/libsmb/clikrb5.c | 37 +++++++++++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 4 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index e380d80bcc..96e737166c 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -74,7 +74,8 @@ int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, - krb5_keyblock *key) + krb5_keyblock *key, + krb5_enctype enctype) { int ret; krb5_data salt; @@ -85,14 +86,15 @@ DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); return ret; } - krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); + krb5_use_enctype(context, &eblock, enctype); return krb5_string_to_key(context, &eblock, key, password, &salt); } #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, - krb5_keyblock *key) + krb5_keyblock *key, + krb5_enctype enctype) { int ret; krb5_salt salt; 
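Review bot: Adding `ENCTYPE_DES_CBC_CRC` to `enc_types` widens the session-key types this client will accept to single DES with a CRC-32 checksum, which detects transmission errors but provides no cryptographic integrity; if a particular DC needs it, a comment such as `/* DES-CBC-CRC: needed for interop with <DC type> (TODO confirm); weakest entry, keep it last */` would stop it being carried forward unexamined. The list appears to be in preference order for `krb5_set_default_tgs_ktypes`, so it is at least tried last. krb5_get_ticket starts and ends outside the hunk.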
@@ -102,13 +104,40 @@ DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); return ret; } - return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data, + return krb5_string_to_key_salt(context, enctype, password->data, salt, key); } #else __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS #endif +#if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES) +krb5_error_code get_kerberos_allowed_etypes(krb5_context context, + krb5_enctype **enctypes) +{ + return krb5_get_permitted_enctypes(context, enctypes); +} +#elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES) +krb5_error_code get_kerberos_allowed_etypes(krb5_context context, + krb5_enctype **enctypes) +{ + return krb5_get_default_in_tkt_etypes(context, enctypes); +} +#else + __ERROR_XX_UNKNOWN_GET_ENCTYPES_FUNCTIONS +#endif + + void free_kerberos_etypes(krb5_context context, + krb5_enctype *enctypes) +{ +#if defined(HAVE_KRB5_FREE_KTYPES) + return krb5_free_ktypes(context, enctypes); +#else + SAFE_FREE(enctypes); + return; +#endif +} + #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, -- cgit From 217945cfc824ac0209738246d48ef2ece487f59b Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Fri, 21 Feb 2003 14:38:14 +0000 Subject: Fix IRIX build...void fn can't return another void fn (This used to be commit e0c1f9ef61a0ec4f06a0b0e257497943195b5297) --- source3/libsmb/clikrb5.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 96e737166c..bef6998a49 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
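Review bot: get_kerberos_allowed_etypes hands back a list whose ownership rules differ per library (krb5_get_permitted_enctypes versus krb5_get_default_in_tkt_etypes), and nothing at the definition tells a caller that it must be released with the matching free_kerberos_etypes rather than free(). A header comment would pin the contract: `/* *enctypes is allocated by the krb5 library; release it with free_kerberos_etypes(), never free() or SAFE_FREE() */`. The same note belongs on free_kerberos_etypes, whose SAFE_FREE fallback is only correct for libraries that allocate the list with plain malloc, which this hunk cannot confirm.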
@@ -131,7 +131,8 @@ krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype *enctypes) { #if defined(HAVE_KRB5_FREE_KTYPES) - return krb5_free_ktypes(context, enctypes); + krb5_free_ktypes(context, enctypes); + return; #else SAFE_FREE(enctypes); return; -- cgit From ec458fa87e3ee858be39671f575e21a9350674b6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 17 Mar 2003 22:45:16 +0000 Subject: Merge from HEAD - sync up SessionSetup code to HEAD, including Luke Howard's session key and auth verifier patches. Andrew Bartlett (This used to be commit 3f9616a68a855acbae3f405c27ee2358fbe7ba2c) --- source3/libsmb/clikrb5.c | 52 +++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 43 insertions(+), 9 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index bef6998a49..5edc56daa9 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -2,7 +2,7 @@ Unix SMB/CIFS implementation. simple kerberos5 routines for active directory Copyright (C) Andrew Tridgell 2001 - Copyright (C) Luke Howard 2002 + Copyright (C) Luke Howard 2002-2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -23,6 +23,16 @@ #ifdef HAVE_KRB5 +#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE +#define KRB5_KEY_TYPE(k) ((k)->keytype) +#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length) +#define KRB5_KEY_DATA(k) ((k)->keyvalue.data) +#else +#define KRB5_KEY_TYPE(k) ((k)->enctype) +#define KRB5_KEY_LENGTH(k) ((k)->length) +#define KRB5_KEY_DATA(k) ((k)->contents) +#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ + #ifndef HAVE_KRB5_SET_REAL_TIME /* * This function is not in the Heimdal mainline. 
@@ -124,7 +134,7 @@ krb5_error_code get_kerberos_allowed_etypes(krb5_context context, return krb5_get_default_in_tkt_etypes(context, enctypes); } #else - __ERROR_XX_UNKNOWN_GET_ENCTYPES_FUNCTIONS +#error UNKNOWN_GET_ENCTYPES_FUNCTIONS #endif void free_kerberos_etypes(krb5_context context, @@ -305,12 +315,12 @@ DATA_BLOB krb5_get_ticket(const char *principal, time_t time_offset) DATA_BLOB ret; krb5_enctype enc_types[] = { #ifdef ENCTYPE_ARCFOUR_HMAC - ENCTYPE_ARCFOUR_HMAC, -#endif - ENCTYPE_DES_CBC_MD5, - ENCTYPE_DES_CBC_CRC, - ENCTYPE_NULL}; - + ENCTYPE_ARCFOUR_HMAC, +#endif + ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES_CBC_CRC, + ENCTYPE_NULL}; + retval = krb5_init_context(&context); if (retval) { DEBUG(1,("krb5_init_context failed (%s)\n", @@ -355,11 +365,35 @@ failed: return data_blob(NULL, 0); } + BOOL krb5_get_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16]) + { +#ifdef ENCTYPE_ARCFOUR_HMAC + krb5_keyblock *skey; +#endif + BOOL ret = False; + + memset(session_key, 0, 16); + +#ifdef ENCTYPE_ARCFOUR_HMAC + if (krb5_auth_con_getremotesubkey(context, auth_context, &skey) == 0 && skey != NULL) { + if (KRB5_KEY_TYPE(skey) == + ENCTYPE_ARCFOUR_HMAC + && KRB5_KEY_LENGTH(skey) == 16) { + memcpy(session_key, KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); + ret = True; + } + krb5_free_keyblock(context, skey); + } +#endif /* ENCTYPE_ARCFOUR_HMAC */ + + return ret; + } #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ - DATA_BLOB krb5_get_ticket(const char *principal, time_t time_offset) +DATA_BLOB krb5_get_ticket(const char *principal, time_t time_offset) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return data_blob(NULL, 0); } + #endif -- cgit From 4f276f969633f3c39e3ffc609b167930ff7fd42c Mon Sep 17 00:00:00 2001 
From: Jim McDonough Date: Fri, 30 May 2003 20:11:34 +0000 Subject: More on bug 137: rename more of krb5_xxx functions to not start with krb5_ (This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d) --- source3/libsmb/clikrb5.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 5edc56daa9..df6043a618 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -235,12 +235,12 @@ krb5_error_code get_kerberos_allowed_etypes(krb5_context context, /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ -static krb5_error_code krb5_mk_req2(krb5_context context, - krb5_auth_context *auth_context, - const krb5_flags ap_req_options, - const char *principal, - krb5_ccache ccache, - krb5_data *outbuf) +static krb5_error_code ads_krb5_mk_req(krb5_context context, + krb5_auth_context *auth_context, + const krb5_flags ap_req_options, + const char *principal, + krb5_ccache ccache, + krb5_data *outbuf) { krb5_error_code retval; krb5_principal server; @@ -305,7 +305,7 @@ cleanup_princ: /* get a kerberos5 ticket for the given service */ -DATA_BLOB krb5_get_ticket(const char *principal, time_t time_offset) +DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset) { krb5_error_code retval; krb5_data packet; @@ -344,11 +344,11 @@ DATA_BLOB krb5_get_ticket(const char *principal, time_t time_offset) goto failed; } - if ((retval = krb5_mk_req2(context, - &auth_context, - 0, - principal, - ccdef, &packet))) { + if ((retval = ads_krb5_mk_req(context, + &auth_context, + 0, + principal, + ccdef, &packet))) { goto failed; } 
@@ -365,7 +365,7 @@ failed: return data_blob(NULL, 0); } - BOOL krb5_get_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16]) + BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16]) { #ifdef ENCTYPE_ARCFOUR_HMAC krb5_keyblock *skey; @@ -390,7 +390,7 @@ failed: } #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ -DATA_BLOB krb5_get_ticket(const char *principal, time_t time_offset) +DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return data_blob(NULL, 0); -- cgit From 1d008cd2cb2bf1821bca72328ef33aa76318e282 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jun 2003 03:48:09 +0000 Subject: use ZERO_STRUCT() instead of memset (This used to be commit 082084042307f5f7d532b28debdeac11753a05f9) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index df6043a618..fd5dd91325 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -255,7 +255,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, } /* obtain ticket & session key */ - memset((char *)&creds, 0, sizeof(creds)); + ZERO_STRUCT(creds); if ((retval = krb5_copy_principal(context, server, &creds.server))) { DEBUG(1,("krb5_copy_principal failed (%s)\n", error_message(retval))); -- cgit From 8c38bb75b74ef7a4f40a5490102c77ab7d5fa0ac Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 16 Jul 2003 19:17:33 +0000 Subject: Add krb5_princ_component to Heimdal. Remove cli_ from mark packet signed. Jeremy. (This used to be commit dd46f8b22d6e8411081a1279e1cd32929e40370b) --- source3/libsmb/clikrb5.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'source3/libsmb/clikrb5.c') 
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index fd5dd91325..ba8ba11368 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -388,6 +388,19 @@ failed: return ret; } + + +#if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT) + const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i ) +{ + static krb5_data kdata; + + kdata.data = krb5_principal_get_comp_string(context, principal, i); + kdata.length = strlen(kdata.data); + return &kdata; +} +#endif + #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset) -- cgit From 4632786cfb193dd80ce04206912297186e871814 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 25 Jul 2003 23:15:30 +0000 Subject: W00t! Client smb signing is now working correctly with krb5 and w2k server. Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00) --- source3/libsmb/clikrb5.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index ba8ba11368..beac8cb2c1 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -305,7 +305,7 @@ cleanup_princ: /* get a kerberos5 ticket for the given service */ -DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset) +DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, unsigned char session_key_krb5[16]) { krb5_error_code retval; krb5_data packet; 
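Review bot: The Heimdal shim krb5_princ_component returns the address of a function-local `static krb5_data kdata`, so any two callers that hold the result at the same time (or two threads) observe each other's component, and `strlen(kdata.data)` dereferences a NULL pointer if krb5_principal_get_comp_string returns NULL for an out-of-range `i`, which is how I would expect it to behave (not confirmable from this hunk). A minimal guard is `const char *s = krb5_principal_get_comp_string(context, principal, i);` / `if (s == NULL) return NULL;` / `kdata.data = (char *)s; kdata.length = strlen(s);`, and the header comment should state that the returned krb5_data is only valid until the next call. The cast also silently discards the const on the library's string, which is worth a comment so nobody writes through it.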
@@ -345,13 +345,15 @@ DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset) } if ((retval = ads_krb5_mk_req(context, - &auth_context, - 0, - principal, - ccdef, &packet))) { + &auth_context, + AP_OPTS_USE_SUBKEY, + principal, + ccdef, &packet))) { goto failed; } + get_krb5_smb_session_key(context, auth_context, session_key_krb5, False); + ret = data_blob(packet.data, packet.length); /* Hmm, heimdal dooesn't have this - what's the correct call? */ /* krb5_free_data_contents(context, &packet); */ @@ -365,17 +367,22 @@ failed: return data_blob(NULL, 0); } - BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16]) + BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16], BOOL remote) { #ifdef ENCTYPE_ARCFOUR_HMAC krb5_keyblock *skey; #endif BOOL ret = False; + krb5_error_code err; memset(session_key, 0, 16); #ifdef ENCTYPE_ARCFOUR_HMAC - if (krb5_auth_con_getremotesubkey(context, auth_context, &skey) == 0 && skey != NULL) { + if (remote) + err = krb5_auth_con_getremotesubkey(context, auth_context, &skey); + else + err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey); + if (err == 0 && skey != NULL) { if (KRB5_KEY_TYPE(skey) == ENCTYPE_ARCFOUR_HMAC && KRB5_KEY_LENGTH(skey) == 16) { @@ -403,7 +410,7 @@ failed: #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ -DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset) +DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, unsigned char session_key_krb5[16]) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return data_blob(NULL, 0); -- cgit From 05540b48f0dc6209bb67db62ba6d7a1f9c33b4de Mon Sep 17 00:00:00 2001 
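Review bot: The return value of `get_krb5_smb_session_key(context, auth_context, session_key_krb5, False)` is discarded, and that function zero-fills the 16-byte buffer before it tries to fetch the subkey, so when no usable subkey is available cli_krb5_get_ticket still returns a ticket together with an all-zero "session key" that the SMB signing code cannot distinguish from a real one. The outcome should reach the caller, e.g. `if (!get_krb5_smb_session_key(context, auth_context, session_key_krb5, False)) { DEBUG(1,("no krb5 session key obtained for %s\n", principal)); goto failed; }`, or at least be logged at a low debug level. Whether failing hard is acceptable depends on whether callers can fall back to an unsigned session, which is outside this hunk, as is the start of the function.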
From: Tim Potter Date: Mon, 4 Aug 2003 06:16:03 +0000 Subject: Fix unused variable warning. (This used to be commit 73d02e3a2b0f9e84ab6d8685e4ad6a03ef9249b2) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index beac8cb2c1..3fe6d6457a 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -371,9 +371,9 @@ failed: { #ifdef ENCTYPE_ARCFOUR_HMAC krb5_keyblock *skey; + krb5_error_code err; #endif BOOL ret = False; - krb5_error_code err; memset(session_key, 0, 16); -- cgit From 172766eea7a374e910ea91c857fcce45996783a2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 14 Aug 2003 01:08:00 +0000 Subject: Change Samba to always use extended security for it's guest logins, (ie, NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to all of Samba's clients. When connecting to an Active Directory DC, you must initiate the CIFS level session setup with Kerberos, not a guest login. If you don't, your machine account is demoted to NT4. Andrew Bartlett (This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77) --- source3/libsmb/clikrb5.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 3fe6d6457a..a18852a691 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -369,29 +369,27 @@ failed: BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16], BOOL remote) { -#ifdef ENCTYPE_ARCFOUR_HMAC krb5_keyblock *skey; krb5_error_code err; -#endif BOOL ret = False; memset(session_key, 0, 16); -#ifdef ENCTYPE_ARCFOUR_HMAC if (remote) err = krb5_auth_con_getremotesubkey(context, auth_context, &skey); else err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey); if (err == 0 && skey != NULL) { - if (KRB5_KEY_TYPE(skey) == - ENCTYPE_ARCFOUR_HMAC - && KRB5_KEY_LENGTH(skey) == 16) { + DEBUG(10, ("Got KRB5 session key of length %d\n", KRB5_KEY_LENGTH(skey))); + if (KRB5_KEY_LENGTH(skey) == 16) { memcpy(session_key, KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); + dump_data_pw("KRB5 Session Key:\n", session_key, 16); ret = True; } krb5_free_keyblock(context, skey); + } else { + DEBUG(10, ("KRB5 error getting session key %d\n", err)); } -#endif /* ENCTYPE_ARCFOUR_HMAC */ return ret; } -- cgit From 062f89bc2833bf49f873a7fd5c2624babd702db0 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Fri, 15 Aug 2003 01:42:30 +0000 Subject: get rid of some sompiler warnings on IRIX (This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index a18852a691..7e1801f555 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -74,7 +74,7 @@ { pkaddr->addrtype = ADDRTYPE_INET; pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr); - pkaddr->contents = (char *)&(((struct sockaddr_in *)paddr)->sin_addr); + pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr); } #else __ERROR__XX__UNKNOWN_ADDRTYPE -- cgit From c9aa836204eb722890cbd4d64248ff7ef1a50e60 Mon Sep 17 00:00:00 2001 
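Review bot: Dropping the `KRB5_KEY_TYPE(skey) == ENCTYPE_ARCFOUR_HMAC` test means any subkey that happens to be 16 bytes long — an AES-128 key, for instance, if the library negotiates one — is copied out and used as the SMB signing key with nothing recording which algorithm it belongs to; if that is intended, say so at the length check: `/* any 16-byte subkey is accepted; the SMB signing code treats it as an opaque 128-bit MAC key */`. The new `dump_data_pw("KRB5 Session Key:\n", session_key, 16)` writes live key material to the log; it is presumably gated on the same password-debug build switch as the other dump_data_pw calls, but that should be confirmed, because a debug log containing session keys is a credential leak. The function's closing lines are outside this hunk.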
From: Volker Lendecke Date: Fri, 15 Aug 2003 01:46:09 +0000 Subject: Fix memleaks. Currently I'm compiling against MIT Kerberos 1.2.8. Anthony, you said you have a heimdal installation available. Could you please compile this stuff with krb and check it with valgrind? Thanks, Volker (This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8) --- source3/libsmb/clikrb5.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 7e1801f555..1fccc04a01 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -97,7 +97,9 @@ return ret; } krb5_use_enctype(context, &eblock, enctype); - return krb5_string_to_key(context, &eblock, key, password, &salt); + ret = krb5_string_to_key(context, &eblock, key, password, &salt); + SAFE_FREE(salt.data); + return ret; } #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) int create_kerberos_key_from_string(krb5_context context, -- cgit From fcbfc7ad0669009957c65fa61bb20df75a9701b4 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sat, 22 Nov 2003 13:19:38 +0000 Subject: Changes all over the shop, but all towards: - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. 
- Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc) --- source3/libsmb/clikrb5.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 1fccc04a01..5568b5e033 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -307,7 +307,7 @@ cleanup_princ: /* get a kerberos5 ticket for the given service */ -DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, unsigned char session_key_krb5[16]) +DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *session_key_krb5) { krb5_error_code retval; krb5_data packet; @@ -369,7 +369,7 @@ failed: return data_blob(NULL, 0); } - BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16], BOOL remote) + BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote) { krb5_keyblock *skey; krb5_error_code err; @@ -383,11 +383,11 @@ failed: err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey); if (err == 0 && skey != NULL) { DEBUG(10, ("Got KRB5 session key of length %d\n", KRB5_KEY_LENGTH(skey))); - if (KRB5_KEY_LENGTH(skey) == 16) { - memcpy(session_key, KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); - dump_data_pw("KRB5 Session Key:\n", session_key, 16); - ret = True; - } + *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); + dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); + + ret = True; + krb5_free_keyblock(context, skey); } else { DEBUG(10, ("KRB5 error getting session key %d\n", err)); 
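Review bot: `*session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey))` is followed unconditionally by `ret = True`, so if data_blob yields an empty blob on allocation failure (its behaviour is not visible here) the caller is told it has a session key of length zero. Tying success to the copy is cheap: `ret = (session_key->length == KRB5_KEY_LENGTH(skey));`. The blob is also a heap copy of key material now owned by the caller, so the function's header comment should say who frees it and that it should be wiped before release; the header is outside this hunk.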
@@ -410,7 +410,7 @@ failed: #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ -DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, unsigned char session_key_krb5[16]) +DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *session_key_krb5) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return data_blob(NULL, 0); -- cgit From 7d068355aae99060acac03c6633509545aa782a4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 8 Jan 2004 08:19:18 +0000 Subject: This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d) --- source3/libsmb/clikrb5.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 5568b5e033..15b244a83d 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -307,14 +307,14 @@ cleanup_princ: /* get a kerberos5 ticket for the given service */ -DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *session_key_krb5) +int cli_krb5_get_ticket(const char *principal, time_t time_offset, + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5) { krb5_error_code retval; krb5_data packet; krb5_ccache ccdef; krb5_context context; krb5_auth_context auth_context = NULL; - DATA_BLOB ret; krb5_enctype enc_types[] = { #ifdef ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC, @@ -356,17 +356,18 @@ DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BL get_krb5_smb_session_key(context, auth_context, session_key_krb5, False); - ret = data_blob(packet.data, packet.length); + *ticket = data_blob(packet.data, packet.length); + /* Hmm, heimdal dooesn't have this - what's the correct call? */ -/* krb5_free_data_contents(context, &packet); */ - krb5_free_context(context); - return ret; +#ifdef HAVE_KRB5_FREE_DATA_CONTENTS + krb5_free_data_contents(context, &packet); +#endif failed: if ( context ) krb5_free_context(context); - return data_blob(NULL, 0); + return retval; } BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote) @@ -410,10 +411,11 @@ failed: #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ -DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *session_key_krb5) - { +int cli_krb5_get_ticket(const char *principal, time_t time_offset, + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5) +{ DEBUG(0,("NO KERBEROS SUPPORT\n")); - return data_blob(NULL, 0); - } + return 1; +} #endif -- cgit From 0859a89166089b505e447034e119a9bb0eba7ba8 Mon Sep 17 00:00:00 2001 
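Review bot: The AP-REQ buffer is released only under HAVE_KRB5_FREE_DATA_CONTENTS, so on a Heimdal build `packet.data` leaks on every ticket request once it has been copied into `*ticket`; Heimdal's equivalent is krb5_data_free, so an `#else` / `krb5_data_free(&packet);` / `#endif` branch (subject to a configure check for the symbol) closes the gap. Separately, on the error path `*ticket` and `*session_key_krb5` are left untouched, so callers must treat both as undefined unless the return is 0 — that deserves a one-line comment above the function, whose start is outside this hunk. Reaching the `failed:` label on success also reads oddly; a `done:` name would make the shared cleanup obvious.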
From: Jim McDonough Date: Wed, 14 Apr 2004 17:34:48 +0000 Subject: r219: Obtain new tickets if current ones are expired. Next part of fix for bug 1208. Based on a fix from Guether Deschener. Outstanding pieces: - Heimdal FILE-based ccaches don't actually remove creds properly, so we need to code a check for this - what if ticket expires between our check and when we use it? Guenther has coded up fixes for these parts, but I still need to review them, as I'm not totally comfortable with the solutions. (This used to be commit ef008b9710e682f87f0bbf526d30eb5114264233) --- source3/libsmb/clikrb5.c | 48 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 36 insertions(+), 12 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 15b244a83d..e957cbc91f 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -249,6 +249,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, krb5_creds * credsp; krb5_creds creds; krb5_data in_data; + BOOL have_creds = False; retval = krb5_parse_name(context, principal, &server); if (retval) { 
@@ -270,20 +271,43 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, goto cleanup_creds; } - if ((retval = krb5_get_credentials(context, 0, - ccache, &creds, &credsp))) { - DEBUG(1,("krb5_get_credentials failed for %s (%s)\n", - principal, error_message(retval))); - goto cleanup_creds; + while(!have_creds) { + if ((retval = krb5_get_credentials(context, 0, ccache, + &creds, &credsp))) { + DEBUG(1,("krb5_get_credentials failed for %s (%s)\n", + principal, error_message(retval))); + goto cleanup_creds; + } + + /* cope with ticket being in the future due to clock skew */ + if ((unsigned)credsp->times.starttime > time(NULL)) { + time_t t = time(NULL); + int time_offset =(unsigned)credsp->times.starttime-t; + DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset)); + krb5_set_real_time(context, t + time_offset + 1, 0); + } + + /* cope with expired tickets */ + if ((unsigned)credsp->times.endtime < time(NULL)) { + DEBUG(3,("Ticket (%s) in ccache (%s) has expired (%s - %d). 
Obtaining new ticket.\n", + principal, krb5_cc_default_name(context), + http_timestring( + (unsigned)credsp->times.endtime), + (unsigned)credsp->times.endtime)); + if ((retval = krb5_cc_remove_cred(context, ccache, 0, + credsp))) { + DEBUG(1,("krb5_cc_remove_cred failed for %s (%s)\n", + principal, error_message(retval))); + } + } else { + have_creds = True; + } } - /* cope with the ticket being in the future due to clock skew */ - if ((unsigned)credsp->times.starttime > time(NULL)) { - time_t t = time(NULL); - int time_offset = (unsigned)credsp->times.starttime - t; - DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset)); - krb5_set_real_time(context, t + time_offset + 1, 0); - } + DEBUG(10,("Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n", + principal, krb5_cc_default_name(context), + http_timestring((unsigned)credsp->times.endtime), + (unsigned)credsp->times.endtime)); in_data.length = 0; retval = krb5_mk_req_extended(context, auth_context, ap_req_options, -- cgit From 3c62df47809865daf80c215135d46c722992134b Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Wed, 14 Apr 2004 19:06:45 +0000 Subject: r221: Remainder of bug 1208. We do not remove creds from _any_ FILE ccache, because not only does it not work on Heimdal, but also since ccaches created within samba are memory-based, so we shouldn't touch a FILE-based one (it was probably created via kinit or similar). (This used to be commit 5971b0980ca8abae2208f22485c5af4c0dde0459) --- source3/libsmb/clikrb5.c | 57 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 40 insertions(+), 17 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index e957cbc91f..81797a7bfc 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
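Review bot: Each pass of the new `while(!have_creds)` loop calls krb5_get_credentials again, which allocates a fresh `credsp`, but the previous one is never released with krb5_free_creds before it is overwritten, so every expired-ticket retry leaks a krb5_creds. The clock-skew workaround is also unbounded: any `starttime` in the future makes krb5_set_real_time advance this process's Kerberos clock by that amount, so a ticket post-dated by hours is simply accepted rather than rejected; clamping the adjustment to the conventional five-minute skew window, e.g. `if (time_offset > 300) { retval = KRB5KRB_AP_ERR_SKEW; goto cleanup_creds; }`, would keep the workaround from becoming a general bypass. Whether the loop can spin forever when krb5_cc_remove_cred fails depends on krb5_get_credentials returning the same cached entry again, which this hunk cannot show; the enclosing function begins before it.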
@@ -234,6 +234,42 @@ krb5_error_code get_kerberos_allowed_etypes(krb5_context context, } #endif +static BOOL ads_cleanup_expired_creds(krb5_context context, + krb5_ccache ccache, + krb5_creds *credsp) +{ + krb5_error_code retval; + + DEBUG(3, ("Ticket in ccache[%s] expiration %s\n", + krb5_cc_default_name(context), + http_timestring(credsp->times.endtime))); + + /* we will probably need new tickets if the current ones + will expire within 10 seconds. + */ + if (credsp->times.endtime >= (time(NULL) + 10)) + return False; + + /* heimdal won't remove creds from a file ccache, and + perhaps we shouldn't anyway, since internally we + use memory ccaches, and a FILE one probably means that + we're using creds obtained outside of our exectuable + */ + if (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE") == 0) { + DEBUG(5, ("We do not remove creds from a FILE ccache\n")); + return False; + } + + retval = krb5_cc_remove_cred(context, ccache, 0, credsp); + if (retval) { + DEBUG(1, ("krb5_cc_remove_cred failed, err %s\n", + error_message(retval))); + /* If we have an error in this, we want to display it, + but continue as though we deleted it */ + } + return True; +} + /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ @@ -249,7 +285,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, krb5_creds * credsp; krb5_creds creds; krb5_data in_data; - BOOL have_creds = False; + BOOL creds_ready = False; retval = krb5_parse_name(context, principal, &server); if (retval) { @@ -271,7 +307,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, goto cleanup_creds; } - while(!have_creds) { + while(!creds_ready) { if ((retval = krb5_get_credentials(context, 0, ccache, &creds, &credsp))) { DEBUG(1,("krb5_get_credentials failed for %s (%s)\n", 
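Review bot: ads_cleanup_expired_creds returns True even when krb5_cc_remove_cred fails (the comment says to continue "as though we deleted it"), so the caller's `while(!creds_ready)` loop in ads_krb5_mk_req asks the cache again, and if the library keeps handing back the same expired entry the loop never terminates. Returning False on that failure lets the caller proceed with the credentials it has and get a definite error from the server instead of spinning: `if (retval) { DEBUG(1, ("krb5_cc_remove_cred failed, err %s\n", error_message(retval))); return False; }`. The ten-second margin in `credsp->times.endtime >= (time(NULL) + 10)` is also worth a named constant so the FILE-ccache path and any future caller agree on it.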
@@ -287,21 +323,8 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, krb5_set_real_time(context, t + time_offset + 1, 0); } - /* cope with expired tickets */ - if ((unsigned)credsp->times.endtime < time(NULL)) { - DEBUG(3,("Ticket (%s) in ccache (%s) has expired (%s - %d). Obtaining new ticket.\n", - principal, krb5_cc_default_name(context), - http_timestring( - (unsigned)credsp->times.endtime), - (unsigned)credsp->times.endtime)); - if ((retval = krb5_cc_remove_cred(context, ccache, 0, - credsp))) { - DEBUG(1,("krb5_cc_remove_cred failed for %s (%s)\n", - principal, error_message(retval))); - } - } else { - have_creds = True; - } + if (!ads_cleanup_expired_creds(context, ccache, credsp)) + creds_ready = True; } DEBUG(10,("Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n", -- cgit From 33ebb4bee57603288c37aa7f02a923b3d2804382 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 6 May 2004 18:23:01 +0000 Subject: r527: More memory leak fixes in error paths from kawasa_r@itg.hitachi.co.jp. Jeremy. (This used to be commit b2ba4d5c1be6089e3818a20c68e3894432b53d87) --- source3/libsmb/clikrb5.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 81797a7bfc..e688ad608c 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -359,8 +359,8 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, { krb5_error_code retval; krb5_data packet; - krb5_ccache ccdef; krb5_context context; + krb5_ccache ccdef = NULL; krb5_auth_context auth_context = NULL; krb5_enctype enc_types[] = { #ifdef ENCTYPE_ARCFOUR_HMAC 
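Review bot: After this refactor the retry loop around krb5_get_credentials still has no upper bound — `if (!ads_cleanup_expired_creds(context, ccache, credsp)) creds_ready = True;` is its only exit — and `credsp` from the previous iteration is overwritten without krb5_free_creds. A small counter caps both the spin and the leak: `if (++attempts > 2) { retval = KRB5_CC_NOTFOUND; goto cleanup_creds; }` placed before the krb5_get_credentials call, with `krb5_free_creds(context, credsp)` before looping again. The loop head and the function's start lie outside this hunk.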
@@ -411,8 +411,14 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, #endif failed: - if ( context ) + + if ( context ) { + if (ccdef) + krb5_cc_close(context, ccdef); + if (auth_context) + krb5_auth_con_free(context, auth_context); krb5_free_context(context); + } return retval; } -- cgit From 63378d6f0efa4612da1aecb5dee14992ac069d0f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 7 May 2004 02:48:03 +0000 Subject: r541: fixing segfault in winbindd caused -r527 -- looks like a bug in heimdal; also initialize some pointers (This used to be commit be74e88d9a4b74fcaf25b0816e3fa8a487c91ab5) --- source3/libsmb/clikrb5.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index e688ad608c..9027f192ef 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -359,7 +359,7 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, { krb5_error_code retval; krb5_data packet; - krb5_context context; + krb5_context context = NULL; krb5_ccache ccdef = NULL; krb5_auth_context auth_context = NULL; krb5_enctype enc_types[] = { @@ -413,8 +413,11 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, failed: if ( context ) { +#if 0 /* JERRY -- disabled since it causes heimdal 0.6.1rc3 to die + SuSE 9.1 Pro */ if (ccdef) krb5_cc_close(context, ccdef); +#endif if (auth_context) krb5_auth_con_free(context, auth_context); krb5_free_context(context); -- cgit From 59d179452780dae847281a85d52d8e6e20575747 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 19 Jun 2004 00:55:29 +0000 Subject: r1194: Definition of krb5_free_unparsed_name() if we do't have it. Jeremy. (This used to be commit 82c219ea023dd546fcde29569725865a42e4198e) --- source3/libsmb/clikrb5.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/libsmb/clikrb5.c') 
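Review bot: `if ( context )` at the `failed:` label tests `context` before it has necessarily been assigned: the declaration `krb5_context context;` in this commit's first hunk has no initializer, so a jump to `failed` from a krb5_init_context failure reads an indeterminate pointer. Initialising it, `krb5_context context = NULL;`, makes the guard meaningful (the following commit r541 on this page does exactly that). The rest of cli_krb5_get_ticket lies outside the hunk.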
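Review bot: The `#if 0` around `krb5_cc_close(context, ccdef)` disables the close for every krb5 library, so builds against MIT or a fixed Heimdal now leak one ccache handle per cli_krb5_get_ticket call in order to avoid a crash seen in one Heimdal release. Gating the workaround on a configure-time test for the affected version, with the reason kept in the comment, would contain the leak; the later hunks on this page (r1222, r1399, r2474) flip this same line back and forth, which is the cost of not having such a gate. The function body continues outside the hunk.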
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 9027f192ef..01fcfcc3dd 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -234,6 +234,13 @@ krb5_error_code get_kerberos_allowed_etypes(krb5_context context, } #endif +#if !defined(HAVE_KRB5_FREE_UNPARSED_NAME) + void krb5_free_unparsed_name(krb5_context context, char *val) +{ + SAFE_FREE(val); +} +#endif + static BOOL ads_cleanup_expired_creds(krb5_context context, krb5_ccache ccache, krb5_creds *credsp) -- cgit From 7825677b862bb62b8350b6fee458fbbecc53893f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 23 Jun 2004 00:20:31 +0000 Subject: r1222: Valgrind memory leak fixes. Still tracking down a strange one... Can't fix the krb5 memory leaks inside that library :-(. Jeremy. (This used to be commit ad440213aaae58fb5bff6e8a6fcf811c5ba83669) --- source3/libsmb/clikrb5.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 01fcfcc3dd..ab9bc28fe5 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -420,11 +420,12 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, failed: if ( context ) { -#if 0 /* JERRY -- disabled since it causes heimdal 0.6.1rc3 to die - SuSE 9.1 Pro */ +/* Removed by jra. They really need to fix their kerberos so we don't leak memory. + JERRY -- disabled since it causes heimdal 0.6.1rc3 to die + SuSE 9.1 Pro +*/ if (ccdef) krb5_cc_close(context, ccdef); -#endif if (auth_context) krb5_auth_con_free(context, auth_context); krb5_free_context(context); -- cgit From 2b76b28932d9d1ed714e79579414f630966342e7 Mon Sep 17 00:00:00 2001 
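Review bot: The fallback definition of krb5_free_unparsed_name is indented by one space and carries no comment saying why; if the indent is deliberate to keep the symbol out of the generated prototypes (the r1287 and r1407 hunks further down add the same indent to other definitions for build reasons), record that, `/* indented on purpose: keep out of generated prototypes */`. It is also worth noting the assumption that the library's krb5_unparse_name allocated `val` with plain malloc, since `SAFE_FREE(val)` presumably pairs it with free().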
From: Jeremy Allison Date: Thu, 24 Jun 2004 05:56:44 +0000 Subject: r1236: Heimdal fixes from Guenther Deschner , more to come before it compiles with Heimdal. Jeremy. (This used to be commit dd07278b892770ac51750b87a4ab902d4de3a960) --- source3/libsmb/clikrb5.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index ab9bc28fe5..e7db33a1e8 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -473,6 +473,17 @@ failed: } #endif +krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry) +{ +#if defined(HAVE_KRB5_KT_FREE_ENTRY) + return krb5_kt_free_entry(context, kt_entry); +#elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS) + return krb5_free_keytab_entry_contents(context, kt_entry); +#else +#error UNKNOWN_KT_FREE_FUNCTION +#endif +} + #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, -- cgit From d095357d08e3944a7b2e490b2a809cc200f85995 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 28 Jun 2004 11:12:43 +0000 Subject: r1287: Attempt to fix the build for systems without kerberos headers. Volker (This used to be commit 43020cf459da24a915a39b770cec95a524d487c7) --- source3/libsmb/clikrb5.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index e7db33a1e8..4929bd63ef 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
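Review bot: smb_krb5_kt_free_entry has no comment saying what it frees, and the two library calls it wraps are easy to confuse with freeing the entry itself; if my reading of both APIs is right, a header such as `/* Release the members of *kt_entry (not the struct itself), via whichever routine the krb5 library provides. */` would settle that for callers. The `#error` in the `#else` branch is the right choice: an unsupported library fails at compile time instead of at the first keytab operation.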
@@ -124,13 +124,13 @@ #endif #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES) -krb5_error_code get_kerberos_allowed_etypes(krb5_context context, + krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes) { return krb5_get_permitted_enctypes(context, enctypes); } #elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES) -krb5_error_code get_kerberos_allowed_etypes(krb5_context context, + krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes) { return krb5_get_default_in_tkt_etypes(context, enctypes); @@ -473,7 +473,7 @@ failed: } #endif -krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry) + krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry) { #if defined(HAVE_KRB5_KT_FREE_ENTRY) return krb5_kt_free_entry(context, kt_entry); -- cgit From 824bc32be71afafdbaaea94a6cf104a1b3d329ec Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 8 Jul 2004 15:36:23 +0000 Subject: r1399: applying heimdal krb5 fixes from Guenther and fixing compile warnings in libadskerberos_keyatb.c (This used to be commit 837f56ec8bc171497fb84d332002776313c26305) --- source3/libsmb/clikrb5.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 4929bd63ef..abb1eb4acb 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -425,7 +425,9 @@ failed: SuSE 9.1 Pro */ if (ccdef) +#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */ krb5_cc_close(context, ccdef); +#endif if (auth_context) krb5_auth_con_free(context, auth_context); krb5_free_context(context); 
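Review bot: Placing `#if 0` between `if (ccdef)` and its unbraced body leaves `if (ccdef)` dangling over the next statement, so after preprocessing `if (auth_context) krb5_auth_con_free(...)` becomes the body of `if (ccdef)` and the auth context is released only when ccdef is non-NULL. Move the `#if 0` above the `if (ccdef)` line, or brace both bodies, `if (ccdef) { /* krb5_cc_close disabled, see comment */ }` and `if (auth_context) { krb5_auth_con_free(context, auth_context); }`. The r2474 hunk later on this page removes the `#if 0` altogether, which also resolves this. The function continues outside the hunk.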
@@ -473,7 +475,7 @@ failed: } #endif - krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry) +krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry) { #if defined(HAVE_KRB5_KT_FREE_ENTRY) return krb5_kt_free_entry(context, kt_entry); -- cgit From 0122d4ef5e441e5470e190b77567d00b703e549e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 8 Jul 2004 18:14:07 +0000 Subject: r1407: revert change that broke the build on systems w/o krb5 files (This used to be commit 89a11b5d7c0939c9344115ef509cbb0567d7524a) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index abb1eb4acb..b9a3dda494 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -475,7 +475,7 @@ failed: } #endif -krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry) + krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry) { #if defined(HAVE_KRB5_KT_FREE_ENTRY) return krb5_kt_free_entry(context, kt_entry); -- cgit From 608172ebe31abd4ffa9584fd3fe411cb0955f5fa Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 10 Jul 2004 03:26:43 +0000 Subject: r1428: Remove *completly bogus* memset. (No doubt my bug, too...). This memset could well have clobbered bits of the stack, because session_key changed from char session_key[16]; to DATA_BLOB session_key Andrew Bartlett (This used to be commit 54248a405c9459f93f4200ebb0dc71748ae2fc83) --- source3/libsmb/clikrb5.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index b9a3dda494..5fcde4654a 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -442,8 +442,6 @@ failed: krb5_error_code err; BOOL ret = False; - memset(session_key, 0, 16); - if (remote) err = krb5_auth_con_getremotesubkey(context, auth_context, &skey); else -- cgit From 77cc4121cf0a31a6594bccd1f86351aee785eb96 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 25 Aug 2004 07:52:23 +0000 Subject: r2057: Although rarely used, prevent "net lookup kdc" from segfaulting when using our own implementation of krb5_lookup_kdc with heimdal. Also, heimdals krb5_krbhst_next() obviously does not retrieve the struct addrinfo in the krb5_krbhst_info-struct, using krb5_krbhst_get_addrinfo() instead. Guenther (This used to be commit cca660e109cc94b49ac6bf1f2802235d1d4d4383) --- source3/libsmb/clikrb5.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 5fcde4654a..de2f0cec18 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -190,6 +190,7 @@ krb5_error_code rc; int num_kdcs, i; struct sockaddr *sa; + struct addrinfo **ai; *addr_pp = NULL; *naddrs = 0; @@ -219,10 +220,19 @@ return -1; } + *addr_pp = malloc(sizeof(struct sockaddr) * num_kdcs); memset(*addr_pp, '\0', sizeof(struct sockaddr) * num_kdcs ); for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) { - if (hinfo->ai->ai_family == AF_INET) + +#if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO) + rc = krb5_krbhst_get_addrinfo(ctx, hinfo, ai); + if (rc) { + DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc))); + return rc; + } +#endif + if (hinfo->ai && hinfo->ai->ai_family == AF_INET) memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr)); } -- cgit From 83d5892eab7662053ca9ce3711d60760aadf6084 Mon Sep 17 00:00:00 2001 
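Review bot: `krb5_krbhst_get_addrinfo(ctx, hinfo, ai)` is handed `ai` uninitialised — it is declared `struct addrinfo **ai;` in the first hunk and never assigned — so the callee writes its result through an indeterminate pointer. The variable should be `struct addrinfo *ai;` passed as `&ai` (the r2472 hunk below makes that change), and the retrieved pointer should then be what the `AF_INET` test reads, since the commit message says Heimdal does not fill `hinfo->ai`. Two further issues in the same hunk: the added `*addr_pp = malloc(...)` is unchecked and duplicates the `sa` allocation (the memset on the next line would dereference NULL on failure), and `return rc` inside the loop leaves `sa` and `hnd` unreleased. The enclosing function starts and ends outside the hunk.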
From: Günther Deschner Date: Tue, 21 Sep 2004 10:40:45 +0000 Subject: r2472: Fixed krb5_krbhost_get_addrinfo()-parameters and make failure of this call non-critical. Thanks to Love for the patch and explaining the inner workings of heimdal. Guenther (This used to be commit 4bd9d8240b571fdd8546af4eea3f4f148987d57c) --- source3/libsmb/clikrb5.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index de2f0cec18..2b0c054493 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -190,7 +190,7 @@ krb5_error_code rc; int num_kdcs, i; struct sockaddr *sa; - struct addrinfo **ai; + struct addrinfo *ai; *addr_pp = NULL; *naddrs = 0; @@ -226,10 +226,10 @@ for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) { #if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO) - rc = krb5_krbhst_get_addrinfo(ctx, hinfo, ai); + rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai); if (rc) { DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc))); - return rc; + continue; } #endif if (hinfo->ai && hinfo->ai->ai_family == AF_INET) -- cgit From a71c7b4e173a9f99d470c4be2c6ecc2989d34486 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 21 Sep 2004 12:50:04 +0000 Subject: r2474: (re-)fix memleak (initially found by jra). heimdal 0.6.1rc3 had a bug causing winbindd to die, heimdal version 0.6.1 and higher have that fixed (thanks to Love from Heimdal). SuSE has been informed about this possible pitfall, any other vendors that ship with heimdal-0.6.1rc3 to be notified ? Guenther (This used to be commit 6239a5bec99c62032e0cde20679a71622dd7a059) --- source3/libsmb/clikrb5.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 2b0c054493..f7f84f1e29 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
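Review bot: After `krb5_krbhst_get_addrinfo(ctx, hinfo, &ai)` succeeds, `ai` is never read: the lines that follow still test and copy from `hinfo->ai`, the field the previous commit's message says Heimdal leaves unset, so the call has no effect on what ends up in `sa`. Initialise the local from the struct at the top of the loop body, `struct addrinfo *ai = hinfo->ai;`, let the `#if` block overwrite it, and change the two lines below to `if (ai && ai->ai_family == AF_INET)` / `memcpy(&sa[i], ai->ai_addr, sizeof(struct sockaddr));`. Note also that `continue` still advances `i`, leaving `sa[i]` unset while the caller will presumably count it as a KDC address. The enclosing function starts and ends outside the hunk.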
@@ -430,14 +430,8 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, failed: if ( context ) { -/* Removed by jra. They really need to fix their kerberos so we don't leak memory. - JERRY -- disabled since it causes heimdal 0.6.1rc3 to die - SuSE 9.1 Pro -*/ if (ccdef) -#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */ krb5_cc_close(context, ccdef); -#endif if (auth_context) krb5_auth_con_free(context, auth_context); krb5_free_context(context); -- cgit From 13542c7b5058d1fa0817ae9f371e013157b471d0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 28 Oct 2004 23:50:14 +0000 Subject: r3342: More MIT/Heimdal fixes to allow an enctype to be explicitly set in a krb5_creds struct. Jeremy. (This used to be commit c9b80490128e09442a01dd8ec6f4b453769e82c1) --- source3/libsmb/clikrb5.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index f7f84f1e29..291aa13de0 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -251,6 +251,17 @@ } #endif +void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype) +{ +#if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS) + KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype; +#elif defined(HAVE_KRB5_SESSION_IN_CREDS) + KRB5_KEY_TYPE((&pcreds->session)) = enctype; +#else +#error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT +#endif +} + static BOOL ads_cleanup_expired_creds(krb5_context context, krb5_ccache ccache, krb5_creds *credsp) -- cgit From b57feea6d312de778e232f478d768ac5f3552b3e Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 29 Oct 2004 00:02:32 +0000 Subject: r3345: More MIT/Heimdal tests for comparing enctypes now. Jeremy. (This used to be commit eefb911d0c66bdee586a86446e16723013f84101) --- source3/libsmb/clikrb5.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'source3/libsmb/clikrb5.c') 
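Review bot: `int enctype` narrows the type that the assignment writes into the creds keyblock; the file's other helpers (get_kerberos_allowed_etypes, create_kerberos_key_from_string) use `krb5_enctype`, and matching it here, `void kerberos_set_creds_enctype(krb5_creds *pcreds, krb5_enctype enctype)`, avoids an implicit conversion at every call site while staying compatible with int callers. A one-line comment naming the member that `KRB5_KEY_TYPE` selects on each library would also help the next reader, since the two `#if` branches differ only in the member name.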
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 291aa13de0..5aa1668705 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -262,6 +262,20 @@ void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype) #endif } +krb5_boolean kerberos_compatible_enctypes(krb5_context context, + krb5_enctype enctype1, + krb5_enctype enctype2) +{ +#if defined(HAVE_KRB5_C_ENCTYPE_COMPARE) + krb5_boolean similar = 0; + + krb5_c_enctype_compare(context, enctype1, enctype2, &similar); + return similar; +#elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS) + return krb5_enctypes_compatible_keys(context, enctype1, enctype2); +#endif +} + static BOOL ads_cleanup_expired_creds(krb5_context context, krb5_ccache ccache, krb5_creds *credsp) -- cgit From 0772ddbae1be394c538f1d3529ea84434eadcf97 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 29 Oct 2004 22:38:10 +0000 Subject: r3377: Merge in first part of modified patch from Nalin Dahyabhai for bug #1717.The rest of the code needed to call this patch has not yet been checked in (that's my next task). This has not yet been tested - I'll do this once the rest of the patch is integrated. Jeremy. (This used to be commit 7565019286cf44f43c8066c005b1cd5c1556435f) --- source3/libsmb/clikrb5.c | 47 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 38 insertions(+), 9 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 5aa1668705..32a50464e0 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -81,7 +81,7 @@ #endif #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) - int create_kerberos_key_from_string(krb5_context context, + int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, 
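Review bot: kerberos_compatible_enctypes has no `#else` branch, so on a library that provides neither krb5_c_enctype_compare nor krb5_enctypes_compatible_keys the function compiles with no return statement and the caller reads an indeterminate value; the sibling kerberos_set_creds_enctype just above it ends with `#else` / `#error`, and this one should too, `#else` / `#error UNKNOWN_ENCTYPE_COMPARE_FUNCTION`. In the first branch the return code of krb5_c_enctype_compare is discarded, which silently maps a library error onto "not compatible"; that is the safe direction, but a comment should say it is deliberate.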
@@ -102,7 +102,7 @@ return ret; } #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) - int create_kerberos_key_from_string(krb5_context context, + int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, @@ -123,6 +123,27 @@ __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS #endif +int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key, + krb5_enctype enctype) +{ + krb5_principal salt_princ = NULL; + int ret; + /* + * Check if we've determined that the KDC is salting keys for this + * principal/enctype in a non-obvious way. If it is, try to match + * its behavior. + */ + salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype); + ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype); + if (salt_princ) { + krb5_free_principal(context, salt_princ); + } + return ret; +} + #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES) krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes) @@ -251,6 +272,17 @@ } #endif +void kerberos_free_data_contents(krb5_context context, krb5_data *pdata) +{ +#if !defined(HAVE_KRB5_FREE_DATA_CONTENTS) + if (pdata->data) { + krb5_free_data_contents(context, pdata); + } +#else + SAFE_FREE(pdata->data); +#endif +} + void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype) { #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS) @@ -262,7 +294,7 @@ void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype) #endif } -krb5_boolean kerberos_compatible_enctypes(krb5_context context, +BOOL kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2) { 
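Review bot: The condition `#if !defined(HAVE_KRB5_FREE_DATA_CONTENTS)` is inverted: the branch that calls krb5_free_data_contents is compiled exactly when configure found the function absent, and libraries that do have it get `SAFE_FREE(pdata->data)` instead, releasing library-owned memory with Samba's allocator. Drop the `!` (r3407 further down this page does so). The caller added at @@ -447 in the same commit, `kerberos_free_data_contents(context, &packet)`, inherits the problem until then.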
@@ -270,9 +302,9 @@ krb5_boolean kerberos_compatible_enctypes(krb5_context context, krb5_boolean similar = 0; krb5_c_enctype_compare(context, enctype1, enctype2, &similar); - return similar; + return similar ? True : False; #elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS) - return krb5_enctypes_compatible_keys(context, enctype1, enctype2); + return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False; #endif } @@ -447,10 +479,7 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, *ticket = data_blob(packet.data, packet.length); -/* Hmm, heimdal dooesn't have this - what's the correct call? */ -#ifdef HAVE_KRB5_FREE_DATA_CONTENTS - krb5_free_data_contents(context, &packet); -#endif + kerberos_free_data_contents(context, &packet); failed: -- cgit From cf47845b1c2e83d49f32bdfc455cd9114a234df8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 30 Oct 2004 00:34:58 +0000 Subject: r3379: More merging of kerberos keytab and salting fixes from Nalin Dahyabhai (bugid #1717). Jeremy. (This used to be commit 30b8807cf6d5c3c5b9947a7e841d69f0b22eb019) --- source3/libsmb/clikrb5.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 32a50464e0..f81e86abf4 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -77,7 +77,7 @@ pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr); } #else - __ERROR__XX__UNKNOWN_ADDRTYPE +#error UNKNOWN_ADDRTYPE #endif #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) @@ -120,7 +120,7 @@ salt, key); } #else - __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS +#error UNKNOWN_CREATE_KEY_FUNCTIONS #endif int create_kerberos_key_from_string(krb5_context context, -- cgit From c64df4d7466811b4083827e512e94e1a4cc44900 Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Sun, 31 Oct 2004 11:20:07 +0000 Subject: r3407: Fix the build (This used to be commit b144ce557f516f62ab802fbb277799b10153c8fb) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index f81e86abf4..af0273853f 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -274,7 +274,7 @@ int create_kerberos_key_from_string(krb5_context context, void kerberos_free_data_contents(krb5_context context, krb5_data *pdata) { -#if !defined(HAVE_KRB5_FREE_DATA_CONTENTS) +#if defined(HAVE_KRB5_FREE_DATA_CONTENTS) if (pdata->data) { krb5_free_data_contents(context, pdata); } -- cgit From 3688bb079e8d817dcfc3b9e5eb9d07e7b95a806f Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 1 Nov 2004 19:35:55 +0000 Subject: r3439: Finally fix build for platforms without kerberos. Guenther (This used to be commit 05619cfdbf814e5c79e65934b82424eca00c76c4) --- source3/libsmb/clikrb5.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index af0273853f..5c5584763c 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -123,7 +123,7 @@ #error UNKNOWN_CREATE_KEY_FUNCTIONS #endif -int create_kerberos_key_from_string(krb5_context context, + int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, @@ -272,7 +272,7 @@ int create_kerberos_key_from_string(krb5_context context, } #endif -void kerberos_free_data_contents(krb5_context context, krb5_data *pdata) + void kerberos_free_data_contents(krb5_context context, krb5_data *pdata) { #if defined(HAVE_KRB5_FREE_DATA_CONTENTS) if (pdata->data) { 
@@ -283,7 +283,7 @@ void kerberos_free_data_contents(krb5_context context, krb5_data *pdata) #endif } -void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype) + void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype) { #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS) KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype; @@ -294,7 +294,7 @@ void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype) #endif } -BOOL kerberos_compatible_enctypes(krb5_context context, + BOOL kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2) { -- cgit From e73d23d1badbf76b6f53007fd48105b4e9f39eb1 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 4 Nov 2004 23:56:23 +0000 Subject: r3535: Tidy up error reporting. Memory leak with MIT krb5 1.3.5 turns out to be in the kerberos libraries, not in Samba. Now to test with Heimdal. Jeremy (This used to be commit b08e3bf6fb1052285e4efd669d9717d3a617499d) --- source3/libsmb/clikrb5.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 5c5584763c..bc52805dff 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -330,13 +330,13 @@ static BOOL ads_cleanup_expired_creds(krb5_context context, we're using creds obtained outside of our exectuable */ if (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE") == 0) { - DEBUG(5, ("We do not remove creds from a FILE ccache\n")); + DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a FILE ccache\n")); return False; } retval = krb5_cc_remove_cred(context, ccache, 0, credsp); if (retval) { - DEBUG(1, ("krb5_cc_remove_cred failed, err %s\n", + DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n", error_message(retval))); /* If we have an error in this, we want to display it, but continue as though we deleted it */ 
@@ -363,7 +363,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, retval = krb5_parse_name(context, principal, &server); if (retval) { - DEBUG(1,("Failed to parse principal %s\n", principal)); + DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal)); return retval; } @@ -376,7 +376,9 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, } if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) { - DEBUG(1,("krb5_cc_get_principal failed (%s)\n", + /* This can commonly fail on smbd startup with no ticket in the cache. + * Report at higher level than 1. */ + DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n", error_message(retval))); goto cleanup_creds; } @@ -384,7 +386,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, while(!creds_ready) { if ((retval = krb5_get_credentials(context, 0, ccache, &creds, &credsp))) { - DEBUG(1,("krb5_get_credentials failed for %s (%s)\n", + DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n", principal, error_message(retval))); goto cleanup_creds; } @@ -393,7 +395,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, if ((unsigned)credsp->times.starttime > time(NULL)) { time_t t = time(NULL); int time_offset =(unsigned)credsp->times.starttime-t; - DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset)); + DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset)); krb5_set_real_time(context, t + time_offset + 1, 0); } @@ -401,7 +403,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, creds_ready = True; } - DEBUG(10,("Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n", + DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n", principal, krb5_cc_default_name(context), http_timestring((unsigned)credsp->times.endtime), (unsigned)credsp->times.endtime)); 
@@ -410,7 +412,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, retval = krb5_mk_req_extended(context, auth_context, ap_req_options, &in_data, credsp, outbuf); if (retval) { - DEBUG(1,("krb5_mk_req_extended failed (%s)\n", + DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n", error_message(retval))); } @@ -446,7 +448,7 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, retval = krb5_init_context(&context); if (retval) { - DEBUG(1,("krb5_init_context failed (%s)\n", + DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n", error_message(retval))); goto failed; } @@ -456,13 +458,13 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, } if ((retval = krb5_cc_default(context, &ccdef))) { - DEBUG(1,("krb5_cc_default failed (%s)\n", + DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n", error_message(retval))); goto failed; } if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) { - DEBUG(1,("krb5_set_default_tgs_ktypes failed (%s)\n", + DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n", error_message(retval))); goto failed; } -- cgit From 8ea9237d82857ecd6111c37d1ce6b9122ff50f44 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 5 Nov 2004 00:57:29 +0000 Subject: r3538: Fix the build with the latest Heimdal code. Jeremy. (This used to be commit 34275bae787762646f02ea1dec19d7b3a9a733a3) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index bc52805dff..068e782207 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -80,7 +80,7 @@ #error UNKNOWN_ADDRTYPE #endif -#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) +#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK) int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, -- cgit From e7a0aabc2e50306983794c79e23daaf92993db7b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 30 Nov 2004 18:58:58 +0000 Subject: r4020: Fix for crash reported by Bård Kalbakk . Don't go fishing for the authorisation data unless we know it's there. Jeremy. (This used to be commit 6f6b4c61e03afb4d35bf6b3ea468fb211d703aa7) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 068e782207..15be8967b8 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -184,7 +184,7 @@ void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt) { #if defined(HAVE_KRB5_TKT_ENC_PART2) - if (tkt->enc_part2) + if (tkt->enc_part2 && tkt->enc_part2->authorization_data && tkt->enc_part2->authorization_data[0] && tkt->enc_part2->authorization_data[0]->length) *auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents, tkt->enc_part2->authorization_data[0]->length); #else -- cgit From b46913fb95d59f3ec8e7e71da758cd16cda05f2c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 20 Dec 2004 21:14:28 +0000 Subject: r4291: More *alloc fixes inspired by Albert Chin (china@thewrittenword.com). Jeremy (This used to be commit efc1b688cf9b1a17f1a6bf46d481280ed8bd0c46) --- source3/libsmb/clikrb5.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') 
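Review bot: The new guard only ever looks at `authorization_data[0]`; if a ticket carries more than one authorization-data element the function hands back whichever happens to be first and ignores the rest, so a comment should state that the caller wants the first element only (presumably the AD-IF-RELEVANT container) and why. When the guard is false nothing visible assigns `*auth_data`; unless the caller zero-initialises it, an `else` should, e.g. `else *auth_data = data_blob(NULL, 0);`. The long `&&` chain would also read better split one test per line.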
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 15be8967b8..66c16b69ae 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -233,7 +233,7 @@ return -1; } - sa = malloc( sizeof(struct sockaddr) * num_kdcs ); + sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs ); if (!sa) { DEBUG(0, ("krb5_locate_kdc: malloc failed\n")); krb5_krbhst_free(ctx, hnd); @@ -241,8 +241,7 @@ return -1; } - *addr_pp = malloc(sizeof(struct sockaddr) * num_kdcs); - memset(*addr_pp, '\0', sizeof(struct sockaddr) * num_kdcs ); + memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs ); for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) { -- cgit From 9840db418bad5a39edc4a32a1786f5e2d2c9dff8 Mon Sep 17 00:00:00 2001 From: Derrell Lipman Date: Thu, 31 Mar 2005 05:06:04 +0000 Subject: r6149: Fixes bugs #2498 and 2484. 1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes. 2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes. 3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers. Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task. (This used to be commit 994694f7f26da5099f071e1381271a70407f33bb) --- source3/libsmb/clikrb5.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/libsmb/clikrb5.c') 
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 66c16b69ae..c35b53a9dd 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -19,6 +19,9 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ +#define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */ +#define KRB5_DEPRECATED 1 /* this file uses DEPRECATED interfaces! */ + #include "includes.h" #ifdef HAVE_KRB5 -- cgit From 1d08b9013a67184b0ecfe8b013926128719b68a6 Mon Sep 17 00:00:00 2001 From: Derrell Lipman Date: Tue, 19 Apr 2005 19:23:49 +0000 Subject: r6392: - Fixes bug 2564: when smbc_opendir() was called with a file rather than a directory, the errno returned could end up as ENOENT rather than ENOTDIR. - Fixes some compiler warnings which showed up on IRIX, as reported by James Peach. (This used to be commit 615a62b21f8d2f7f97bde2f166ddd6849d39b95c) --- source3/libsmb/clikrb5.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index c35b53a9dd..43252b94d8 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -396,7 +396,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, /* cope with ticket being in the future due to clock skew */ if ((unsigned)credsp->times.starttime > time(NULL)) { time_t t = time(NULL); - int time_offset =(unsigned)credsp->times.starttime-t; + int time_offset =(int)((unsigned)credsp->times.starttime-t); DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset)); krb5_set_real_time(context, t + time_offset + 1, 0); } 
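Review bot: `#define KRB5_PRIVATE 1` and `#define KRB5_DEPRECATED 1` opt the whole file into interfaces the library does not guarantee, but the comments do not record which calls need them, so nobody can tell when they may be dropped. Extend them to name the interfaces that motivated this (the commit message only says "private" and "deprecated"), e.g. `/* this file uses PRIVATE interfaces! -- TODO: list which, so this can go when alternatives exist */`. Both defines must stay ahead of `#include "includes.h"`, which they do.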
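Review bot: `(int)((unsigned)credsp->times.starttime-t)` silences the warning without fixing the arithmetic: `starttime` is first widened to unsigned, `t` (a time_t) is subtracted in whichever type dominates, and the result is then truncated to int. The guard on the preceding line already guarantees `starttime > t`, so the plain signed difference is well-defined and clearer, `int time_offset = (int)(credsp->times.starttime - t);` — unless the unsigned cast is there for post-2038 timestamps, in which case a comment should say so. ads_krb5_mk_req continues outside the hunk.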
@@ -405,7 +405,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, creds_ready = True; } - DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n", + DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s) is valid until: (%s - %u)\n", principal, krb5_cc_default_name(context), http_timestring((unsigned)credsp->times.endtime), (unsigned)credsp->times.endtime)); -- cgit From 1c4bbe06549d86614318718a45b9bc48e3bfc81f Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Mon, 2 May 2005 17:49:43 +0000 Subject: r6586: get rid of a few more compiler warnings (This used to be commit 173375f8d88bf8e8db8d60e5d5f0e5dcc28767d9) --- source3/libsmb/clikrb5.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 43252b94d8..e70c2b8bec 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -525,11 +525,13 @@ failed: #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT) + const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i ); + const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i ) { static krb5_data kdata; - kdata.data = krb5_principal_get_comp_string(context, principal, i); + kdata.data = (char *)krb5_principal_get_comp_string(context, principal, i); kdata.length = strlen(kdata.data); return &kdata; } -- cgit From 2d878a4b6d66663938e3540b9726ce158ec9a253 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 13 Sep 2005 21:21:43 +0000 Subject: r10210: Fix memleak. Guenther (This used to be commit 10358d16d7946f6b0c989db8bc26f8840144389b) --- source3/libsmb/clikrb5.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index e70c2b8bec..1741c1db3c 100644 --- a/source3/libsmb/clikrb5.c 
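Review bot: `strlen(kdata.data)` in the compatibility `krb5_princ_component()` runs on whatever krb5_principal_get_comp_string() returns, and the hunk adds no NULL check; Heimdal's function returns NULL for an out-of-range component index, so a bad `i` dereferences NULL. Guard it before the strlen, e.g. `if (kdata.data == NULL) { kdata.length = 0; return &kdata; }`, or return NULL and have callers check the result. The function also hands back a pointer to a single `static krb5_data`, so two consecutive calls (as a component-by-component comparison would make) see the same object with the second call's contents; that deserves a comment at the declaration, e.g. `/* returns a pointer to static storage: copy the result before calling again */`. The whole function is inside the hunk.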
+++ b/source3/libsmb/clikrb5.c
@@ -119,8 +119,10 @@
 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
 return ret;
 }
- return krb5_string_to_key_salt(context, enctype, password->data,
- salt, key);
+
+ ret = krb5_string_to_key_salt(context, enctype, password->data, salt, key);
+ krb5_free_salt(context, salt);
+ return ret;
 }
 #else
 #error UNKNOWN_CREATE_KEY_FUNCTIONS
-- cgit
From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Fri, 30 Sep 2005 17:13:37 +0000
Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
---
 source3/libsmb/clikrb5.c | 451 +++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 441 insertions(+), 10 deletions(-)
(limited to 'source3/libsmb/clikrb5.c')
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 1741c1db3c..e3ad5f17cb 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -3,6 +3,8 @@
 simple kerberos5 routines for active directory
 Copyright (C) Andrew Tridgell 2001
 Copyright (C) Luke Howard 2002-2003
+ Copyright (C) Andrew Bartlett 2005
+ Copyright (C) Guenther Deschner 2005
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -186,17 +188,107 @@ } #endif - void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt) +BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data) { + DATA_BLOB pac_contents; + ASN1_DATA data; + int data_type; + + if (!auth_data->length) { + return False; + } + + asn1_load(&data, *auth_data); + asn1_start_tag(&data, ASN1_SEQUENCE(0)); + asn1_start_tag(&data, ASN1_SEQUENCE(0)); + asn1_start_tag(&data, ASN1_CONTEXT(0)); + asn1_read_Integer(&data, &data_type); + + if (data_type != KRB5_AUTHDATA_WIN2K_PAC ) { + DEBUG(10,("authorization data is not a Windows PAC (type: %d)\n", data_type)); + asn1_free(&data); + return False; + } + + asn1_end_tag(&data); + asn1_start_tag(&data, ASN1_CONTEXT(1)); + asn1_read_OctetString(&data, &pac_contents); + asn1_end_tag(&data); + asn1_end_tag(&data); + asn1_end_tag(&data); + asn1_free(&data); + + *unwrapped_pac_data = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length); + + data_blob_free(&pac_contents); + + return True; +} + + BOOL get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt) +{ + DATA_BLOB auth_data_wrapped; + BOOL got_auth_data_pac = False; + int i; + #if defined(HAVE_KRB5_TKT_ENC_PART2) - if (tkt->enc_part2 && tkt->enc_part2->authorization_data && tkt->enc_part2->authorization_data[0] && tkt->enc_part2->authorization_data[0]->length) - *auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents, - tkt->enc_part2->authorization_data[0]->length); + if (tkt->enc_part2 && tkt->enc_part2->authorization_data && + tkt->enc_part2->authorization_data[0] && + tkt->enc_part2->authorization_data[0]->length) + { + for (i = 0; tkt->enc_part2->authorization_data[i] != NULL; i++) { + + if (tkt->enc_part2->authorization_data[i]->ad_type != + KRB5_AUTHDATA_IF_RELEVANT) { + DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n", + tkt->enc_part2->authorization_data[i]->ad_type)); + continue; + } + + auth_data_wrapped = 
data_blob(tkt->enc_part2->authorization_data[i]->contents, + tkt->enc_part2->authorization_data[i]->length); + + /* check if it is a PAC */ + got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data); + data_blob_free(&auth_data_wrapped); + + if (!got_auth_data_pac) { + continue; + } + } + + return got_auth_data_pac; + } + #else - if (tkt->ticket.authorization_data && tkt->ticket.authorization_data->len) - *auth_data = data_blob(tkt->ticket.authorization_data->val->ad_data.data, - tkt->ticket.authorization_data->val->ad_data.length); + if (tkt->ticket.authorization_data && + tkt->ticket.authorization_data->len) + { + for (i = 0; i < tkt->ticket.authorization_data->len; i++) { + + if (tkt->ticket.authorization_data->val[i].ad_type != + KRB5_AUTHDATA_IF_RELEVANT) { + DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n", + tkt->ticket.authorization_data->val[i].ad_type)); + continue; + } + + auth_data_wrapped = data_blob(tkt->ticket.authorization_data->val[i].ad_data.data, + tkt->ticket.authorization_data->val[i].ad_data.length); + + /* check if it is a PAC */ + got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data); + data_blob_free(&auth_data_wrapped); + + if (!got_auth_data_pac) { + continue; + } + } + + return got_auth_data_pac; + } #endif + return False; } krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt) @@ -435,7 +527,7 @@ cleanup_princ: get a kerberos5 ticket for the given service */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5) + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts) { krb5_error_code retval; krb5_data packet; @@ -475,7 +567,7 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, if ((retval = ads_krb5_mk_req(context, &auth_context, - AP_OPTS_USE_SUBKEY, + AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts, principal, ccdef, &packet))) { goto failed; 
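Review bot: unwrap_pac() never checks whether the ASN.1 walk succeeded: none of the asn1_start_tag()/asn1_read_Integer()/asn1_read_OctetString() results are tested and `data.has_error` is not consulted, so malformed authorization data in a ticket reaches `data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length)` with `pac_contents` never assigned. Check the parser state before using the contents, e.g. `if (data.has_error) { asn1_free(&data); return False; }` after the last asn1_end_tag(), and initialise `pac_contents` with `ZERO_STRUCT(pac_contents);` at the top. In get_auth_data_from_tkt() there is no `break` once a PAC has been unwrapped (`if (!got_auth_data_pac) continue;` is the last statement of the loop body), so a later IF-RELEVANT element overwrites `*auth_data` and its result decides the return value; the `#else` branch has the same shape. Both functions are fully inside the hunk; get_principal_from_tkt begins on its last line.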
@@ -550,10 +642,349 @@ failed: #endif } +void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum, + PAC_SIGNATURE_DATA *sig) +{ +#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM + cksum->cksumtype = (krb5_cksumtype)sig->type; + cksum->checksum.length = sig->signature.buf_len; + cksum->checksum.data = sig->signature.buffer; +#else + cksum->checksum_type = (krb5_cksumtype)sig->type; + cksum->length = sig->signature.buf_len; + cksum->contents = sig->signature.buffer; +#endif +} + +krb5_error_code smb_krb5_verify_checksum(krb5_context context, + krb5_keyblock *keyblock, + krb5_keyusage usage, + krb5_checksum *cksum, + uint8 *data, + size_t length) +{ + krb5_error_code ret; + + /* verify the checksum */ + + /* welcome to the wonderful world of samba's kerberos abstraction layer: + * + * function heimdal 0.6.1rc3 heimdal 0.7 MIT krb 1.4.2 + * ----------------------------------------------------------------------------- + * krb5_c_verify_checksum - works works + * krb5_verify_checksum works (6 args) works (6 args) broken (7 args) + */ + +#if defined(HAVE_KRB5_C_VERIFY_CHECKSUM) + { + krb5_boolean checksum_valid = False; + krb5_data input; + + input.data = (char *)data; + input.length = length; + + ret = krb5_c_verify_checksum(context, + keyblock, + usage, + &input, + cksum, + &checksum_valid); + if (!checksum_valid) + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + } + +#elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY) + + /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key + * without enctype and it ignores any key_usage types - Guenther */ + + { + + krb5_crypto crypto; + ret = krb5_crypto_init(context, + keyblock, + 0, + &crypto); + if (ret) { + DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n", + error_message(ret))); + return ret; + } + + ret = krb5_verify_checksum(context, + crypto, + usage, + data, + length, + cksum); + + krb5_crypto_destroy(context, crypto); 
+ } + +#else +#error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION +#endif + + return ret; +} + +time_t get_authtime_from_tkt(krb5_ticket *tkt) +{ +#if defined(HAVE_KRB5_TKT_ENC_PART2) + return tkt->enc_part2->times.authtime; +#else + return tkt->ticket.authtime; +#endif +} + +static int get_kvno_from_ap_req(krb5_ap_req *ap_req) +{ +#ifdef HAVE_TICKET_POINTER_IN_KRB5_AP_REQ /* MIT */ + if (ap_req->ticket->enc_part.kvno) + return ap_req->ticket->enc_part.kvno; +#else /* Heimdal */ + if (ap_req->ticket.enc_part.kvno) + return *ap_req->ticket.enc_part.kvno; +#endif + return 0; +} + +static krb5_enctype get_enctype_from_ap_req(krb5_ap_req *ap_req) +{ +#ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */ + return ap_req->ticket.enc_part.etype; +#else /* MIT */ + return ap_req->ticket->enc_part.enctype; +#endif +} + +static krb5_error_code +get_key_from_keytab(krb5_context context, + krb5_keytab keytab, + krb5_const_principal server, + krb5_enctype enctype, + krb5_kvno kvno, + krb5_keyblock **out_key) +{ + krb5_keytab_entry entry; + krb5_error_code ret; + krb5_keytab real_keytab; + char *name = NULL; + + if (keytab == NULL) { + krb5_kt_default(context, &real_keytab); + } else { + real_keytab = keytab; + } + + if ( DEBUGLEVEL >= 10 ) { + krb5_unparse_name(context, server, &name); + DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n", + kvno, enctype, name)); + krb5_free_unparsed_name(context, name); + } + + ret = krb5_kt_get_entry(context, + real_keytab, + server, + kvno, + enctype, + &entry); + + if (ret) { + DEBUG(0,("get_key_from_keytab: failed to retrieve key: %s\n", error_message(ret))); + goto out; + } + +#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */ + ret = krb5_copy_keyblock(context, &entry.keyblock, out_key); +#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */ + ret = krb5_copy_keyblock(context, &entry.key, out_key); +#else +#error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT +#endif + + if (ret) { + DEBUG(0,("get_key_from_keytab: failed to copy 
key: %s\n", error_message(ret))); + goto out; + } + + smb_krb5_kt_free_entry(context, &entry); + +out: + if (keytab == NULL) { + krb5_kt_close(context, real_keytab); + } + + return ret; +} + +void smb_krb5_free_ap_req(krb5_context context, + krb5_ap_req *ap_req) +{ +#ifdef HAVE_KRB5_FREE_AP_REQ /* MIT */ + krb5_free_ap_req(context, ap_req); +#elif defined(HAVE_FREE_AP_REQ) /* Heimdal */ + free_AP_REQ(ap_req); +#else +#error UNKNOWN_KRB5_AP_REQ_FREE_FUNCTION +#endif +} + +/* Prototypes */ +#if defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */ +krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep); +#endif + +krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, + const krb5_data *inbuf, + krb5_kvno *kvno, + krb5_enctype *enctype) +{ + krb5_error_code ret; +#ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */ + { + krb5_ap_req ap_req; + + ret = krb5_decode_ap_req(context, inbuf, &ap_req); + if (ret) + return ret; + + *kvno = get_kvno_from_ap_req(&ap_req); + *enctype = get_enctype_from_ap_req(&ap_req); + + smb_krb5_free_ap_req(context, &ap_req); + } +#elif defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */ + { + krb5_ap_req *ap_req = NULL; + + ret = decode_krb5_ap_req(inbuf, &ap_req); + if (ret) + return ret; + + *kvno = get_kvno_from_ap_req(ap_req); + *enctype = get_enctype_from_ap_req(ap_req); + + smb_krb5_free_ap_req(context, ap_req); + } +#else +#error UNKOWN_KRB5_AP_REQ_DECODING_FUNCTION +#endif + return ret; +} + +krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context, + krb5_auth_context *auth_context, + const krb5_data *inbuf, + krb5_const_principal server, + krb5_keytab keytab, + krb5_flags *ap_req_options, + krb5_ticket **ticket, + krb5_keyblock **keyblock) +{ + krb5_error_code ret; + krb5_ap_req *ap_req = NULL; + krb5_kvno kvno; + krb5_enctype enctype; + krb5_keyblock *local_keyblock; + + ret = krb5_rd_req(context, + auth_context, + inbuf, + server, + keytab, + ap_req_options, + ticket); + if (ret) { + return ret; + } 
+ + ret = smb_krb5_get_keyinfo_from_ap_req(context, inbuf, &kvno, &enctype); + if (ret) { + return ret; + } + + ret = get_key_from_keytab(context, + keytab, + server, + enctype, + kvno, + &local_keyblock); + if (ret) { + DEBUG(0,("krb5_rd_req_return_keyblock_from_keytab: failed to call get_key_from_keytab\n")); + goto out; + } + +out: + if (ap_req) { + smb_krb5_free_ap_req(context, ap_req); + } + + if (ret && local_keyblock != NULL) { + krb5_free_keyblock(context, local_keyblock); + } else { + *keyblock = local_keyblock; + } + + return ret; +} + +krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, + const char *name, + krb5_principal *principal) +{ +#ifdef HAVE_KRB5_PARSE_NAME_NOREALM + return krb5_parse_name_norealm(context, name, principal); +#endif + + /* we are cheating here because parse_name will in fact set the realm. + * We don't care as the only caller of smb_krb5_parse_name_norealm + * ignores the realm anyway when calling + * smb_krb5_principal_compare_any_realm later - Guenther */ + + return krb5_parse_name(context, name, principal); +} + +BOOL smb_krb5_principal_compare_any_realm(krb5_context context, + krb5_const_principal princ1, + krb5_const_principal princ2) +{ +#ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM + + return krb5_principal_compare_any_realm(context, princ1, princ2); + +/* krb5_princ_size is a macro in MIT */ +#elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size) + + int i, len1, len2; + const krb5_data *p1, *p2; + + len1 = krb5_princ_size(context, princ1); + len2 = krb5_princ_size(context, princ2); + + if (len1 != len2) + return False; + + for (i = 0; i < len1; i++) { + + p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i); + p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i); + + if (p1->length != p2->length || memcmp(p1->data, p2->data, p1->length)) + return False; + } + + return True; +#else +#error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION +#endif +} + #else /* 
HAVE_KRB5 */ /* this saves a few linking headaches */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5) + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return 1; -- cgit From aa0dff680d2ea351a0a21cb86a51cd99887237c4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 1 Oct 2005 09:43:53 +0000 Subject: r10671: Attempt to fix the build on machines without kerberos headers. Volker (This used to be commit cb816e65a95802d5172c410d1acda2da070b871d) --- source3/libsmb/clikrb5.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index e3ad5f17cb..df5ad867da 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -642,7 +642,7 @@ failed: #endif } -void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum, + void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum, PAC_SIGNATURE_DATA *sig) { #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM @@ -656,7 +656,7 @@ void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum, #endif } -krb5_error_code smb_krb5_verify_checksum(krb5_context context, + krb5_error_code smb_krb5_verify_checksum(krb5_context context, krb5_keyblock *keyblock, krb5_keyusage usage, krb5_checksum *cksum, @@ -728,7 +728,7 @@ krb5_error_code smb_krb5_verify_checksum(krb5_context context, return ret; } -time_t get_authtime_from_tkt(krb5_ticket *tkt) + time_t get_authtime_from_tkt(krb5_ticket *tkt) { #if defined(HAVE_KRB5_TKT_ENC_PART2) return tkt->enc_part2->times.authtime; @@ -819,7 +819,7 @@ out: return ret; } -void smb_krb5_free_ap_req(krb5_context context, + void smb_krb5_free_ap_req(krb5_context context, krb5_ap_req *ap_req) { #ifdef HAVE_KRB5_FREE_AP_REQ /* MIT */ 
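Review bot: In krb5_rd_req_return_keyblock_from_keytab() `local_keyblock` has no initialiser and get_key_from_keytab() does not assign `*out_key` on its krb5_kt_get_entry() failure path, so the `if (ret && local_keyblock != NULL)` test at `out:` reads an indeterminate pointer and can hand garbage to krb5_free_keyblock(); declare it as `krb5_keyblock *local_keyblock = NULL;`. In get_key_from_keytab() the `goto out` after a failed krb5_copy_keyblock() skips smb_krb5_kt_free_entry(), leaking the entry that krb5_kt_get_entry() filled in; move the free above the `if (ret)` or repeat it in that branch. The later r14218 hunk on this page removes the unused `ap_req` from the same function but keeps the uninitialised-pointer check, so the first point still stands there. smb_krb5_principal_compare_any_realm() would also benefit from a comment that on builds where krb5_princ_component is this file's own shim returning one static krb5_data, `p1` and `p2` alias the same object and the comparison cannot tell differing components apart.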
@@ -836,7 +836,7 @@ void smb_krb5_free_ap_req(krb5_context context, krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep); #endif -krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, + krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, const krb5_data *inbuf, krb5_kvno *kvno, krb5_enctype *enctype) @@ -874,7 +874,7 @@ krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, return ret; } -krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context, + krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context, krb5_auth_context *auth_context, const krb5_data *inbuf, krb5_const_principal server, @@ -930,7 +930,7 @@ out: return ret; } -krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, + krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, const char *name, krb5_principal *principal) { @@ -946,7 +946,7 @@ krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, return krb5_parse_name(context, name, principal); } -BOOL smb_krb5_principal_compare_any_realm(krb5_context context, + BOOL smb_krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) { @@ -983,7 +983,7 @@ BOOL smb_krb5_principal_compare_any_realm(krb5_context context, #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ -int cli_krb5_get_ticket(const char *principal, time_t time_offset, + int cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts) { DEBUG(0,("NO KERBEROS SUPPORT\n")); -- cgit From 879eb0933efedd900aba336024ebfec75407d373 Mon Sep 17 00:00:00 2001 
From: Günther Deschner
Date: Tue, 11 Oct 2005 16:27:05 +0000
Subject: r10907: Handle the case when we can't verify the PAC signature because the ticket was encrypted using a DES key (and the Windows KDC still puts CKSUMTYPE_HMAC_MD5_ARCFOUR in the PAC). In that case, return to old behaviour and ignore the PAC. Thanks to Chengjie Liu . Guenther (This used to be commit 48d8a9dd9f573d0d913a26a62e4ad3d224731343)
---
 source3/libsmb/clikrb5.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'source3/libsmb/clikrb5.c')
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index df5ad867da..e87ec32197 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -689,6 +689,12 @@ failed:
 &input,
 cksum,
 &checksum_valid);
+ if (ret) {
+ DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
+ error_message(ret)));
+ return ret;
+ }
+
 if (!checksum_valid)
 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 }
-- cgit
From f99b429446595944991bd2b3e9f4e6a9dd2c13cb Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Mon, 7 Nov 2005 14:16:50 +0000
Subject: r11551: Add a few more initialize_krb5_error_table (This used to be commit d92c83aa42fe64a0e996094d1a983f0279c7c707)
---
 source3/libsmb/clikrb5.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'source3/libsmb/clikrb5.c')
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index e87ec32197..67e9f539ad 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -542,6 +542,7 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset,
 ENCTYPE_DES_CBC_CRC,
 ENCTYPE_NULL};
 
+ initialize_krb5_error_table();
 retval = krb5_init_context(&context);
 if (retval) {
 DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n",
-- cgit
From 90372e1e9372ccce8e08dbe3d816d8e69b62a4f5 Mon Sep 17 00:00:00 2001
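Review bot: The new early return separates a failed verification call from a bad checksum, but the reason given in the commit message — a DES-encrypted ticket whose PAC carries an HMAC-MD5-ARCFOUR checksum that the library cannot verify with that key — is not visible in the code, and the level-3 DEBUG only prints the error string. Record it at the new `if (ret)`, e.g. `/* The library may be unable to verify this checksum type with the ticket key (DES ticket key vs. HMAC-MD5-ARCFOUR PAC checksum); report the error so the caller ignores the PAC instead of treating it as verified. */`. Callers must treat any non-zero return as "PAC unusable", never as an unverified-but-usable PAC; that handling, like the start and end of smb_krb5_verify_checksum(), lies outside the hunk.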
From: Jeremy Allison Date: Wed, 18 Jan 2006 19:25:18 +0000 Subject: r13012: Fix #3421 - it turns out krb5_kt_get_entry() on MIT does an implicit open/read/close and blows away an open keytab handle - so make sure we use a new handle. Wonderful analysis from Luke helped fix this. Jeremy. (This used to be commit 9d2f2385ad68cbe11bdfb82b5f2d016626f6e679) --- source3/libsmb/clikrb5.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 67e9f539ad..6e87f73df1 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -767,7 +767,6 @@ static krb5_enctype get_enctype_from_ap_req(krb5_ap_req *ap_req) static krb5_error_code get_key_from_keytab(krb5_context context, - krb5_keytab keytab, krb5_const_principal server, krb5_enctype enctype, krb5_kvno kvno, @@ -775,13 +774,18 @@ get_key_from_keytab(krb5_context context, { krb5_keytab_entry entry; krb5_error_code ret; - krb5_keytab real_keytab; + krb5_keytab keytab; char *name = NULL; - if (keytab == NULL) { - krb5_kt_default(context, &real_keytab); - } else { - real_keytab = keytab; + /* We have to open a new keytab handle here, as MIT does + an implicit open/getnext/close on krb5_kt_get_entry. We + may be in the middle of a keytab enumeration when this is + called. JRA. */ + + ret = krb5_kt_default(context, &keytab); + if (ret) { + DEBUG(0,("get_key_from_keytab: failed to open keytab: %s\n", error_message(ret))); + return ret; } if ( DEBUGLEVEL >= 10 ) { @@ -792,7 +796,7 @@ get_key_from_keytab(krb5_context context, } ret = krb5_kt_get_entry(context, - real_keytab, + keytab, server, kvno, enctype, @@ -819,10 +823,7 @@ get_key_from_keytab(krb5_context context, smb_krb5_kt_free_entry(context, &entry); out: - if (keytab == NULL) { - krb5_kt_close(context, real_keytab); - } - + krb5_kt_close(context, keytab); return ret; } 
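Review bot: get_key_from_keytab() now always opens the default keytab, while its caller krb5_rd_req_return_keyblock_from_keytab() (patched in the following hunk) still takes a `keytab` argument that it hands to krb5_rd_req(); when a caller passes a non-default keytab the AP-REQ is verified against one keytab and the returned keyblock is fetched from another, and nothing reports the mismatch. If only the default keytab is meant to be supported, say so at the function head, e.g. `/* Always reads the default keytab: a caller-supplied handle cannot be reused here (see the MIT note below), so callers must not rely on a non-default keytab for the returned key. */`; otherwise resolve a fresh handle to the same keytab name via krb5_kt_get_name()/krb5_kt_resolve() instead of krb5_kt_default(). The new krb5_kt_default() error check is the right shape, but its DEBUG(0) will fire for every AP-REQ on a host without a keytab, which may be a noise concern at that level.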
@@ -913,7 +914,6 @@ krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep); } ret = get_key_from_keytab(context, - keytab, server, enctype, kvno, -- cgit From 8a30b3226d97bd43549971a4708afa79432b6d25 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 18 Jan 2006 22:40:00 +0000 Subject: r13020: Prevent cli_krb5_get_ticket of getting into an infite loop. This whole area of code needs to be reworked later on. Guenther (This used to be commit 088abfcdd1d6b28409d4b2917bc2aeb5d371f675) --- source3/libsmb/clikrb5.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 6e87f73df1..e0dcefeb1d 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -456,6 +456,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, krb5_creds creds; krb5_data in_data; BOOL creds_ready = False; + int i = 0, maxtries = 3; retval = krb5_parse_name(context, principal, &server); if (retval) { @@ -479,7 +480,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, goto cleanup_creds; } - while(!creds_ready) { + while (!creds_ready && (i < maxtries)) { if ((retval = krb5_get_credentials(context, 0, ccache, &creds, &credsp))) { DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n", @@ -497,6 +498,8 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, if (!ads_cleanup_expired_creds(context, ccache, credsp)) creds_ready = True; + + i++; } DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s) is valid until: (%s - %u)\n", -- cgit From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 
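Review bot: When the loop ends because `i` reached `maxtries` with `creds_ready` still False, execution falls through to the DEBUG(10,...) and the code below as though `credsp` held usable credentials, so the bound only turns the hang into use of credentials that ads_cleanup_expired_creds() has just judged expired (and, on non-FILE ccaches, removed). Add a check after the loop, `if (!creds_ready) { retval = KRB5KRB_AP_ERR_TKT_EXPIRED; goto cleanup_creds; }`, using the cleanup label the function already has. As far as the visible lines show, `credsp` from one iteration is not freed before krb5_get_credentials() assigns it again, which the retry loop now repeats up to three times. ads_krb5_mk_req starts and ends outside these hunks.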
From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/libsmb/clikrb5.c | 171 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 159 insertions(+), 12 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index e0dcefeb1d..55a705d7f0 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -409,9 +409,10 @@ static BOOL ads_cleanup_expired_creds(krb5_context context, krb5_creds *credsp) { krb5_error_code retval; + const char *cc_type = krb5_cc_get_type(context, ccache); - DEBUG(3, ("Ticket in ccache[%s] expiration %s\n", - krb5_cc_default_name(context), + DEBUG(3, ("ads_cleanup_expired_creds: Ticket in ccache[%s:%s] expiration %s\n", + cc_type, krb5_cc_get_name(context, ccache), http_timestring(credsp->times.endtime))); /* we will probably need new tickets if the current ones @@ -425,11 +426,11 @@ static BOOL ads_cleanup_expired_creds(krb5_context context, use memory ccaches, and a FILE one probably means that we're using creds obtained outside of our exectuable */ - if (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE") == 0) { - DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a FILE ccache\n")); + if (strequal(cc_type, "KCM") || strequal(cc_type, "FILE")) { + DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a %s ccache\n", cc_type)); return False; } - + retval = krb5_cc_remove_cred(context, ccache, 0, credsp); if (retval) { DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n", 
@@ -467,7 +468,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, /* obtain ticket & session key */ ZERO_STRUCT(creds); if ((retval = krb5_copy_principal(context, server, &creds.server))) { - DEBUG(1,("krb5_copy_principal failed (%s)\n", + DEBUG(1,("ads_krb5_mk_req: krb5_copy_principal failed (%s)\n", error_message(retval))); goto cleanup_princ; } @@ -502,8 +503,8 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, i++; } - DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s) is valid until: (%s - %u)\n", - principal, krb5_cc_default_name(context), + DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s:%s) is valid until: (%s - %u)\n", + principal, krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache), http_timestring((unsigned)credsp->times.endtime), (unsigned)credsp->times.endtime)); @@ -530,7 +531,8 @@ cleanup_princ: get a kerberos5 ticket for the given service */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts) + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, + uint32 extra_ap_opts, const char *ccname) { krb5_error_code retval; krb5_data packet; @@ -544,7 +546,7 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC, ENCTYPE_NULL}; - + initialize_krb5_error_table(); retval = krb5_init_context(&context); if (retval) { @@ -557,7 +559,8 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, krb5_set_real_time(context, time(NULL) + time_offset, 0); } - if ((retval = krb5_cc_default(context, &ccdef))) { + if ((retval = krb5_cc_resolve(context, ccname ? + ccname : krb5_cc_default_name(context), &ccdef))) { DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n", error_message(retval))); goto failed; 
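Review bot: The error path after the new `krb5_cc_resolve(context, ccname ? ccname : krb5_cc_default_name(context), &ccdef)` still logs `krb5_cc_default failed`, which will mislead anyone debugging a bad caller-supplied `ccname`; name the call and the cache instead, e.g. `DEBUG(1,("cli_krb5_get_ticket: krb5_cc_resolve(%s) failed (%s)\n", ccname ? ccname : krb5_cc_default_name(context), error_message(retval)));`. Since `ccname` now comes from the caller, a note at the parameter, `/* NULL selects the default ccache */`, documents the fallback. cli_krb5_get_ticket starts in the `@@ -530` hunk and ends outside these hunks.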
@@ -989,12 +992,156 @@ out: #else #error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION #endif +} + + krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, /* FILE:/tmp/krb5cc_0 */ + const char *client_string, /* gd@BER.SUSE.DE */ + const char *service_string, /* krbtgt/BER.SUSE.DE@BER.SUSE.DE */ + time_t *new_start_time) +{ + krb5_error_code ret; + krb5_context context = NULL; + krb5_ccache ccache = NULL; + krb5_principal client = NULL; + + initialize_krb5_error_table(); + ret = krb5_init_context(&context); + if (ret) { + goto done; + } + + if (!ccache_string) { + ccache_string = krb5_cc_default_name(context); + } + + DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string)); + + /* FIXME: we should not fall back to defaults */ + ret = krb5_cc_resolve(context, CONST_DISCARD(char *, ccache_string), &ccache); + if (ret) { + goto done; + } + +#ifdef HAVE_KRB5_GET_RENEWED_CREDS /* MIT */ + { + krb5_creds creds; + + if (client_string) { + ret = krb5_parse_name(context, client_string, &client); + if (ret) { + goto done; + } + } else { + ret = krb5_cc_get_principal(context, ccache, &client); + if (ret) { + goto done; + } + } + + ret = krb5_get_renewed_creds(context, &creds, client, ccache, CONST_DISCARD(char *, service_string)); + if (ret) { + DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); + goto done; + } + + /* hm, doesn't that create a new one if the old one wasn't there? 
- Guenther */ + ret = krb5_cc_initialize(context, ccache, client); + if (ret) { + goto done; + } + + ret = krb5_cc_store_cred(context, ccache, &creds); + + if (new_start_time) { + *new_start_time = (time_t) creds.times.renew_till; + } + + krb5_free_cred_contents(context, &creds); + } +#elif defined(HAVE_KRB5_GET_KDC_CRED) /* Heimdal */ + { + krb5_kdc_flags flags; + krb5_creds creds_in; + krb5_realm *client_realm; + krb5_creds *creds; + + memset(&creds_in, 0, sizeof(creds_in)); + + if (client_string) { + ret = krb5_parse_name(context, client_string, &creds_in.client); + if (ret) { + goto done; + } + } else { + ret = krb5_cc_get_principal(context, ccache, &creds_in.client); + if (ret) { + goto done; + } + } + + if (service_string) { + ret = krb5_parse_name(context, service_string, &creds_in.server); + if (ret) { + goto done; + } + } else { + /* build tgt service by default */ + client_realm = krb5_princ_realm(context, client); + ret = krb5_make_principal(context, &creds_in.server, *client_realm, KRB5_TGS_NAME, *client_realm, NULL); + if (ret) { + goto done; + } + } + + flags.i = 0; + flags.b.renewable = flags.b.renew = True; + + ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &creds_in, &creds); + if (ret) { + DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); + goto done; + } + + /* hm, doesn't that create a new one if the old one wasn't there? 
- Guenther */ + ret = krb5_cc_initialize(context, ccache, creds_in.client); + if (ret) { + goto done; + } + + ret = krb5_cc_store_cred(context, ccache, creds); + + if (new_start_time) { + *new_start_time = (time_t) creds->times.renew_till; + } + + krb5_free_cred_contents(context, &creds_in); + krb5_free_creds(context, creds); + } +#else +#error No suitable krb5 ticket renew function available +#endif + + +done: + if (client) { + krb5_free_principal(context, client); + } + if (context) { + krb5_free_context(context); + } + if (ccache) { + krb5_cc_close(context, ccache); + } + + return ret; + } #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts) + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, + const char *ccname) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return 1; -- cgit From 6c3519d0af8fa14eb8dce4bd7afa0dcff6c9ddfc Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 11 Mar 2006 23:10:31 +0000 Subject: r14218: Fix Coverity Bug # 2 (This used to be commit 26377b63a3a3d2d5ed23bdbb5f22b70ec7d3fcad) --- source3/libsmb/clikrb5.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 55a705d7f0..da3ef6a0e4 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -898,7 +898,6 @@ krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep); krb5_keyblock **keyblock) { krb5_error_code ret; - krb5_ap_req *ap_req = NULL; krb5_kvno kvno; krb5_enctype enctype; krb5_keyblock *local_keyblock; @@ -930,10 +929,6 @@ krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep); } out: - if (ap_req) { - smb_krb5_free_ap_req(context, ap_req); - } - if (ret && local_keyblock != NULL) { krb5_free_keyblock(context, local_keyblock); } else { -- cgit 
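Review bot: The cleanup at `done:` frees the krb5 context before closing the ccache — `krb5_free_context(context);` runs and then `krb5_cc_close(context, ccache);` is called with the freed context; swap the two so that `if (ccache) { krb5_cc_close(context, ccache); }` precedes `if (context) { krb5_free_context(context); }`. In the Heimdal branch `client_realm = krb5_princ_realm(context, client)` uses `client`, which that branch never assigns (the parsed name goes into `creds_in.client`), so the default-TGT path dereferences NULL; it should be `krb5_princ_realm(context, creds_in.client)`. In both branches the return value of krb5_cc_store_cred() is discarded before `*new_start_time` is set, and krb5_cc_initialize() replaces the whole cache — the existing `/* hm, doesn't that ... */` comments already question this, so the decision should be recorded there. smb_krb5_renew_ticket is fully inside the hunk; the `#else` stub that follows only gains a parameter.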
From a17d276fa0164cd3f13c85a0ae02cc2a504d394d Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 17 Mar 2006 10:22:13 +0000 Subject: r14506: Remove remaining references to a KCM credential cache type. Guenther (This used to be commit aae8f8ae7a79d06c74151186f3c2470bdec5687d) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index da3ef6a0e4..4943f67b77 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -426,7 +426,7 @@ static BOOL ads_cleanup_expired_creds(krb5_context context, use memory ccaches, and a FILE one probably means that we're using creds obtained outside of our exectuable */ - if (strequal(cc_type, "KCM") || strequal(cc_type, "FILE")) { + if (strequal(cc_type, "FILE")) { DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a %s ccache\n", cc_type)); return False; } -- cgit From b68b05854ff5a7e75953462eba74f97753428ef1 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 24 Apr 2006 15:57:54 +0000 Subject: r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name, smb_krb5_parse_name_norealm_conv that pull/push from unix charset to utf8 (which krb5 uses on the wire). This should fix issues when the unix charset is not compatible with or set to utf8. Jeremy. (This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199) --- source3/libsmb/clikrb5.c | 93 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 83 insertions(+), 10 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 4943f67b77..1f43b91e38 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -38,6 +38,78 @@ #define KRB5_KEY_DATA(k) ((k)->contents) #endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ +/************************************************************** + Wrappers around kerberos string functions that convert from + utf8 -> unix charset and vica versa. +**************************************************************/ + +/************************************************************** + krb5_parse_name that takes a UNIX charset. +**************************************************************/ + +krb5_error_code smb_krb5_parse_name(krb5_context context, + const char *name, /* in unix charset */ + krb5_principal *principal) +{ + krb5_error_code ret; + char *utf8_name; + + if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) { + return ENOMEM; + } + + ret = krb5_parse_name(context, utf8_name, principal); + SAFE_FREE(utf8_name); + return ret; +} + +#ifdef HAVE_KRB5_PARSE_NAME_NOREALM +/************************************************************** + krb5_parse_name_norealm that takes a UNIX charset. +**************************************************************/ + +static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, + const char *name, /* in unix charset */ + krb5_principal *principal) +{ + krb5_error_code ret; + char *utf8_name; + + if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) { + return ENOMEM; + } + + ret = krb5_parse_name_norealm(context, utf8_name, principal); + SAFE_FREE(utf8_name); + return ret; +} +#endif + +/************************************************************** + krb5_parse_name that returns a UNIX charset name. Must + be freed with normal free() call. 
+**************************************************************/ + +krb5_error_code smb_krb5_unparse_name(krb5_context context, + krb5_const_principal principal, + char **unix_name) +{ + krb5_error_code ret; + char *utf8_name; + + ret = krb5_unparse_name(context, principal, &utf8_name); + if (ret) { + return ret; + } + + if (pull_utf8_allocate(unix_name, utf8_name)==-1) { + krb5_free_unparsed_name(context, utf8_name); + return ENOMEM; + } + krb5_free_unparsed_name(context, utf8_name); + return 0; +} + #ifndef HAVE_KRB5_SET_REAL_TIME /* * This function is not in the Heimdal mainline. @@ -459,7 +531,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, BOOL creds_ready = False; int i = 0, maxtries = 3; - retval = krb5_parse_name(context, principal, &server); + retval = smb_krb5_parse_name(context, principal, &server); if (retval) { DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal)); return retval; @@ -795,10 +867,11 @@ get_key_from_keytab(krb5_context context, } if ( DEBUGLEVEL >= 10 ) { - krb5_unparse_name(context, server, &name); - DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n", - kvno, enctype, name)); - krb5_free_unparsed_name(context, name); + if (smb_krb5_unparse_name(context, server, &name) == 0) { + DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n", + kvno, enctype, name)); + SAFE_FREE(name); + } } ret = krb5_kt_get_entry(context, @@ -943,7 +1016,7 @@ out: krb5_principal *principal) { #ifdef HAVE_KRB5_PARSE_NAME_NOREALM - return krb5_parse_name_norealm(context, name, principal); + return smb_krb5_parse_name_norealm_conv(context, name, principal); #endif /* we are cheating here because parse_name will in fact set the realm. 
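Review bot: smb_krb5_unparse_name tests `pull_utf8_allocate(unix_name, utf8_name)==-1` while smb_krb5_parse_name and smb_krb5_parse_name_norealm_conv in the same hunk compare their push call against `(size_t)-1`; if pull_utf8_allocate returns size_t the int comparison still works through the usual conversions, but it trips -Wsign-compare and reads as a different contract, so `if (pull_utf8_allocate(unix_name, utf8_name) == (size_t)-1) {` keeps the three wrappers consistent. All three also report a failed charset conversion as ENOMEM, which a caller cannot distinguish from a real allocation failure; a short comment on each, e.g. `/* conversion failure is reported as ENOMEM; callers only learn "name not usable" */`, or a distinct error code, would make that visible. Since the converted string is what krb5_parse_name turns into the principal that gets authenticated, callers should presumably treat an error here as fatal rather than retry with the unconverted name — worth stating in the header comment.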
@@ -951,7 +1024,7 @@ out: * ignores the realm anyway when calling * smb_krb5_principal_compare_any_realm later - Guenther */ - return krb5_parse_name(context, name, principal); + return smb_krb5_parse_name(context, name, principal); } BOOL smb_krb5_principal_compare_any_realm(krb5_context context, @@ -1022,7 +1095,7 @@ out: krb5_creds creds; if (client_string) { - ret = krb5_parse_name(context, client_string, &client); + ret = smb_krb5_parse_name(context, client_string, &client); if (ret) { goto done; } @@ -1063,7 +1136,7 @@ out: memset(&creds_in, 0, sizeof(creds_in)); if (client_string) { - ret = krb5_parse_name(context, client_string, &creds_in.client); + ret = smb_krb5_parse_name(context, client_string, &creds_in.client); if (ret) { goto done; } @@ -1075,7 +1148,7 @@ out: } if (service_string) { - ret = krb5_parse_name(context, service_string, &creds_in.server); + ret = smb_krb5_parse_name(context, service_string, &creds_in.server); if (ret) { goto done; } -- cgit From ba52fd71dc6b4dcf42a0c2de5b2f1e1e316b1da4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 24 Apr 2006 16:29:55 +0000 Subject: r15216: Fix the build for machines without krb5. Oops, sorry. Jeremy. (This used to be commit bea87e2df45c67cc75d91bd3ed1acc4c64a1c8ea) --- source3/libsmb/clikrb5.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 1f43b91e38..d3da25760b 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -47,7 +47,7 @@ krb5_parse_name that takes a UNIX charset. **************************************************************/ -krb5_error_code smb_krb5_parse_name(krb5_context context, + krb5_error_code smb_krb5_parse_name(krb5_context context, const char *name, /* in unix charset */ krb5_principal *principal) { 
@@ -90,7 +90,7 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, be freed with normal free() call. **************************************************************/ -krb5_error_code smb_krb5_unparse_name(krb5_context context, + krb5_error_code smb_krb5_unparse_name(krb5_context context, krb5_const_principal principal, char **unix_name) { -- cgit From 351e749246a278b60a7e18c1eeafdc8ec70efea2 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 25 Apr 2006 12:24:25 +0000 Subject: r15240: Correctly disallow unauthorized access when logging on with the kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176) --- source3/libsmb/clikrb5.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index d3da25760b..40ffec6f53 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -1205,6 +1205,104 @@ done: } + krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr) +{ + krb5_error_code ret = 0; +#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ + krb5_free_addresses(context, addr->addrs); +#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */ + ret = krb5_free_addresses(context, addr->addrs); + SAFE_FREE(addr->addrs); +#endif + SAFE_FREE(addr); + addr = NULL; + return ret; +} + + krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr) +{ + krb5_error_code ret = 0; + nstring buf; +#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ + krb5_address **addrs = NULL; +#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */ + krb5_addresses *addrs = NULL; +#endif + + *kerb_addr = (smb_krb5_addresses *)SMB_MALLOC(sizeof(smb_krb5_addresses)); + if (*kerb_addr == NULL) { + return ENOMEM; + } + + put_name(buf, global_myname(), ' ', 0x20); + +#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ + { + int num_addr = 2; + + addrs = (krb5_address **)SMB_MALLOC(sizeof(krb5_address *) * num_addr); + if (addrs == NULL) { + return ENOMEM; + } + + memset(addrs, 0, sizeof(krb5_address *) * num_addr); + + addrs[0] = (krb5_address *)SMB_MALLOC(sizeof(krb5_address)); + if (addrs[0] == NULL) { + SAFE_FREE(addrs); + return ENOMEM; + } + + addrs[0]->magic = KV5M_ADDRESS; + addrs[0]->addrtype = KRB5_ADDR_NETBIOS; + addrs[0]->length = MAX_NETBIOSNAME_LEN; + addrs[0]->contents = (unsigned char *)SMB_MALLOC(addrs[0]->length); + if (addrs[0]->contents == NULL) { + SAFE_FREE(addrs[0]); + SAFE_FREE(addrs); + return ENOMEM; + } + + memcpy(addrs[0]->contents, buf, addrs[0]->length); + + addrs[1] = NULL; + } +#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */ + { + addrs = (krb5_addresses *)SMB_MALLOC(sizeof(krb5_addresses)); + if (addrs == NULL) { + return ENOMEM; + } + + 
memset(addrs, 0, sizeof(krb5_addresses)); + + addrs->len = 1; + addrs->val = (krb5_address *)SMB_MALLOC(sizeof(krb5_address)); + if (addrs->val == NULL) { + SAFE_FREE(addrs); + return ENOMEM; + } + + addrs->val[0].addr_type = KRB5_ADDR_NETBIOS; + addrs->val[0].address.length = MAX_NETBIOSNAME_LEN; + addrs->val[0].address.data = (unsigned char *)SMB_MALLOC(addrs->val[0].address.length); + if (addrs->val[0].address.data == NULL) { + SAFE_FREE(addrs->val); + SAFE_FREE(addrs); + return ENOMEM; + } + + memcpy(addrs->val[0].address.data, buf, addrs->val[0].address.length); + } +#else +#error UNKNOWN_KRB5_ADDRESS_FORMAT +#endif + (*kerb_addr)->addrs = addrs; + + return ret; +} + + #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, -- cgit From 6f5effa730dde49ec30e03e3bc403990affe9f03 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 25 Apr 2006 12:53:38 +0000 Subject: r15243: Sorry for the breakage: * Fix the build without kerberos headers * Fix memleak in the krb5_address handling Guenther (This used to be commit 10e42117559d4bc6a34e41a94914bf6c65c3477f) --- source3/libsmb/clikrb5.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 40ffec6f53..e0d6b09d97 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -1208,6 +1208,9 @@ done: krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr) { krb5_error_code ret = 0; + if (addr == NULL) { + return ret; + } #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ krb5_free_addresses(context, addr->addrs); #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */ @@ -1242,6 +1245,7 @@ done: addrs = (krb5_address **)SMB_MALLOC(sizeof(krb5_address *) * num_addr); if (addrs == NULL) { + SAFE_FREE(kerb_addr); return ENOMEM; } 
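Review bot: Both branches of smb_krb5_gen_netbios_krb5_address copy MAX_NETBIOSNAME_LEN bytes out of `nstring buf` (`memcpy(addrs[0]->contents, buf, addrs[0]->length)` and the Heimdal memcpy below it), so the copy length is tied to the length field rather than to the buffer; if nstring is exactly MAX_NETBIOSNAME_LEN bytes, as it appears to be, this is fine, but deriving both from the buffer (`addrs[0]->length = sizeof(buf);` and likewise `addrs->val[0].address.length = sizeof(buf);`) removes the implicit coupling. The address being added is a self-asserted NetBIOS name that the KDC compares against the account's workstation list, and nothing on the client side authenticates it; a comment such as `/* self-asserted: the KDC enforces the workstation restriction, this code cannot */` above put_name() would keep future readers from mistaking it for a client-side check. Also, `addr = NULL;` at the end of smb_krb5_free_addresses assigns a by-value parameter after SAFE_FREE already nulled it and is dead.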
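Review bot: The new cleanup line frees the wrong object: `kerb_addr` is the `smb_krb5_addresses **` out-parameter, so `SAFE_FREE(kerb_addr)` passes the address of the caller's variable to free() and leaves the `*kerb_addr` block allocated at the top of the function leaked — undefined behaviour rather than the intended leak fix. Each of the six failure paths (this hunk and the -1250, -1260, -1271, -1280 and -1289 hunks that follow) should read `SAFE_FREE(*kerb_addr);` instead, which, since SAFE_FREE nulls its argument, also leaves the caller holding NULL on error. The enclosing function smb_krb5_gen_netbios_krb5_address starts before each of these hunks.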
@@ -1250,6 +1254,7 @@ done: addrs[0] = (krb5_address *)SMB_MALLOC(sizeof(krb5_address)); if (addrs[0] == NULL) { SAFE_FREE(addrs); + SAFE_FREE(kerb_addr); return ENOMEM; } @@ -1260,6 +1265,7 @@ done: if (addrs[0]->contents == NULL) { SAFE_FREE(addrs[0]); SAFE_FREE(addrs); + SAFE_FREE(kerb_addr); return ENOMEM; } @@ -1271,6 +1277,7 @@ done: { addrs = (krb5_addresses *)SMB_MALLOC(sizeof(krb5_addresses)); if (addrs == NULL) { + SAFE_FREE(kerb_addr); return ENOMEM; } @@ -1280,6 +1287,7 @@ done: addrs->val = (krb5_address *)SMB_MALLOC(sizeof(krb5_address)); if (addrs->val == NULL) { SAFE_FREE(addrs); + SAFE_FREE(kerb_addr); return ENOMEM; } @@ -1289,6 +1297,7 @@ done: if (addrs->val[0].address.data == NULL) { SAFE_FREE(addrs->val); SAFE_FREE(addrs); + SAFE_FREE(kerb_addr); return ENOMEM; } -- cgit From e030a9e9dcda36edee475aa9fd8772f9f74b3552 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 15 Jun 2006 21:25:57 +0000 Subject: r16268: Add TCP fallback for our implementation of the CHANGEPW kpasswd calls. This patch is mainly based on the work of Todd Stecher and has been reviewed by Jeremy. I sucessfully tested and valgrinded it with MIT 1.4.3, 1.3.5, Heimdal 0.7.2 and 0.6.1rc3. Guenther (This used to be commit 535d03cbe8b021e9aa6d74b62d81b867c494c957) --- source3/libsmb/clikrb5.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 58 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index e0d6b09d97..f1815b3e8f 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -1310,7 +1310,64 @@ done: return ret; } - + +void smb_krb5_free_error(krb5_context context, krb5_error *krberror) +{ +#ifdef HAVE_KRB5_FREE_ERROR_CONTENTS /* Heimdal */ + krb5_free_error_contents(context, krberror); +#else /* MIT */ + krb5_free_error(context, krberror); +#endif +} + +krb5_error_code handle_krberror_packet(krb5_context context, + krb5_data *packet) +{ + krb5_error_code ret; + BOOL got_error_code = False; + + DEBUG(10,("handle_krberror_packet: got error packet\n")); + +#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR /* Heimdal */ + { + krb5_error krberror; + + if ((ret = krb5_rd_error(context, packet, &krberror))) { + DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n", + error_message(ret))); + return ret; + } + + if (krberror.e_data == NULL || krberror.e_data->data == NULL) { + ret = (krb5_error_code) krberror.error_code; + got_error_code = True; + } + + smb_krb5_free_error(context, &krberror); + } +#else /* MIT */ + { + krb5_error *krberror; + + if ((ret = krb5_rd_error(context, packet, &krberror))) { + DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n", + error_message(ret))); + return ret; + } + + if (krberror->e_data.data == NULL) { + ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; + got_error_code = True; + } + smb_krb5_free_error(context, krberror); + } +#endif + if (got_error_code) { + DEBUG(5,("handle_krberror_packet: got KERBERR from kpasswd: %s (%d)\n", + error_message(ret), ret)); + } + return ret; +} #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ -- cgit From 9e7377e81f61b2a3e4b8ff4cc5cd926e25ddacf3 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 15 Jun 2006 21:45:10 +0000 Subject: r16269: Fix the build. Guenther (This used to be commit 546710d58c07acdaa175caa48cec4d3f2bc657ad) --- source3/libsmb/clikrb5.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') 
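Review bot: handle_krberror_packet returns 0 for a KRB-ERROR that carries e_data: in both the Heimdal and MIT blocks `ret` is assigned from the error code only when e_data is absent, and otherwise keeps the 0 that krb5_rd_error returned on success, so a caller that keys on a non-zero return (the kpasswd path, per the commit message) would treat an error reply with e_data as a successful exchange. Unless the callers parse the packet themselves — not visible here — the code should be captured unconditionally and `got_error_code` used only to decide the DEBUG, e.g. in the Heimdal block `ret = (krb5_error_code) krberror.error_code; got_error_code = (krberror.e_data == NULL || krberror.e_data->data == NULL);` with the matching change in the MIT block; if the zero return is intentional because the caller goes on to parse e_data, a comment saying so would prevent the misreading. The Heimdal block also passes the raw `error_code` to error_message() while the MIT block first adds ERROR_TABLE_BASE_krb5; if Heimdal's krb5_error.error_code is the wire value this prints the wrong message, so please confirm.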
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index f1815b3e8f..abb3843bac 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -1311,7 +1311,7 @@ done: return ret; } -void smb_krb5_free_error(krb5_context context, krb5_error *krberror) + void smb_krb5_free_error(krb5_context context, krb5_error *krberror) { #ifdef HAVE_KRB5_FREE_ERROR_CONTENTS /* Heimdal */ krb5_free_error_contents(context, krberror); @@ -1320,8 +1320,8 @@ void smb_krb5_free_error(krb5_context context, krb5_error *krberror) #endif } -krb5_error_code handle_krberror_packet(krb5_context context, - krb5_data *packet) + krb5_error_code handle_krberror_packet(krb5_context context, + krb5_data *packet) { krb5_error_code ret; BOOL got_error_code = False; -- cgit From fbdcf2663b56007a438ac4f0d8d82436b1bfe688 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 11 Jul 2006 18:01:26 +0000 Subject: r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index abb3843bac..d40fc31dc4 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -112,7 +112,7 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, #ifndef HAVE_KRB5_SET_REAL_TIME /* - * This function is not in the Heimdal mainline. + * Thir function is not in the Heimdal mainline. */ krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds) { -- cgit From 6dfccad5645ef0b459d5904ce48550f72acf8d37 Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Tue, 11 Jul 2006 21:23:44 +0000 Subject: r16960: Some warnings from host "opi" (This used to be commit 083ef11cc9be8f1299f233bde194173e092e2c3c) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index d40fc31dc4..f0169eb91e 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -682,7 +682,7 @@ failed: else err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey); if (err == 0 && skey != NULL) { - DEBUG(10, ("Got KRB5 session key of length %d\n", KRB5_KEY_LENGTH(skey))); + DEBUG(10, ("Got KRB5 session key of length %d\n", (int)KRB5_KEY_LENGTH(skey))); *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); -- cgit From bd8556c8dd5664067d4113f30e20ab2e3a11fc3b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 20 Jul 2006 20:23:04 +0000 Subject: r17162: Fix typo small typos noticed by Paul Green. (This used to be commit 1a5874588686fb4ece9be70059ff75b975ed2bd5) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index f0169eb91e..fc9dd690b3 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -112,7 +112,7 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, #ifndef HAVE_KRB5_SET_REAL_TIME /* - * Thir function is not in the Heimdal mainline. + * This function is not in the Heimdal mainline. */ krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds) { -- cgit From bbefb74bca851ebdc9679d9c95494236b66ebccf Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Wed, 11 Oct 2006 09:15:11 +0000 Subject: r19237: fix typo metze (This used to be commit d91041d4b6973fd9779d355cd6f9634e207b7653) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index fc9dd690b3..44713784f4 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -956,7 +956,7 @@ krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep); smb_krb5_free_ap_req(context, ap_req); } #else -#error UNKOWN_KRB5_AP_REQ_DECODING_FUNCTION +#error UNKNOWN_KRB5_AP_REQ_DECODING_FUNCTION #endif return ret; } -- cgit From 876be25055e0cc6f2c18ddfc377151b2ca68a54f Mon Sep 17 00:00:00 2001 From: James Peach Date: Fri, 13 Oct 2006 23:43:27 +0000 Subject: r19270: Stop depending on internal MIT symbols. These are private on MacOS x, so we can't get at them even if we wanted to. Kerberos experts, please take a look to make sure I've done the right thing! (This used to be commit 9b8e179fcc1fb877e8601bfd242ee1fd615b554c) --- source3/libsmb/clikrb5.c | 103 ++++++++++++++++++++++++++--------------------- 1 file changed, 56 insertions(+), 47 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 44713784f4..2415b28160 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -130,12 +130,34 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, } #endif -#if defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) && !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES) +#if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES) + +#if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES) + +/* With MIT kerberos, we should use krb5_set_default_tgs_enctypes in preference + * to krb5_set_default_tgs_ktypes. See + * http://lists.samba.org/archive/samba-technical/2006-July/048271.html + * + * If the MIT libraries are not exporting internal symbols, we will end up in + * this branch, which is correct. Otherwise we will continue to use the + * internal symbol + */ + krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc) +{ + return krb5_set_default_tgs_enctypes(ctx, enc); +} + +#elif defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) + +/* Heimdal */ krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc) { return krb5_set_default_in_tkt_etypes(ctx, enc); } -#endif + +#endif /* HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES */ + +#endif /* HAVE_KRB5_SET_DEFAULT_TGS_KTYPES */ #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* HEIMDAL */ @@ -239,18 +261,6 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, #error UNKNOWN_GET_ENCTYPES_FUNCTIONS #endif - void free_kerberos_etypes(krb5_context context, - krb5_enctype *enctypes) -{ -#if defined(HAVE_KRB5_FREE_KTYPES) - krb5_free_ktypes(context, enctypes); - return; -#else - SAFE_FREE(enctypes); - return; -#endif -} - #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, 
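Review bot: The new `#if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)` block defines krb5_set_default_tgs_ktypes only when one of HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES or HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES is set and has no `#else`, so a library that exports none of the three leaves the symbol undefined and the failure surfaces as a link error in cli_krb5_get_ticket instead of a diagnostic here. An `#else` / `#error` arm before the closing `#endif /* HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES */` would match the pattern the file already uses for the other shims (`#error UNKNOWN_GET_ENCTYPES_FUNCTIONS` in the -239 hunk). The comment on the MIT branch could also say explicitly that this wrapper is what lets cli_krb5_get_ticket override the enctype preferences from krb5.conf, since that is the behaviour later commits argue about.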
@@ -373,6 +383,14 @@ BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_ } #if !defined(HAVE_KRB5_LOCATE_KDC) + +/* krb5_locate_kdc is an internal MIT symbol. MIT are not yet willing to commit + * to a public interface for this functionality, so we have to be able to live + * without it if the MIT libraries are hiding their internal symbols. + */ + +#if defined(KRB5_KRBHST_INIT) +/* Heimdal */ krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters) { krb5_krbhst_handle hnd; @@ -431,7 +449,19 @@ BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_ *addr_pp = sa; return 0; } -#endif + +#else /* ! defined(KRB5_KRBHST_INIT) */ + + krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, + struct sockaddr **addr_pp, int *naddrs, int get_masters) +{ + DEBUG(0, ("unable to explicitly locate the KDC on this platform\n")); + return KRB5_KDC_UNREACH; +} + +#endif /* KRB5_KRBHST_INIT */ + +#endif /* HAVE_KRB5_LOCATE_KDC */ #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME) void krb5_free_unparsed_name(krb5_context context, char *val) @@ -906,31 +936,16 @@ out: return ret; } - void smb_krb5_free_ap_req(krb5_context context, - krb5_ap_req *ap_req) -{ -#ifdef HAVE_KRB5_FREE_AP_REQ /* MIT */ - krb5_free_ap_req(context, ap_req); -#elif defined(HAVE_FREE_AP_REQ) /* Heimdal */ - free_AP_REQ(ap_req); -#else -#error UNKNOWN_KRB5_AP_REQ_FREE_FUNCTION -#endif -} - /* Prototypes */ -#if defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */ -krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep); -#endif krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, const krb5_data *inbuf, krb5_kvno *kvno, krb5_enctype *enctype) { - krb5_error_code ret; #ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */ { + krb5_error_code ret; krb5_ap_req ap_req; ret = krb5_decode_ap_req(context, inbuf, &ap_req); 
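Review bot: The fallback krb5_locate_kdc in the -431 hunk returns KRB5_KDC_UNREACH without touching its out-parameters, so `*addr_pp` and `*naddrs` keep whatever the caller had in them; the Heimdal implementation above it stores `*addr_pp = sa` only on success, and a caller that frees `*addr_pp` on every path or reads `*naddrs` after an error would act on an uninitialised value. Setting `*addr_pp = NULL; *naddrs = 0;` before the DEBUG costs nothing and makes the stub safe regardless of how callers clean up. Whether any caller does that is outside this hunk.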
@@ -941,24 +956,13 @@ krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep); *enctype = get_enctype_from_ap_req(&ap_req); smb_krb5_free_ap_req(context, &ap_req); + free_AP_REQ(ap_req); + return 0; } -#elif defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */ - { - krb5_ap_req *ap_req = NULL; - - ret = decode_krb5_ap_req(inbuf, &ap_req); - if (ret) - return ret; - - *kvno = get_kvno_from_ap_req(ap_req); - *enctype = get_enctype_from_ap_req(ap_req); - - smb_krb5_free_ap_req(context, ap_req); - } -#else -#error UNKNOWN_KRB5_AP_REQ_DECODING_FUNCTION #endif - return ret; + + /* Possibly not an appropriate error code. */ + return KRB5KDC_ERR_BADOPTION; } krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context, @@ -986,10 +990,15 @@ krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep); return ret; } +#ifdef KRB5_TICKET_HAS_KEYINFO + enctype = (*ticket)->enc_part.enctype; + kvno = (*ticket)->enc_part.kvno; +#else ret = smb_krb5_get_keyinfo_from_ap_req(context, inbuf, &kvno, &enctype); if (ret) { return ret; } +#endif ret = get_key_from_keytab(context, server, -- cgit From 6ec00affb66cdbffb29d50c67379a5155beb6a9e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 15 Oct 2006 15:14:04 +0000 Subject: r19291: this should fix the build on heimdal systems metze (This used to be commit 785ab128c4d630819f141ede8bcf5fc0c705aebb) --- source3/libsmb/clikrb5.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 2415b28160..a40d684d2c 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -955,7 +955,6 @@ out: *kvno = get_kvno_from_ap_req(&ap_req); *enctype = get_enctype_from_ap_req(&ap_req); - smb_krb5_free_ap_req(context, &ap_req); free_AP_REQ(ap_req); return 0; } -- cgit From 74bb9cb3bd71e3e8c8fbe5bd9905e475ed288dd1 Mon Sep 17 00:00:00 2001 
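Review bot: After the -941 hunk smb_krb5_get_keyinfo_from_ap_req has only a Heimdal implementation, so on MIT builds without KRB5_TICKET_HAS_KEYINFO (the `#else` arm of the -986 hunk) every call returns KRB5KDC_ERR_BADOPTION and krb5_rd_req_return_keyblock_from_keytab can never reach get_key_from_keytab; that combination fails at runtime with a misleading KDC error instead of at build time. If that configuration is not meant to be supported, a `#if !defined(HAVE_KRB5_DECODE_AP_REQ) && !defined(KRB5_TICKET_HAS_KEYINFO)` / `#error` next to the function would say so; otherwise the trailing `/* Possibly not an appropriate error code. */` should explain that this return means "no AP-REQ decoder available in this build", since a caller seeing KRB5KDC_ERR_BADOPTION will suspect the request rather than the build. The function begins in the -906 hunk on the previous line.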
From: Stefan Metzmacher Date: Tue, 17 Oct 2006 15:57:00 +0000 Subject: r19374: fix the build with heimdal metze (This used to be commit a813c7595541e31dfa77915d80235de4402bfeca) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index a40d684d2c..02897265e2 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -955,7 +955,7 @@ out: *kvno = get_kvno_from_ap_req(&ap_req); *enctype = get_enctype_from_ap_req(&ap_req); - free_AP_REQ(ap_req); + free_AP_REQ(&ap_req); return 0; } #endif -- cgit From a2dfdfbf86e51273713f2082ce92831f7fcec455 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 19 Oct 2006 21:47:11 +0000 Subject: r19416: Fix some c++ warnings. Guenther (This used to be commit b076c39b6ac87a078feae30a4384c881c46e81ac) --- source3/libsmb/clikrb5.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 02897265e2..14b5285e45 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -216,7 +216,7 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, return ret; } - ret = krb5_string_to_key_salt(context, enctype, password->data, salt, key); + ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key); krb5_free_salt(context, salt); return ret; } @@ -735,7 +735,7 @@ failed: static krb5_data kdata; kdata.data = (char *)krb5_principal_get_comp_string(context, principal, i); - kdata.length = strlen(kdata.data); + kdata.length = strlen((const char *)kdata.data); return &kdata; } #endif -- cgit From e6467907eda25a7aea3b8fa75754ab6b6e06272a Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Tue, 28 Nov 2006 21:11:20 +0000 Subject: r19939: ,fix compile warning about unused functions when not using heimdal (This used to be commit f53983079bc285ad8ced8fc4dd40df66fad13718) --- source3/libsmb/clikrb5.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 14b5285e45..4092b4b2b9 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -852,6 +852,7 @@ failed: #endif } +#ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */ static int get_kvno_from_ap_req(krb5_ap_req *ap_req) { #ifdef HAVE_TICKET_POINTER_IN_KRB5_AP_REQ /* MIT */ @@ -872,6 +873,7 @@ static krb5_enctype get_enctype_from_ap_req(krb5_ap_req *ap_req) return ap_req->ticket->enc_part.enctype; #endif } +#endif /* HAVE_KRB5_DECODE_AP_REQ */ static krb5_error_code get_key_from_keytab(krb5_context context, -- cgit From 76cdf68ee9f4982f1b847023818641cf4603dfd1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 29 Dec 2006 09:18:06 +0000 Subject: r20403: Cleaning out my Samba 3.0 tree: As discussed with jerry at the CIFS conf: overriding the administrator's wishes from the krb5.conf has only every given me segfaults. We suggest leaving this up to the defaults from the libraries anyway. Andrew Bartlett (This used to be commit 0b72c04906b1c25e80b217a8f34fd3a8e756b9ca) --- source3/libsmb/clikrb5.c | 42 ------------------------------------------ 1 file changed, 42 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 4092b4b2b9..0df45f1b4d 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -130,35 +130,6 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, } #endif -#if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES) - -#if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES) - -/* With MIT kerberos, we should use krb5_set_default_tgs_enctypes in preference - * to krb5_set_default_tgs_ktypes. See - * http://lists.samba.org/archive/samba-technical/2006-July/048271.html - * - * If the MIT libraries are not exporting internal symbols, we will end up in - * this branch, which is correct. Otherwise we will continue to use the - * internal symbol - */ - krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc) -{ - return krb5_set_default_tgs_enctypes(ctx, enc); -} - -#elif defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) - -/* Heimdal */ - krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc) -{ - return krb5_set_default_in_tkt_etypes(ctx, enc); -} - -#endif /* HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES */ - -#endif /* HAVE_KRB5_SET_DEFAULT_TGS_KTYPES */ - #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* HEIMDAL */ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr) @@ -641,13 +612,6 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, krb5_context context = NULL; krb5_ccache ccdef = NULL; krb5_auth_context auth_context = NULL; - krb5_enctype enc_types[] = { -#ifdef ENCTYPE_ARCFOUR_HMAC - ENCTYPE_ARCFOUR_HMAC, -#endif - ENCTYPE_DES_CBC_MD5, - ENCTYPE_DES_CBC_CRC, - ENCTYPE_NULL}; initialize_krb5_error_table(); retval = krb5_init_context(&context); @@ -668,12 +632,6 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, goto failed; } - if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) { - DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n", - error_message(retval))); - goto failed; - } - if ((retval = ads_krb5_mk_req(context, &auth_context, AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts, -- cgit 
From 594ab518a581f3728c82bdb9cf563e5fa449c0e1 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 29 Jan 2007 21:15:25 +0000 Subject: r21046: Backing out svn r20403 (Andrew's krb5 ticket cleanup as this is causing the WRONG_PASSWORD error in the SetUserInfo() call during net ads join). We are now back to always list RC4-HMAC first if supported by the krb5 libraries. (This used to be commit 4fb57bce87588ac4898588ea4988eadff3a7f435) --- source3/libsmb/clikrb5.c | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 0df45f1b4d..4092b4b2b9 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -130,6 +130,35 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, } #endif +#if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES) + +#if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES) + +/* With MIT kerberos, we should use krb5_set_default_tgs_enctypes in preference + * to krb5_set_default_tgs_ktypes. See + * http://lists.samba.org/archive/samba-technical/2006-July/048271.html + * + * If the MIT libraries are not exporting internal symbols, we will end up in + * this branch, which is correct. Otherwise we will continue to use the + * internal symbol + */ + krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc) +{ + return krb5_set_default_tgs_enctypes(ctx, enc); +} + +#elif defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) + +/* Heimdal */ + krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc) +{ + return krb5_set_default_in_tkt_etypes(ctx, enc); +} + +#endif /* HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES */ + +#endif /* HAVE_KRB5_SET_DEFAULT_TGS_KTYPES */ + #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* HEIMDAL */ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr) 
@@ -612,6 +641,13 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, krb5_context context = NULL; krb5_ccache ccdef = NULL; krb5_auth_context auth_context = NULL; + krb5_enctype enc_types[] = { +#ifdef ENCTYPE_ARCFOUR_HMAC + ENCTYPE_ARCFOUR_HMAC, +#endif + ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES_CBC_CRC, + ENCTYPE_NULL}; initialize_krb5_error_table(); retval = krb5_init_context(&context); @@ -632,6 +668,12 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, goto failed; } + if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) { + DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n", + error_message(retval))); + goto failed; + } + if ((retval = ads_krb5_mk_req(context, &auth_context, AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts, -- cgit From 1898eaddb805e86d0c36bd289e7fa61d7bbd4810 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 1 Feb 2007 15:10:13 +0000 Subject: r21110: Fix kinit with Heimdal (Bug #4226). Guenther (This used to be commit ea38e1f8362d75e7ac058a7c4aa06f1ca92ec108) --- source3/libsmb/clikrb5.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 4092b4b2b9..305139e1f4 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
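Review bot: The `enc_types` array restored at the top of cli_krb5_get_ticket pins the TGS request to RC4-HMAC and the two single-DES types, so a KDC and service that both support stronger enctypes are still negotiated down to these, and nothing in the code records why the list is shaped this way. A comment above the array such as `/* RC4-HMAC must come first: r20403 dropped it and SetUserInfo() failed with WRONG_PASSWORD during net ads join; DES kept only for legacy DCs */` would keep the next cleanup from repeating that regression, and the DES entries deserve a TODO to remove once no supported DC needs them. The call site in the second hunk is fine as written: it fails closed on error and logs the krb5 message.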
@@ -1379,6 +1379,32 @@ done: return ret; } +#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC + krb5_error_code krb5_get_init_creds_opt_alloc(krb5_context context, krb5_get_init_creds_opt **opt) +{ + krb5_get_init_creds_opt *my_opt; + + *opt = NULL; + + if ((my_opt = SMB_MALLOC(sizeof(krb5_get_init_creds_opt))) == NULL) { + return ENOMEM; + } + + krb5_get_init_creds_opt_init(my_opt); + + *opt = my_opt; + return 0; +} +#endif + +#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE + void krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opt) +{ + SAFE_FREE(opt); + opt = NULL; +} +#endif + #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, -- cgit From 69cee2a3ec4f39aab83a8cbf55307df182bf3065 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 8 Feb 2007 17:02:39 +0000 Subject: r21240: Fix longstanding Bug #4009. For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91) --- source3/libsmb/clikrb5.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 305139e1f4..f06a19b345 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
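Review bot: In `krb5_get_init_creds_opt_free`, `opt = NULL;` after `SAFE_FREE(opt)` is a dead store: it assigns the by-value parameter, which no caller can observe, and SAFE_FREE already clears its argument if it follows the usual Samba pattern. The line can simply be dropped; the same two lines are carried forward into the smb_krb5_get_init_creds_opt_free wrapper that r21778 introduces below. Both functions are also defined under the library's own symbol names with external linkage, the same collision hazard as the krb5_set_default_tgs_ktypes wrapper above; the `smb_` prefix r21778 adds, or `static`, avoids it.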
@@ -551,7 +551,8 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, const krb5_flags ap_req_options, const char *principal, krb5_ccache ccache, - krb5_data *outbuf) + krb5_data *outbuf, + time_t *expire_time) { krb5_error_code retval; krb5_principal server; @@ -584,6 +585,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, } while (!creds_ready && (i < maxtries)) { + if ((retval = krb5_get_credentials(context, 0, ccache, &creds, &credsp))) { DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n", @@ -599,8 +601,9 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, krb5_set_real_time(context, t + time_offset + 1, 0); } - if (!ads_cleanup_expired_creds(context, ccache, credsp)) + if (!ads_cleanup_expired_creds(context, ccache, credsp)) { creds_ready = True; + } i++; } @@ -610,6 +613,10 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, http_timestring((unsigned)credsp->times.endtime), (unsigned)credsp->times.endtime)); + if (expire_time) { + *expire_time = (time_t)credsp->times.endtime; + } + in_data.length = 0; retval = krb5_mk_req_extended(context, auth_context, ap_req_options, &in_data, credsp, outbuf); @@ -634,7 +641,9 @@ cleanup_princ: */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, - uint32 extra_ap_opts, const char *ccname) + uint32 extra_ap_opts, const char *ccname, + time_t *tgs_expire) + { krb5_error_code retval; krb5_data packet; @@ -678,7 +687,8 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, &auth_context, AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts, principal, - ccdef, &packet))) { + ccdef, &packet, + tgs_expire))) { goto failed; } 
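Review bot: The new `expire_time` / `tgs_expire` out-parameter is written as soon as credentials are obtained in ads_krb5_mk_req (before krb5_mk_req_extended runs) and is left untouched on the earlier failure paths, but neither function documents that, so a caller that reads it after a failure gets whatever was there before. A comment on cli_krb5_get_ticket such as `/* tgs_expire, if non-NULL, receives the service ticket endtime; unchanged on error */` would pin the contract, or the function could set `*tgs_expire = 0;` on entry the way later hunks on this page initialise other out-parameters. There is also a stray blank line between `time_t *tgs_expire)` and the opening brace of cli_krb5_get_ticket that looks like a paste artefact. The body of ads_krb5_mk_req continues outside the hunk.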
@@ -1409,7 +1419,7 @@ done: /* this saves a few linking headaches */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, - const char *ccname) + const char *ccname, time_t *tgs_expire) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return 1; -- cgit From 3adeb4274250ec4420d9d874b07d8e688a354402 Mon Sep 17 00:00:00 2001 From: James Peach Date: Fri, 9 Mar 2007 18:51:48 +0000 Subject: r21778: Wrap calls to krb5_get_init_creds_opt_free to handle the different calling convention in the latest MIT changes. Apparantly Heimdal is also changing to this calling convention. (This used to be commit c29c69d2df377fabb88a78e6f5237de106d5c2c5) --- source3/libsmb/clikrb5.c | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index f06a19b345..43dfddda47 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -1389,9 +1389,14 @@ done: return ret; } -#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC - krb5_error_code krb5_get_init_creds_opt_alloc(krb5_context context, krb5_get_init_creds_opt **opt) + krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context, + krb5_get_init_creds_opt **opt) { +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC + /* Heimdal or modern MIT version */ + return krb5_get_init_creds_opt_alloc(context, opt); +#else + /* Historical MIT version */ krb5_get_init_creds_opt *my_opt; *opt = NULL; 
@@ -1404,16 +1409,28 @@ done: *opt = my_opt; return 0; +#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC */ } -#endif -#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE - void krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opt) + void smb_krb5_get_init_creds_opt_free(krb5_context context, + krb5_get_init_creds_opt *opt) { +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE + +#ifdef KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT + /* Modern MIT version */ + krb5_get_init_creds_opt_free(context, opt); +#else + /* Heimdal version */ + krb5_get_init_creds_opt_free(opt); +#endif + +#else /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */ + /* Historical MIT version */ SAFE_FREE(opt); opt = NULL; +#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */ } -#endif #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ -- cgit From edccfc91928c323f18febb7b90e41e0ddbfd8c7c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 15 Mar 2007 19:18:18 +0000 Subject: r21845: Refactor the sessionsetupX code a little to allow us to return a NT_STATUS_TIME_DIFFERENCE_AT_DC error to a client when there's clock skew. Will help people debug this. Prepare us for being able to return the correct sessionsetupX "NT_STATUS_MORE_PROCESSING_REQUIRED" error with associated krb5 clock skew error to allow clients to re-sync time with us when we're eventually able to be a KDC. Jeremy. (This used to be commit c426340fc79a6b446033433b8de599130adffe28) --- source3/libsmb/clikrb5.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 43dfddda47..659197214f 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -75,6 +75,7 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, krb5_error_code ret; char *utf8_name; + *principal = NULL; if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) { return ENOMEM; } 
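Review bot: In smb_krb5_get_init_creds_opt_free the branch comments name library vintages (`/* Modern MIT version */`, `/* Heimdal version */`) while the selection is actually made by the KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT probe, so the labels go stale as soon as another library adopts the context-taking signature; r22479 below already has to amend the first one. Describing the calling convention instead, e.g. `/* library's free takes (context, opt) */` and `/* library's free takes (opt) only */`, stays true regardless of vendor. The `opt = NULL;` dead store in the historical branch is carried over from the previous version and can go.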
@@ -97,6 +98,7 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, krb5_error_code ret; char *utf8_name; + *unix_name = NULL; ret = krb5_unparse_name(context, principal, &utf8_name); if (ret) { return ret; @@ -1430,6 +1432,37 @@ done: SAFE_FREE(opt); opt = NULL; #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */ +} + + krb5_error_code smb_krb5_mk_error(krb5_context context, + krb5_error_code error_code, + const krb5_principal server, + krb5_data *reply) +{ +#ifdef HAVE_SHORT_KRB5_MK_ERROR_INTERFACE /* MIT */ + /* + * The MIT interface is *terrible*. + * We have to construct this ourselves... + */ + krb5_error e; + + memset(&e, 0, sizeof(e)); + krb5_us_timeofday(context, &e.stime, &e.susec); + e.server = server; + e.error = error_code - krb5_err_base; + + return krb5_mk_error(context, &e, reply); +#else /* Heimdal. */ + return krb5_mk_error(context, + error_code, + NULL, + NULL, /* e_data */ + NULL, + server, + NULL, + NULL, + reply); +#endif } #else /* HAVE_KRB5 */ -- cgit From ca256664aa4b65902b01ddf83564b7602560bd08 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 15 Mar 2007 20:45:27 +0000 Subject: r21846: Try and fix the Darwin build which seems to have a strange krb5. Jeremy. (This used to be commit 1e32b44bfcf7676b3a9f208054fa853e7066eafc) --- source3/libsmb/clikrb5.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 659197214f..fa93bed63d 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
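Review bot: In the MIT branch of smb_krb5_mk_error, `e.error = error_code - krb5_err_base;` assumes `error_code` is a member of the krb5 com_err table; for any other value (an errno, a code from another error table) the subtraction yields a meaningless protocol error number that is then encoded into the reply, and nothing checks the range. A guard before the subtraction, `if (error_code < krb5_err_base) { return EINVAL; }`, or a comment on the function stating that callers must pass a KRB5KDC_ERR_*/KRB5KRB_ERR_* value, would make the contract explicit. The return value of `krb5_us_timeofday()` is also ignored, leaving `e.stime`/`e.susec` at zero if it fails; `krb5_error_code ret = krb5_us_timeofday(context, &e.stime, &e.susec); if (ret) { return ret; }` costs one line.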
@@ -1449,7 +1449,13 @@ done: memset(&e, 0, sizeof(e)); krb5_us_timeofday(context, &e.stime, &e.susec); e.server = server; +#if defined(krb5_err_base) e.error = error_code - krb5_err_base; +#elif defined(ERROR_TABLE_BASE_krb5) + e.error = error_code - ERROR_TABLE_BASE_krb5; +#else + e.error = error_code; /* Almost certainly wrong, but what can we do... ? */ +#endif return krb5_mk_error(context, &e, reply); #else /* Heimdal. */ -- cgit From 71b8fdff85559213f5b880946cc918777c2389cc Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 28 Mar 2007 19:47:59 +0000 Subject: r22003: Fix from Jiri.Sasek@Sun.COM to wrap our krb5_locate_kdc call as smb_krb5_locate_kdc to prevent incorrect linking and crashes on Solaris. Jeremy. (This used to be commit 7d30737c8d851505e81a60443baf9a8c7e523472) --- source3/libsmb/clikrb5.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index fa93bed63d..7043a26408 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -393,7 +393,7 @@ BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_ #if defined(KRB5_KRBHST_INIT) /* Heimdal */ - krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters) + krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters) { krb5_krbhst_handle hnd; krb5_krbhst_info *hinfo; @@ -407,7 +407,7 @@ BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_ rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd); if (rc) { - DEBUG(0, ("krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc))); + DEBUG(0, ("smb_krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc))); return rc; } 
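Review bot: The final `#else` branch `e.error = error_code;` sends a raw com_err value as the KRB-ERROR error-code, and the comment beside it admits that is almost certainly wrong. Since the choice is made at compile time, a `#warning` next to it, or at least a `DEBUG(1,(...))` on that path, would make the affected platform visible in build output or logs instead of silently producing malformed error replies. A short note naming which headers define `krb5_err_base` versus `ERROR_TABLE_BASE_krb5` would also help the next person who hits a third variant.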
@@ -417,14 +417,14 @@ BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_ krb5_krbhst_reset(ctx, hnd); if (!num_kdcs) { - DEBUG(0, ("krb5_locate_kdc: zero kdcs found !\n")); + DEBUG(0, ("smb_krb5_locate_kdc: zero kdcs found !\n")); krb5_krbhst_free(ctx, hnd); return -1; } sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs ); if (!sa) { - DEBUG(0, ("krb5_locate_kdc: malloc failed\n")); + DEBUG(0, ("smb_krb5_locate_kdc: malloc failed\n")); krb5_krbhst_free(ctx, hnd); naddrs = 0; return -1; @@ -454,7 +454,7 @@ BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_ #else /* ! defined(KRB5_KRBHST_INIT) */ - krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, + krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters) { DEBUG(0, ("unable to explicitly locate the KDC on this platform\n")); @@ -463,6 +463,14 @@ BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_ #endif /* KRB5_KRBHST_INIT */ +#else /* ! HAVE_KRB5_LOCATE_KDC */ + + krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, + struct sockaddr **addr_pp, int *naddrs, int get_masters) +{ + return krb5_locate_kdc(ctx, realm, addr_pp, naddrs, get_masters); +} + #endif /* HAVE_KRB5_LOCATE_KDC */ #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME) -- cgit From 1ee9650a1dfa28badac1f37b4c14fca920c6330c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 23 Apr 2007 08:40:54 +0000 Subject: r22479: Add "net ads keytab list". Guenther (This used to be commit 9ec76c542775ae58ff03f42ebfa1acc1a63a1bb1) --- source3/libsmb/clikrb5.c | 47 +++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 41 insertions(+), 6 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 7043a26408..474c6823ea 100644 --- a/source3/libsmb/clikrb5.c 
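Review bot: In the malloc-failure path of the Heimdal smb_krb5_locate_kdc (context lines of the `@@ -417,14 +417,14 @@` hunk), `naddrs = 0;` assigns the pointer parameter rather than the caller's count, so the caller's `*naddrs` is left unset while `-1` is returned; it should read `*naddrs = 0;`. That path and the zero-kdcs path also return `-1` from a function typed krb5_error_code, which callers comparing against krb5 codes will not recognise; returning `ENOMEM` and `KRB5_KDC_UNREACH` respectively keeps the error domain consistent. The new forwarding wrapper at the end of the commit is fine, though the file's `#define KRB5_PRIVATE 1` means the underlying krb5_locate_kdc is a private MIT interface and the wrapper comment could say so. The rename itself addresses the symbol-collision hazard that the earlier wrappers in this file share.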
+++ b/source3/libsmb/clikrb5.c @@ -28,11 +28,11 @@ #ifdef HAVE_KRB5 -#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE -#define KRB5_KEY_TYPE(k) ((k)->keytype) +#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */ +#define KRB5_KEY_TYPE(k) ((k)->keytype) #define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length) #define KRB5_KEY_DATA(k) ((k)->keyvalue.data) -#else +#else /* MIT */ #define KRB5_KEY_TYPE(k) ((k)->enctype) #define KRB5_KEY_LENGTH(k) ((k)->length) #define KRB5_KEY_DATA(k) ((k)->contents) @@ -1216,7 +1216,7 @@ out: krb5_free_creds(context, creds); } #else -#error No suitable krb5 ticket renew function available +#error NO_SUITABKE_KRB5_TICKET_RENEW_FUNCTION_AVAILABLE #endif 
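Review bot: The `#error` text is changed to `NO_SUITABKE_KRB5_TICKET_RENEW_FUNCTION_AVAILABLE`, which misspells SUITABLE; the token is what a packager sees when the build fails, so it should be `#error NO_SUITABLE_KRB5_TICKET_RENEW_FUNCTION_AVAILABLE` (r23588 later on this page corrects it). The `/* Heimdal */` and `/* MIT */` annotations on the KRB5_KEY_* macros are a useful addition.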
@@ -1428,18 +1428,53 @@ done: #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE #ifdef KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT - /* Modern MIT version */ + /* Modern MIT or Heimdal version */ krb5_get_init_creds_opt_free(context, opt); #else /* Heimdal version */ krb5_get_init_creds_opt_free(opt); -#endif +#endif /* KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT */ #else /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */ /* Historical MIT version */ SAFE_FREE(opt); opt = NULL; #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */ +} + + krb5_enctype smb_get_enctype_from_kt_entry(const krb5_keytab_entry *kt_entry) +{ +#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */ + return kt_entry->key.enctype; +#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK) /* Heimdal */ + return kt_entry->keyblock.keytype; +#else +#error UNKNOWN_KRB5_KEYTAB_ENTRY_KEYBLOCK_FORMAT +#endif +} + + +/* caller needs to free etype_s */ + krb5_error_code smb_krb5_enctype_to_string(krb5_context context, + krb5_enctype enctype, + char **etype_s) +{ +#ifdef HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG + return krb5_enctype_to_string(context, enctype, etype_s); /* Heimdal */ +#elif defined(HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG) + char buf[256]; + krb5_error_code ret = krb5_enctype_to_string(enctype, buf, 256); /* MIT */ + if (ret) { + return ret; + } + *etype_s = SMB_STRDUP(buf); + if (!*etype_s) { + return ENOMEM; + } + return ret; +#else +#error UNKNOWN_KRB5_ENCTYPE_TO_STRING_FUNCTION +#endif } krb5_error_code smb_krb5_mk_error(krb5_context context, -- cgit From 116c1532e7e8c398a1b22253a361bd88b729fb0f Mon Sep 17 00:00:00 2001 
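Review bot: In the MIT branch of smb_krb5_enctype_to_string the buffer size is written twice as the literal `256`; `krb5_enctype_to_string(enctype, buf, sizeof(buf))` keeps the two in step if the array is ever resized. `*etype_s` is also left untouched on the error return, so a caller that does not check the result frees or prints an uninitialised pointer; `*etype_s = NULL;` on entry matches the `*principal = NULL` pattern r21845 added above. The "caller needs to free etype_s" comment should say which allocator applies: the Heimdal branch hands back memory allocated by libkrb5 while the MIT branch returns an SMB_STRDUP string, and whether SAFE_FREE is right for both is something I cannot confirm from this hunk.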
From: Günther Deschner Date: Fri, 4 May 2007 09:55:40 +0000 Subject: r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the NTSTATUS codes directly out of the krb5_error edata. Guenther (This used to be commit dcd902f24a59288bbb7400d59c0afc0c8303ed69) --- source3/libsmb/clikrb5.c | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 474c6823ea..64cfe6e952 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -272,6 +272,45 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, } #endif +BOOL unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx, + DATA_BLOB *edata, + DATA_BLOB *edata_out) +{ + DATA_BLOB edata_contents; + ASN1_DATA data; + int edata_type; + + if (!edata->length) { + return False; + } + + asn1_load(&data, *edata); + asn1_start_tag(&data, ASN1_SEQUENCE(0)); + asn1_start_tag(&data, ASN1_CONTEXT(1)); + asn1_read_Integer(&data, &edata_type); + + if (edata_type != KRB5_PADATA_PW_SALT) { + DEBUG(0,("edata is not of required type %d but of type %d\n", + KRB5_PADATA_PW_SALT, edata_type)); + asn1_free(&data); + return False; + } + + asn1_start_tag(&data, ASN1_CONTEXT(2)); + asn1_read_OctetString(&data, &edata_contents); + asn1_end_tag(&data); + asn1_end_tag(&data); + asn1_end_tag(&data); + asn1_free(&data); + + *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length); + + data_blob_free(&edata_contents); + + return True; +} + + BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data) { DATA_BLOB pac_contents; -- cgit From 71921605995fa95d84301534760a6bc2db3fa74b Mon Sep 17 00:00:00 2001 
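Review bot: unwrap_edata_ntstatus parses `edata` received from the KDC but never checks the result of any `asn1_*` call or `data.has_error`, so a malformed or truncated buffer does not make the function return False; it falls through to the copy and reports True with whatever `edata_contents` holds at that point, which is only well-defined if asn1_read_OctetString zeroes its output on failure (I cannot see asn1.c from here). Initialise it with `ZERO_STRUCT(edata_contents);` and, after the last `asn1_end_tag`, add `if (data.has_error) { asn1_free(&data); return False; }` before the `data_blob_talloc()`; the existing early return for a wrong `edata_type` already frees `data` correctly. The `DEBUG(0, ...)` for an unexpected pa-data type is loud for something a foreign KDC can trigger at will; level 1 or higher matches the rest of the file.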
From: Volker Lendecke Date: Mon, 7 May 2007 15:07:49 +0000 Subject: r22747: Fix some C++ warnings (This used to be commit a66a04e9f11f6c4462f2b56b447bae4eca7b177c) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 64cfe6e952..a668d3b55c 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -1450,7 +1450,7 @@ done: *opt = NULL; - if ((my_opt = SMB_MALLOC(sizeof(krb5_get_init_creds_opt))) == NULL) { + if ((my_opt = SMB_MALLOC_P(krb5_get_init_creds_opt)) == NULL) { return ENOMEM; } -- cgit From c66831e04b468743df8993edc68cd72ebb4a391d Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 22 Jun 2007 11:20:37 +0000 Subject: r23582: Fix event based krb5 ticket refreshing in winbindd. We were incorrectly using the renew_till timestamp instead of the renewed ticket's endtime to calculate the next refreshing date. Guenther (This used to be commit aa3511a5b5e6a96a02110a7ad0ab1d43e6d25766) --- source3/libsmb/clikrb5.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index a668d3b55c..078706d1db 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -1134,7 +1134,7 @@ out: krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, /* FILE:/tmp/krb5cc_0 */ const char *client_string, /* gd@BER.SUSE.DE */ const char *service_string, /* krbtgt/BER.SUSE.DE@BER.SUSE.DE */ - time_t *new_start_time) + time_t *expire_time) { krb5_error_code ret; krb5_context context = NULL; @@ -1189,8 +1189,8 @@ out: ret = krb5_cc_store_cred(context, ccache, &creds); - if (new_start_time) { - *new_start_time = (time_t) creds.times.renew_till; + if (expire_time) { + *expire_time = (time_t) creds.times.endtime; } krb5_free_cred_contents(context, &creds); 
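Review bot: In both r23582 hunks the `ret = krb5_cc_store_cred(...)` result is assigned but never tested before `*expire_time` is written, so on a store failure the caller receives the renewed ticket's endtime for a credential that never reached the cache while `ret` carries the error; `if (ret) { goto done; }` directly after the store keeps the two consistent. The same pattern remains in the `@@ -1247,8 +1247,8 @@` hunk of this commit on the next line and in the unified version r23609 produces later on this page. Switching from `renew_till` to `endtime` for the refresh timer is the right fix for the bug the message describes.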
@@ -1247,8 +1247,8 @@ out: ret = krb5_cc_store_cred(context, ccache, creds); - if (new_start_time) { - *new_start_time = (time_t) creds->times.renew_till; + if (expire_time) { + *expire_time = (time_t) creds->times.endtime; } krb5_free_cred_contents(context, &creds_in); -- cgit From 33c7b666adfa5c873ffd1461edca37b068dfddac Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 22 Jun 2007 14:43:42 +0000 Subject: r23586: Fix heimdal path in the krb5 renew routine when we need to compose the tgt string ourselves. Guenther (This used to be commit 1e4a7af99303fb17ebca499ff7e0a017a2017754) --- source3/libsmb/clikrb5.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 078706d1db..0180bef47a 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -1223,7 +1223,11 @@ out: } } else { /* build tgt service by default */ - client_realm = krb5_princ_realm(context, client); + client_realm = krb5_princ_realm(context, creds_in.client); + if (!client_realm) { + ret = ENOMEM; + goto done; + } ret = krb5_make_principal(context, &creds_in.server, *client_realm, KRB5_TGS_NAME, *client_realm, NULL); if (ret) { goto done; -- cgit From 679727b8df0b64cfe2e04111a41a3e512c1428c5 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 22 Jun 2007 14:50:15 +0000 Subject: r23587: Cleanup redundant code in the krb5 renew function. Guenther (This used to be commit 0b9acc8610ae2ba9c42168e9ceb2e9ea8bc2f5bd) --- source3/libsmb/clikrb5.c | 39 ++++++++++++++++----------------------- 1 file changed, 16 insertions(+), 23 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 0180bef47a..be6fb1bda8 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
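Review bot: `krb5_princ_realm()` returns a pointer into the principal it is given rather than a fresh allocation (on both MIT and Heimdal as far as I know), so a NULL result means the client principal carries no realm, and `ret = ENOMEM;` mislabels that condition and would send anyone reading the logs after memory pressure. `ret = EINVAL; /* client principal has no realm */` is closer to the truth. The check itself is a good addition over the previous unguarded dereference of `*client_realm`. smb_krb5_renew_ticket begins and ends outside this hunk.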
@@ -1159,22 +1159,22 @@ out: goto done; } + if (client_string) { + ret = smb_krb5_parse_name(context, client_string, &client); + if (ret) { + goto done; + } + } else { + ret = krb5_cc_get_principal(context, ccache, &client); + if (ret) { + goto done; + } + } + #ifdef HAVE_KRB5_GET_RENEWED_CREDS /* MIT */ { krb5_creds creds; - - if (client_string) { - ret = smb_krb5_parse_name(context, client_string, &client); - if (ret) { - goto done; - } - } else { - ret = krb5_cc_get_principal(context, ccache, &client); - if (ret) { - goto done; - } - } - + ret = krb5_get_renewed_creds(context, &creds, client, ccache, CONST_DISCARD(char *, service_string)); if (ret) { DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); @@ -1204,16 +1204,9 @@ out: memset(&creds_in, 0, sizeof(creds_in)); - if (client_string) { - ret = smb_krb5_parse_name(context, client_string, &creds_in.client); - if (ret) { - goto done; - } - } else { - ret = krb5_cc_get_principal(context, ccache, &creds_in.client); - if (ret) { - goto done; - } + ret = krb5_copy_principal(context, client, &creds_in.client); + if (ret) { + goto done; } if (service_string) { -- cgit From 32a3c30627fad859bc7fa218cc40e7b056bac30d Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 22 Jun 2007 14:54:39 +0000 Subject: r23588: Some more cleanups and error checks in the krb5 renew function. Guenther (This used to be commit 277e07c8553e2ed20bc95493cdc996be43feb6bd) --- source3/libsmb/clikrb5.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index be6fb1bda8..f452766e32 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -1151,6 +1151,11 @@ out: ccache_string = krb5_cc_default_name(context); } + if (!ccache_string) { + ret = EINVAL; + goto done; + } + DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string)); /* FIXME: we should not fall back to defaults */ @@ -1175,6 +1180,8 @@ out: { krb5_creds creds; + ZERO_STRUCT(creds); + ret = krb5_get_renewed_creds(context, &creds, client, ccache, CONST_DISCARD(char *, service_string)); if (ret) { DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); @@ -1202,7 +1209,7 @@ out: krb5_realm *client_realm; krb5_creds *creds; - memset(&creds_in, 0, sizeof(creds_in)); + ZERO_STRUCT(creds_in); ret = krb5_copy_principal(context, client, &creds_in.client); if (ret) { @@ -1252,7 +1259,7 @@ out: krb5_free_creds(context, creds); } #else -#error NO_SUITABKE_KRB5_TICKET_RENEW_FUNCTION_AVAILABLE +#error NO_SUITABLE_KRB5_TICKET_RENEW_FUNCTION_AVAILABLE #endif @@ -1260,15 +1267,14 @@ done: if (client) { krb5_free_principal(context, client); } - if (context) { - krb5_free_context(context); - } if (ccache) { krb5_cc_close(context, ccache); } + if (context) { + krb5_free_context(context); + } return ret; - } krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr) -- cgit From 75f6a458b5d62f2d07e5f5dc121c72b6f26d0f65 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 26 Jun 2007 10:19:06 +0000 Subject: r23609: Removing more redundant codepaths out of smb_krb5_renew_ticket(). Thanks Volker for the pointer hint :) Guenther (This used to be commit eb1ec508ace3a5eeb53cf47be44047bd9228cd19) --- source3/libsmb/clikrb5.c | 64 ++++++++++++++++++++---------------------------- 1 file changed, 26 insertions(+), 38 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index f452766e32..1e322974cc 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -1140,6 +1140,10 @@ out: krb5_context context = NULL; krb5_ccache ccache = NULL; krb5_principal client = NULL; + krb5_creds creds, creds_in, *creds_out = NULL; + + ZERO_STRUCT(creds); + ZERO_STRUCT(creds_in); initialize_krb5_error_table(); ret = krb5_init_context(&context); @@ -1178,38 +1182,16 @@ out: #ifdef HAVE_KRB5_GET_RENEWED_CREDS /* MIT */ { - krb5_creds creds; - - ZERO_STRUCT(creds); - ret = krb5_get_renewed_creds(context, &creds, client, ccache, CONST_DISCARD(char *, service_string)); if (ret) { DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); goto done; } - - /* hm, doesn't that create a new one if the old one wasn't there? - Guenther */ - ret = krb5_cc_initialize(context, ccache, client); - if (ret) { - goto done; - } - - ret = krb5_cc_store_cred(context, ccache, &creds); - - if (expire_time) { - *expire_time = (time_t) creds.times.endtime; - } - - krb5_free_cred_contents(context, &creds); } #elif defined(HAVE_KRB5_GET_KDC_CRED) /* Heimdal */ { krb5_kdc_flags flags; - krb5_creds creds_in; - krb5_realm *client_realm; - krb5_creds *creds; - - ZERO_STRUCT(creds_in); + krb5_realm *client_realm = NULL; ret = krb5_copy_principal(context, client, &creds_in.client); if (ret) { 
@@ -1237,33 +1219,39 @@ out: flags.i = 0; flags.b.renewable = flags.b.renew = True; - ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &creds_in, &creds); + ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &creds_in, &creds_out); if (ret) { DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); goto done; } - - /* hm, doesn't that create a new one if the old one wasn't there? - Guenther */ - ret = krb5_cc_initialize(context, ccache, creds_in.client); - if (ret) { - goto done; - } - - ret = krb5_cc_store_cred(context, ccache, creds); - if (expire_time) { - *expire_time = (time_t) creds->times.endtime; - } - - krb5_free_cred_contents(context, &creds_in); - krb5_free_creds(context, creds); + creds = *creds_out; } #else #error NO_SUITABLE_KRB5_TICKET_RENEW_FUNCTION_AVAILABLE #endif + /* hm, doesn't that create a new one if the old one wasn't there? - Guenther */ + ret = krb5_cc_initialize(context, ccache, client); + if (ret) { + goto done; + } + + ret = krb5_cc_store_cred(context, ccache, &creds); + + if (expire_time) { + *expire_time = (time_t) creds.times.endtime; + } done: + krb5_free_cred_contents(context, &creds_in); + + if (creds_out) { + krb5_free_creds(context, creds_out); + } else { + krb5_free_cred_contents(context, &creds); + } + if (client) { krb5_free_principal(context, client); } -- cgit From a24867293257585260deb0587e7e1b710654843a Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 29 Jun 2007 09:42:14 +0000 Subject: r23649: Fix the build (by moving smb_krb5_open_keytab() to clikrb5.c). Guenther (This used to be commit 19020d19dca7f34be92c8c2ec49ae7dbde60f8c1) --- source3/libsmb/clikrb5.c | 138 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 137 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 1e322974cc..5836fc34e0 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
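Review bot: After `creds = *creds_out;` in the Heimdal branch, `creds` is a shallow copy of the heap object that the `done:` label frees via `krb5_free_creds(context, creds_out)`, and the `else` branch's `krb5_free_cred_contents(context, &creds)` only runs on the MIT path; that is correct but easy to break in a later edit, so a comment at the assignment, `/* shallow copy: creds_out owns the contents and is freed at done:, never free creds separately here */`, is worth the line. Moving the common cc_initialize/store/expire code below the `#endif` is a clear improvement, though `krb5_cc_store_cred`'s result is still assigned and not checked before `*expire_time` is written. smb_krb5_renew_ticket begins outside this hunk.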
@@ -4,7 +4,7 @@
 Copyright (C) Andrew Tridgell 2001
 Copyright (C) Luke Howard 2002-2003
 Copyright (C) Andrew Bartlett 2005
- Copyright (C) Guenther Deschner 2005
+ Copyright (C) Guenther Deschner 2005-2007
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -1544,6 +1544,142 @@ done: #endif } +/********************************************************************** + * Open a krb5 keytab with flags, handles readonly or readwrite access and + * allows to process non-default keytab names. + * @param context krb5_context + * @param keytab_name_req string + * @param write_access BOOL if writable keytab is required + * @param krb5_keytab pointer to krb5_keytab (close with krb5_kt_close()) + * @return krb5_error_code +**********************************************************************/ + +/* This MAX_NAME_LEN is a constant defined in krb5.h */ +#ifndef MAX_KEYTAB_NAME_LEN +#define MAX_KEYTAB_NAME_LEN 1100 +#endif + + krb5_error_code smb_krb5_open_keytab(krb5_context context, + const char *keytab_name_req, + BOOL write_access, + krb5_keytab *keytab) +{ + krb5_error_code ret = 0; + TALLOC_CTX *mem_ctx; + char keytab_string[MAX_KEYTAB_NAME_LEN]; + BOOL found_valid_name = False; + const char *pragma = "FILE"; + const char *tmp = NULL; + + if (!write_access && !keytab_name_req) { + /* caller just wants to read the default keytab readonly, so be it */ + return krb5_kt_default(context, keytab); + } + + mem_ctx = talloc_init("smb_krb5_open_keytab"); + if (!mem_ctx) { + return ENOMEM; + } + +#ifdef HAVE_WRFILE_KEYTAB + if (write_access) { + pragma = "WRFILE"; + } +#endif + + if (keytab_name_req) { + + if (strlen(keytab_name_req) > MAX_KEYTAB_NAME_LEN) { + ret = KRB5_CONFIG_NOTENUFSPACE; + goto out; + } + + if ((strncmp(keytab_name_req, "WRFILE:/", 8) == 0) || + (strncmp(keytab_name_req, "FILE:/", 6) == 0)) { + tmp = keytab_name_req; + goto resolve; + } + + if (keytab_name_req[0] != '/') { + ret = KRB5_KT_BADNAME; + goto out; + } + + tmp = talloc_asprintf(mem_ctx, "%s:%s", pragma, keytab_name_req); + if (!tmp) { + ret = ENOMEM; + goto out; + } + + goto resolve; + } + + /* we need to handle more complex keytab_strings, like: + * "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab" */ + + ret = krb5_kt_default_name(context, 
&keytab_string[0], MAX_KEYTAB_NAME_LEN - 2); + if (ret) { + goto out; + } + + DEBUG(10,("smb_krb5_open_keytab: krb5_kt_default_name returned %s\n", keytab_string)); + + tmp = talloc_strdup(mem_ctx, keytab_string); + if (!tmp) { + ret = ENOMEM; + goto out; + } + + if (strncmp(tmp, "ANY:", 4) == 0) { + tmp += 4; + } + + memset(&keytab_string, '\0', sizeof(keytab_string)); + + while (next_token(&tmp, keytab_string, ",", sizeof(keytab_string))) { + + if (strncmp(keytab_string, "WRFILE:", 7) == 0) { + found_valid_name = True; + tmp = keytab_string; + tmp += 7; + } + + if (strncmp(keytab_string, "FILE:", 5) == 0) { + found_valid_name = True; + tmp = keytab_string; + tmp += 5; + } + + if (found_valid_name) { + + if (tmp[0] != '/') { + ret = KRB5_KT_BADNAME; + goto out; + } + + tmp = talloc_asprintf(mem_ctx, "%s:%s", pragma, tmp); + if (!tmp) { + ret = ENOMEM; + goto out; + } + break; + } + } + + if (!found_valid_name) { + ret = KRB5_KT_UNKNOWN_TYPE; + goto out; + } + + resolve: + DEBUG(10,("smb_krb5_open_keytab: resolving: %s\n", tmp)); + ret = krb5_kt_resolve(context, tmp, keytab); + + out: + TALLOC_FREE(mem_ctx); + return ret; +} + #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, -- cgit From 3b1956f9d2ad36dfc8c10a4ce22ee05a138bd2f9 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 29 Jun 2007 09:54:39 +0000 Subject: r23650: Fix remaining callers of krb5_kt_default(). Guenther (This used to be commit b9d7a2962a472afb0c6b8e3ac5c2c819d4af2b39) --- source3/libsmb/clikrb5.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 5836fc34e0..82796d39cc 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
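Review bot: When `keytab_name_req` already carries a `FILE:` prefix, smb_krb5_open_keytab jumps to `resolve` with it unchanged even if `write_access` is set, so on builds where HAVE_WRFILE_KEYTAB makes the two prefixes differ a caller asking for a writable keytab may get a read-only handle; rewriting the prefix to `pragma` in that branch, or rejecting `FILE:` together with `write_access`, would honour the flag. The `/* This MAX_NAME_LEN is a constant defined in krb5.h */` comment names the wrong macro and should read `MAX_KEYTAB_NAME_LEN`. The relative-path rejection (`tmp[0] != '/'` → `KRB5_KT_BADNAME`) is a good check and deserves a one-line comment saying it stops keytab lookups that depend on the current working directory. This hunk starts on the previous line.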
@@ -951,10 +951,10 @@ get_key_from_keytab(krb5_context context, may be in the middle of a keytab enumeration when this is called. JRA. */ - ret = krb5_kt_default(context, &keytab); + ret = smb_krb5_open_keytab(context, NULL, False, &keytab); if (ret) { - DEBUG(0,("get_key_from_keytab: failed to open keytab: %s\n", error_message(ret))); - return ret; + DEBUG(1,("get_key_from_keytab: smb_krb5_open_keytab failed (%s)\n", error_message(ret))); + goto out; } if ( DEBUGLEVEL >= 10 ) { -- cgit From 110e420196bcaf87d8d434b3680100d9b265a879 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 29 Jun 2007 09:58:11 +0000 Subject: r23651: Always, always, always compile before commit... Guenther (This used to be commit accb40446ad3f872c5167fc2306d892553293b7b) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 82796d39cc..96c18c3a8c 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -954,7 +954,7 @@ get_key_from_keytab(krb5_context context, ret = smb_krb5_open_keytab(context, NULL, False, &keytab); if (ret) { DEBUG(1,("get_key_from_keytab: smb_krb5_open_keytab failed (%s)\n", error_message(ret))); - goto out; + return ret; } if ( DEBUGLEVEL >= 10 ) { -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 96c18c3a8c..73eefe749c 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -8,7 +8,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, -- cgit From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 00:52:41 +0000 Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07) --- source3/libsmb/clikrb5.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 73eefe749c..c036d7a930 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -17,8 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */ -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/libsmb/clikrb5.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) (limited to 'source3/libsmb/clikrb5.c') 
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index c036d7a930..4291834797 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -271,7 +271,7 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, } #endif -BOOL unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx, +bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx, DATA_BLOB *edata, DATA_BLOB *edata_out) { @@ -310,7 +310,7 @@ BOOL unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx, } -BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data) +bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data) { DATA_BLOB pac_contents; ASN1_DATA data; @@ -347,10 +347,10 @@ BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_ return True; } - BOOL get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt) + bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt) { DATA_BLOB auth_data_wrapped; - BOOL got_auth_data_pac = False; + bool got_auth_data_pac = False; int i; #if defined(HAVE_KRB5_TKT_ENC_PART2) @@ -540,7 +540,7 @@ BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_ #endif } - BOOL kerberos_compatible_enctypes(krb5_context context, + bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2) { @@ -554,7 +554,7 @@ BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_ #endif } -static BOOL ads_cleanup_expired_creds(krb5_context context, +static bool ads_cleanup_expired_creds(krb5_context context, krb5_ccache ccache, krb5_creds *credsp) { @@ -607,7 +607,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, krb5_creds * credsp; krb5_creds creds; krb5_data in_data; - BOOL creds_ready = False; + bool creds_ready = False; int i = 0, maxtries = 3; retval = smb_krb5_parse_name(context, principal, &server); 
@@ -759,11 +759,11 @@ failed: return retval; } - BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote) + bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote) { krb5_keyblock *skey; krb5_error_code err; - BOOL ret = False; + bool ret = False; if (remote) err = krb5_auth_con_getremotesubkey(context, auth_context, &skey); @@ -1095,7 +1095,7 @@ out: return smb_krb5_parse_name(context, name, principal); } - BOOL smb_krb5_principal_compare_any_realm(krb5_context context, + bool smb_krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) { @@ -1383,7 +1383,7 @@ done: krb5_data *packet) { krb5_error_code ret; - BOOL got_error_code = False; + bool got_error_code = False; DEBUG(10,("handle_krberror_packet: got error packet\n")); @@ -1548,7 +1548,7 @@ done: * allows to process non-default keytab names. * @param context krb5_context * @param keytab_name_req string - * @param write_access BOOL if writable keytab is required + * @param write_access bool if writable keytab is required * @param krb5_keytab pointer to krb5_keytab (close with krb5_kt_close()) * @return krb5_error_code **********************************************************************/ @@ -1560,13 +1560,13 @@ done: krb5_error_code smb_krb5_open_keytab(krb5_context context, const char *keytab_name_req, - BOOL write_access, + bool write_access, krb5_keytab *keytab) { krb5_error_code ret = 0; TALLOC_CTX *mem_ctx; char keytab_string[MAX_KEYTAB_NAME_LEN]; - BOOL found_valid_name = False; + bool found_valid_name = False; const char *pragma = "FILE"; const char *tmp = NULL; -- cgit From f88b7a076be74a29a3bf876b4e2705f4a1ecf42b Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Wed, 24 Oct 2007 14:16:54 -0700 Subject: This is a large patch (sorry). Migrate from struct in_addr to struct sockaddr_storage in most places that matter (ie. not the nmbd and NetBIOS lookups). This passes make test on an IPv4 box, but I'll have to do more work/testing on IPv6 enabled boxes. This should now give us a framework for testing and finishing the IPv6 migration. It's at the state where someone with a working IPv6 setup should (theorecically) be able to type : smbclient //ipv6-address/share and have it work. Jeremy. (This used to be commit 98e154c3125d5732c37a72d74b0eb5cd7b6155fd) --- source3/libsmb/clikrb5.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 4291834797..fb25e9e203 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -162,7 +162,7 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* HEIMDAL */ - void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr) + void setup_kaddr_v4( krb5_address *pkaddr, struct sockaddr *paddr) { pkaddr->addr_type = KRB5_ADDRESS_INET; pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr); @@ -170,7 +170,7 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, } #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ - void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr) + void setup_kaddr_v4( krb5_address *pkaddr, struct sockaddr *paddr) { pkaddr->addrtype = ADDRTYPE_INET; pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr); -- cgit From 32dd016353355acfb71dd773187076f95ff6e86e Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Mon, 29 Oct 2007 15:03:36 -0700 Subject: Fix the setup_kaddr() call to cope with IPv6. This is the last obvious change I can see. At this point we can start claiming IPv6 support (Hurrah !:-). Jeremy. (This used to be commit bda8c0bf571c994b524a9d67eebc422033d17094) --- source3/libsmb/clikrb5.c | 42 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 8 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index fb25e9e203..d996d61a48 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -162,19 +162,45 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* HEIMDAL */ - void setup_kaddr_v4( krb5_address *pkaddr, struct sockaddr *paddr) + bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr) { - pkaddr->addr_type = KRB5_ADDRESS_INET; - pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr); - pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr); + memset(pkaddr, '\0', sizeof(krb5_address)); +#if defined(HAVE_IPV6) && defined(KRB5_ADDRESS_INET6) + if (paddr->ss_family == AF_INET6) { + pkaddr->addr_type = KRB5_ADDRESS_INET6; + pkaddr->address.length = sizeof(((struct sockaddr_in6 *)paddr)->sin6_addr); + pkaddr->address.data = (char *)&(((struct sockaddr_in6 *)paddr)->sin6_addr); + return true; + } +#endif + if (paddr->ss_family == AF_INET) { + pkaddr->addr_type = KRB5_ADDRESS_INET; + pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr); + pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr); + return true; + } + return false; } #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ - void setup_kaddr_v4( krb5_address *pkaddr, struct sockaddr *paddr) + bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr) { - pkaddr->addrtype = ADDRTYPE_INET; - pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr); - pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr); + memset(pkaddr, '\0', sizeof(krb5_address)); +#if defined(HAVE_IPV6) && defined(ADDRTYPE_INET6) + if (paddr->ss_family == AF_INET6) { + pkaddr->addrtype = ADDRTYPE_INET6; + pkaddr->length = sizeof(((struct sockaddr_in6 *)paddr)->sin6_addr); + pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in6 *)paddr)->sin6_addr); + return true; + } +#endif + if (paddr->ss_family == AF_INET) { + pkaddr->addrtype = ADDRTYPE_INET; + pkaddr->length = sizeof(((struct sockaddr_in 
*)paddr)->sin_addr); + pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr); + return true; + } + return false; } #else #error UNKNOWN_ADDRTYPE -- cgit From 42cfffae80480eae4381902fff3f7c61f858a933 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 7 Dec 2007 17:32:32 -0800 Subject: Remove next_token - all uses must now be next_token_talloc. No more temptations to use static length strings. Jeremy. (This used to be commit ec003f39369910dee852b7cafb883ddaa321c2de) --- source3/libsmb/clikrb5.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index d996d61a48..549574caad 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -1592,6 +1592,7 @@ done: krb5_error_code ret = 0; TALLOC_CTX *mem_ctx; char keytab_string[MAX_KEYTAB_NAME_LEN]; + char *kt_str = NULL; bool found_valid_name = False; const char *pragma = "FILE"; const char *tmp = NULL; @@ -1654,29 +1655,27 @@ done: ret = ENOMEM; goto out; } - + if (strncmp(tmp, "ANY:", 4) == 0) { tmp += 4; } memset(&keytab_string, '\0', sizeof(keytab_string)); - while (next_token(&tmp, keytab_string, ",", sizeof(keytab_string))) { - - if (strncmp(keytab_string, "WRFILE:", 7) == 0) { + while (next_token_talloc(mem_ctx, &tmp, &kt_str, ",")) { + if (strncmp(kt_str, "WRFILE:", 7) == 0) { found_valid_name = True; - tmp = keytab_string; + tmp = kt_str; tmp += 7; } - if (strncmp(keytab_string, "FILE:", 5) == 0) { + if (strncmp(kt_str, "FILE:", 5) == 0) { found_valid_name = True; - tmp = keytab_string; + tmp = kt_str; tmp += 5; } if (found_valid_name) { - if (tmp[0] != '/') { ret = KRB5_KT_BADNAME; goto out; @@ -1690,7 +1689,7 @@ done: break; } } - + if (!found_valid_name) { ret = KRB5_KT_UNKNOWN_TYPE; goto out; -- cgit From 1acd160800bf93ca59daf71cea235fc88e31fb4a Mon Sep 17 00:00:00 2001 
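Review bot: Both new setup_kaddr bodies store a pointer into *paddr (`pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr);` and the MIT `contents` equivalents) instead of copying the address, so the krb5_address is only valid while the caller's sockaddr_storage is alive and unchanged, and neither definition says so. I'd put `/* pkaddr aliases *paddr: keep paddr alive and unmodified for as long as pkaddr is in use. */` above each. The functions also now return false for any family other than AF_INET (and AF_INET6 when compiled in), so every former caller of the void setup_kaddr_v4 needs to check the result; those callers are outside this hunk.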
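Review bot: `memset(&keytab_string, '\0', sizeof(keytab_string));` is now dead code: after the switch to next_token_talloc the loop reads and writes only kt_str, and keytab_string is not touched again after the `talloc_strdup(mem_ctx, keytab_string)` above it, so the memset can go. Each token is allocated on mem_ctx and released with it at `out:`, which is fine for the handful of entries a keytab list holds. The enclosing smb_krb5_open_keytab starts outside this hunk.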
From: Guenther Deschner Date: Wed, 12 Dec 2007 13:38:28 +0100 Subject: Vista SP1-rc1 appears to break against Samba-3.0.27a MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Jason, Jason Haar wrote: > Patched 3.0.28, compiled, installed and here's the log file. > > Hope it helps. BTW I don't think it matters, but this is on 32bit > CentOS4.5 systems. yes, it helps. Thanks for that. Very interesting, there are two auth data structures where the first one is a PAC and the second something unknown (yet). Can you please try the attached fix ? It should make it work again. Guenther - -- Günther Deschner GPG-ID: 8EE11688 Red Hat gdeschner@redhat.com Samba Team gd@samba.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHX9ZESOk3aI7hFogRAivSAJ9bMcD+PcsIzjYYLtAUoLNfVVEl1QCfV/Qd MPsZW4G31VOVu64SPjgnJiI= =Co+H -----END PGP SIGNATURE----- (This used to be commit c9adc07ca2a3bb1e0ea98e3b4f68e1a87e5c0196) --- source3/libsmb/clikrb5.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 549574caad..1bbd765965 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -427,9 +427,9 @@ bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_ /* check if it is a PAC */ got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data); data_blob_free(&auth_data_wrapped); - - if (!got_auth_data_pac) { - continue; + + if (got_auth_data_pac) { + return true; } } -- cgit From 022014dba281a50d98ac2f00a4c941124065914f Mon Sep 17 00:00:00 2001 
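Review bot: With the early `return true;` the code after the loop is the only path left for the no-PAC case, and that code is outside the hunk, so it must still return got_auth_data_pac (False) rather than something set later in the loop; please double-check the function's tail. The identical change to the other enctype branch in the next commit (`@@ -399,9 +399,9 @@`) has the same consideration and I have not repeated it there. Minor: the hunk mixes `true` with the file's `False` spelling; pick one.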
From: Günther Deschner Date: Wed, 12 Dec 2007 18:57:45 +0100 Subject: Make heimdal and MIT happy when iterating through auth data. Guenther (This used to be commit 507247dcbf0ef02825a6c5c5f313813714df2d99) --- source3/libsmb/clikrb5.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 1bbd765965..844a3b35c0 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -399,9 +399,9 @@ bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_ /* check if it is a PAC */ got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data); data_blob_free(&auth_data_wrapped); - - if (!got_auth_data_pac) { - continue; + + if (got_auth_data_pac) { + return true; } } -- cgit From c1793b2b316a8f912dde14f806c84ac7d1491bf3 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sun, 17 Feb 2008 01:59:02 +0100 Subject: Use new IDL based PAC structures in clikrb5.c Guenther (This used to be commit 3b0135d57e1e70175a5eec49b603a2e5f700c770) --- source3/libsmb/clikrb5.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 844a3b35c0..c289740ab2 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -835,22 +835,22 @@ failed: #endif } - void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum, - PAC_SIGNATURE_DATA *sig) + void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum, + struct PAC_SIGNATURE_DATA *sig) { #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM cksum->cksumtype = (krb5_cksumtype)sig->type; - cksum->checksum.length = sig->signature.buf_len; - cksum->checksum.data = sig->signature.buffer; + cksum->checksum.length = sig->signature.length; + cksum->checksum.data = sig->signature.data; #else cksum->checksum_type = (krb5_cksumtype)sig->type; - cksum->length = sig->signature.buf_len; - cksum->contents = sig->signature.buffer; + cksum->length = sig->signature.length; + cksum->contents = sig->signature.data; #endif } krb5_error_code smb_krb5_verify_checksum(krb5_context context, - krb5_keyblock *keyblock, + const krb5_keyblock *keyblock, krb5_keyusage usage, krb5_checksum *cksum, uint8 *data, -- cgit From fb37f156009611af0dd454a0fb0829a09cd638ac Mon Sep 17 00:00:00 2001 From: Tim Prouty Date: Tue, 29 Apr 2008 14:36:24 -0700 Subject: Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d) --- source3/libsmb/clikrb5.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index c289740ab2..7688b0bd12 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -52,8 +52,9 @@ { krb5_error_code ret; char *utf8_name; + size_t converted_size; - if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) { + if (!push_utf8_allocate(&utf8_name, name, &converted_size)) { return ENOMEM; } 
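Review bot: smb_krb5_checksum_from_pac_sig makes cksum alias the signature buffer (`cksum->checksum.data = sig->signature.data;` and the MIT `contents` line) without copying, and nothing says so; a caller that frees or re-parses the PAC before the verify call hands the library a dangling checksum. Suggested comment above the definition: `/* cksum borrows sig->signature.data; sig must outlive every use of cksum. */`. The `const krb5_keyblock *keyblock` change to smb_krb5_verify_checksum looks right, but its body is outside the hunk so I could not confirm both the Heimdal and MIT calls accept a const key.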
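Review bot: `converted_size` is written by push_utf8_allocate but never read, here and in the two hunks that follow (`@@ -73,9 +74,10 @@` and `@@ -96,6 +98,7 @@` for pull_utf8_allocate). If the new API accepts a NULL out-parameter, pass NULL and drop the local; if it does not, a one-line `/* length unused; push_utf8_allocate requires the out-parameter */` next to the declaration stops the next reader (and -Wunused-but-set-variable) from wondering whether a check was forgotten. Whether NULL is allowed is not visible from this file.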
@@ -73,9 +74,10 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, { krb5_error_code ret; char *utf8_name; + size_t converted_size; *principal = NULL; - if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) { + if (!push_utf8_allocate(&utf8_name, name, &converted_size)) { return ENOMEM; } @@ -96,6 +98,7 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, { krb5_error_code ret; char *utf8_name; + size_t converted_size; *unix_name = NULL; ret = krb5_unparse_name(context, principal, &utf8_name); @@ -103,7 +106,7 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, return ret; } - if (pull_utf8_allocate(unix_name, utf8_name)==-1) { + if (!pull_utf8_allocate(unix_name, utf8_name, &converted_size)) { krb5_free_unparsed_name(context, utf8_name); return ENOMEM; } -- cgit From fd288b4110a988ef37f153dfee95381f6675a7ef Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 17 Jun 2008 17:58:38 +0200 Subject: clikrb5: remove unrequired create_kerberos_key_from_string_direct() prototype. Guenther (This used to be commit ec86852fc6ce2d88ad5835c8fcb337c68fd6f6bc) --- source3/libsmb/clikrb5.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 7688b0bd12..4c535d2bcf 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -210,11 +210,11 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, #endif #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK) - int create_kerberos_key_from_string_direct(krb5_context context, - krb5_principal host_princ, - krb5_data *password, - krb5_keyblock *key, - krb5_enctype enctype) +static int create_kerberos_key_from_string_direct(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key, + krb5_enctype enctype) { int ret; krb5_data salt; @@ -231,11 +231,11 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context, return ret; } #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) - int create_kerberos_key_from_string_direct(krb5_context context, - krb5_principal host_princ, - krb5_data *password, - krb5_keyblock *key, - krb5_enctype enctype) +static int create_kerberos_key_from_string_direct(krb5_context context, + krb5_principal host_princ, + krb5_data *password, + krb5_keyblock *key, + krb5_enctype enctype) { int ret; krb5_salt salt; -- cgit From 0ac8c5d49a8b0d5535eebf80871003f6c19af5eb Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 18 Jun 2008 12:45:57 +0200 Subject: kerberos: make smb_krb5_kt_add_entry public, allow to pass keys without salting them. Guenther (This used to be commit 7c4da23be1105dc224033b21eb486e7fcdc7d9c5) --- source3/libsmb/clikrb5.c | 56 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 38 insertions(+), 18 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 4c535d2bcf..52c729625c 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -214,20 +214,31 @@ static int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, - krb5_enctype enctype) + krb5_enctype enctype, + bool no_salt) { int ret; krb5_data salt; krb5_encrypt_block eblock; - ret = krb5_principal2salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); - return ret; + if (no_salt) { + key->contents = (krb5_octet *)SMB_MALLOC(password->length); + if (!key->contents) { + return ENOMEM; + } + memcpy(key->contents, password->data, password->length); + key->length = password->length; + key->enctype = enctype; + } else { + ret = krb5_principal2salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); + return ret; + } + krb5_use_enctype(context, &eblock, enctype); + ret = krb5_string_to_key(context, &eblock, key, password, &salt); + SAFE_FREE(salt.data); } - krb5_use_enctype(context, &eblock, enctype); - ret = krb5_string_to_key(context, &eblock, key, password, &salt); - SAFE_FREE(salt.data); return ret; } #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) 
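Review bot: `ret` is declared as `int ret;` and only assigned in the else branch, so the new no_salt path reaches `return ret;` with an indeterminate value; initialise it (`int ret = 0;`) or `return 0;` from inside the branch. The raw-copy branch also calls `SMB_MALLOC(password->length)` and treats NULL as ENOMEM, which misreports a zero-length password on allocators that return NULL for size 0 — reject `password->length == 0` up front if an empty key is never legitimate here. The MIT branch copies the bytes verbatim while the Heimdal hunk below routes them through krb5_keyblock_init, so the two builds may accept different inputs for the same no_salt request.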
@@ -235,19 +246,27 @@ static int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, - krb5_enctype enctype) + krb5_enctype enctype, + bool no_salt) { int ret; krb5_salt salt; - ret = krb5_get_pw_salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); - return ret; + if (no_salt) { + return krb5_keyblock_init(context, enctype, + password->data, password->length, + key); + } else { + ret = krb5_get_pw_salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); + return ret; + } + + ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key); + krb5_free_salt(context, salt); } - - ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key); - krb5_free_salt(context, salt); + return ret; } #else @@ -258,7 +277,8 @@ static int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, - krb5_enctype enctype) + krb5_enctype enctype, + bool no_salt) { krb5_principal salt_princ = NULL; int ret; @@ -268,7 +288,7 @@ static int create_kerberos_key_from_string_direct(krb5_context context, * its behavior. */ salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype); - ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype); + ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype, no_salt); if (salt_princ) { krb5_free_principal(context, salt_princ); } -- cgit From 640a2972c555a456ea9a083bdc7aae8ea283492a Mon Sep 17 00:00:00 2001 
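Review bot: In the `#else` hunk the salt-principal lookup `salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);` still runs when no_salt is set even though the inner call then ignores the salt, so a no_salt caller pays for a lookup whose result is discarded; short-circuit on no_salt before it (what that helper costs is outside this file, so this is hedged). In the Heimdal hunk, krb5_keyblock_init performs its own validation of the key against the enctype, whereas the MIT branch accepts any byte string, which is worth a comment on the no_salt parameter so callers know the two builds can differ.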
From: Günther Deschner Date: Wed, 18 Jun 2008 12:48:35 +0200 Subject: kerberos: add smb_krb5_keytab_name(). Guenther (This used to be commit c273ce8798062d1b55100411f3e92a01bdbf611c) --- source3/libsmb/clikrb5.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 52c729625c..2aae9df53e 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -1727,6 +1727,28 @@ done: return ret; } +krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx, + krb5_context context, + krb5_keytab keytab, + const char **keytab_name) +{ + char keytab_string[MAX_KEYTAB_NAME_LEN]; + krb5_error_code ret = 0; + + ret = krb5_kt_get_name(context, keytab, + keytab_string, MAX_KEYTAB_NAME_LEN - 2); + if (ret) { + return ret; + } + + *keytab_name = talloc_strdup(mem_ctx, keytab_string); + if (!*keytab_name) { + return ENOMEM; + } + + return ret; +} + #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, -- cgit From 23cafd02d3222b910dbc30a7eab20ebdcc81ab33 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 26 Jun 2008 13:19:40 -0700 Subject: Fix return of uninitialized variable. Jeremy. (This used to be commit 384052f546af8c1c6848c03cad4f2ba618ba7209) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 2aae9df53e..cbe8f24909 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -217,7 +217,7 @@ static int create_kerberos_key_from_string_direct(krb5_context context, krb5_enctype enctype, bool no_salt) { - int ret; + int ret = 0; krb5_data salt; krb5_encrypt_block eblock; -- cgit From 70c2a5b02eba592b30c9239383445c2c16295ba0 Mon Sep 17 00:00:00 2001 
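Review bot: smb_krb5_keytab_name passes `MAX_KEYTAB_NAME_LEN - 2` to krb5_kt_get_name with no explanation, the same unexplained `- 2` used for krb5_kt_default_name in smb_krb5_open_keytab; either pass `sizeof(keytab_string)` or comment why two bytes are held back. Whether krb5_kt_get_name NUL-terminates on success is not visible here; if it is not guaranteed, `keytab_string[sizeof(keytab_string) - 1] = '\0';` before the talloc_strdup is cheap insurance. The final `return ret;` is always 0 at that point, so `return 0;` reads more honestly.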
From: Stefan Metzmacher Date: Mon, 4 Aug 2008 13:52:18 +0200 Subject: clikrb5: don't use krb5_keyblock_init() when no salt is specified If the caller wants to create a key with no salt we should not use krb5_keyblock_init() (only used when using heimdal) because it does sanity checks on the key length. metze (This used to be commit c83de77b750837a110611d7023c4cf71d2d0bab1) --- source3/libsmb/clikrb5.c | 65 ++++++++++++++++++++++-------------------------- 1 file changed, 30 insertions(+), 35 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index cbe8f24909..d5d7c1f3b9 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -31,10 +31,12 @@ #define KRB5_KEY_TYPE(k) ((k)->keytype) #define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length) #define KRB5_KEY_DATA(k) ((k)->keyvalue.data) +#define KRB5_KEY_DATA_CAST void #else /* MIT */ #define KRB5_KEY_TYPE(k) ((k)->enctype) #define KRB5_KEY_LENGTH(k) ((k)->length) #define KRB5_KEY_DATA(k) ((k)->contents) +#define KRB5_KEY_DATA_CAST krb5_octet #endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ /************************************************************** 
@@ -214,31 +216,21 @@ static int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, - krb5_enctype enctype, - bool no_salt) + krb5_enctype enctype) { int ret = 0; krb5_data salt; krb5_encrypt_block eblock; - if (no_salt) { - key->contents = (krb5_octet *)SMB_MALLOC(password->length); - if (!key->contents) { - return ENOMEM; - } - memcpy(key->contents, password->data, password->length); - key->length = password->length; - key->enctype = enctype; - } else { - ret = krb5_principal2salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); - return ret; - } - krb5_use_enctype(context, &eblock, enctype); - ret = krb5_string_to_key(context, &eblock, key, password, &salt); - SAFE_FREE(salt.data); + ret = krb5_principal2salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); + return ret; } + krb5_use_enctype(context, &eblock, enctype); + ret = krb5_string_to_key(context, &eblock, key, password, &salt); + SAFE_FREE(salt.data); + return ret; } #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) 
@@ -246,27 +238,20 @@ static int create_kerberos_key_from_string_direct(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, - krb5_enctype enctype, - bool no_salt) + krb5_enctype enctype) { int ret; krb5_salt salt; - if (no_salt) { - return krb5_keyblock_init(context, enctype, - password->data, password->length, - key); - } else { - ret = krb5_get_pw_salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); - return ret; - } - - ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key); - krb5_free_salt(context, salt); + ret = krb5_get_pw_salt(context, host_princ, &salt); + if (ret) { + DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); + return ret; } + ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key); + krb5_free_salt(context, salt); + return ret; } #else @@ -287,8 +272,18 @@ static int create_kerberos_key_from_string_direct(krb5_context context, * principal/enctype in a non-obvious way. If it is, try to match * its behavior. */ + if (no_salt) { + KRB5_KEY_DATA(key) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length); + if (!KRB5_KEY_DATA(key)) { + return ENOMEM; + } + memcpy(KRB5_KEY_DATA(key), password->data, password->length); + KRB5_KEY_LENGTH(key) = password->length; + KRB5_KEY_TYPE(key) = enctype; + return 0; + } salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype); - ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype, no_salt); + ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype); if (salt_princ) { krb5_free_principal(context, salt_princ); } -- cgit From e8c7ff3e880c7c7e696c5ba7baa8536b4ea7cb89 Mon Sep 17 00:00:00 2001 
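Review bot: The new no_salt branch in the `#else` hunk hands the library a keyblock whose contents were obtained with `SMB_MALLOC`, but the caller will presumably release it with the krb5 keyblock free routine, so the allocation crosses the Samba/krb5 boundary; that only holds together while SMB_MALLOC is a plain malloc wrapper and the library frees with free(), and deserves `/* contents are SMB_MALLOC'd; released by the krb5 keyblock free on the caller's side */` next to the assignment. `SMB_MALLOC(password->length)` with length 0 may return NULL and be reported as ENOMEM, so reject an empty password explicitly if an empty key is never valid here. The function continues past the hunk.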
From: Jeremy Allison Date: Fri, 8 Aug 2008 14:32:15 -0700 Subject: Add Derrick Schommer's kerberos delegation patch. Some work by me and advice by Love. Jeremy. (This used to be commit ecc3838e4cb5d0c0769ec6d9a34a877ca584ffcc) --- source3/libsmb/clikrb5.c | 186 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 184 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index d5d7c1f3b9..9d39483eae 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -39,6 +39,18 @@ #define KRB5_KEY_DATA_CAST krb5_octet #endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ +#define GSSAPI_CHECKSUM 0x8003 /* Checksum type value for Kerberos */ +#define GSSAPI_BNDLENGTH 16 /* Bind Length (rfc-1964 pg.3) */ +#define GSSAPI_CHECKSUM_SIZE (12+GSSAPI_BNDLENGTH) + +#if defined(TKT_FLG_OK_AS_DELEGATE) && defined(HAVE_KRB5_FWD_TGT_CREDS) +static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context, + krb5_auth_context *auth_context, + krb5_creds *credsp, + krb5_ccache ccache, + krb5_data *authenticator); +#endif + /************************************************************** Wrappers around kerberos string functions that convert from utf8 -> unix charset and vica versa. @@ -654,6 +666,8 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, bool creds_ready = False; int i = 0, maxtries = 3; + ZERO_STRUCT(in_data); + retval = smb_krb5_parse_name(context, principal, &server); if (retval) { DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal)); 
@@ -709,14 +723,69 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, *expire_time = (time_t)credsp->times.endtime; } - in_data.length = 0; +#if defined(TKT_FLG_OK_AS_DELEGATE) && defined(HAVE_KRB5_FWD_TGT_CREDS) + if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) { + /* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket + as part of the kerberos exchange. */ + + DEBUG( 3, ("ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT\n") ); + + if( *auth_context == NULL ) { + /* Allocate if it has not yet been allocated. */ + retval = krb5_auth_con_init( context, auth_context ); + if (retval) { + DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_init failed (%s)\n", + error_message(retval))); + goto cleanup_creds; + } + } + + retval = krb5_auth_con_setuseruserkey( context, *auth_context, &credsp->keyblock ); + if (retval) { + DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_setuseruserkey failed (%s)\n", + error_message(retval))); + goto cleanup_creds; + } + + /* Must use a subkey for forwarded tickets. */ + retval = krb5_auth_con_setflags( context, *auth_context, KRB5_AUTH_CONTEXT_USE_SUBKEY); + if (retval) { + DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_setflags failed (%s)\n", + error_message(retval))); + goto cleanup_creds; + } + + retval = ads_krb5_get_fwd_ticket( context, + auth_context, + credsp, + ccache, + &in_data ); + if (retval) { + DEBUG( 1, ("ads_krb5_get_fwd_ticket failed (%s)\n", error_message( retval ) ) ); + goto cleanup_creds; + } + + if (retval) { + DEBUG( 1, ("krb5_auth_con_set_req_cksumtype failed (%s)\n", + error_message( retval ) ) ); + goto cleanup_creds; + } + + } +#endif + retval = krb5_mk_req_extended(context, auth_context, ap_req_options, &in_data, credsp, outbuf); if (retval) { DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n", error_message(retval))); } - + + if (in_data.data) { + free( in_data.data ); + in_data.length = 0; + } + krb5_free_creds(context, credsp); cleanup_creds: 
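Review bot: The new error paths taken after `credsp` has been obtained (`krb5_auth_con_init`, `krb5_auth_con_setuseruserkey`, `krb5_auth_con_setflags` and the `ads_krb5_get_fwd_ticket` failure) all `goto cleanup_creds`, but that label sits after `krb5_free_creds(context, credsp);`, so the service-ticket credentials leak on each of them; either free first, `krb5_free_creds(context, credsp); goto cleanup_creds;`, or add a label between the free and `cleanup_creds:` and jump there. The second `if (retval)` after the `ads_krb5_get_fwd_ticket` call can never be true and its message names a function this block does not call. Separately, delegation is triggered solely by the KDC's `TKT_FLG_OK_AS_DELEGATE` bit: the client hands a forwarded TGT to any service the KDC marks that way, and no client-side opt-in is visible in this hunk — if none exists elsewhere, a caller-controlled flag is worth adding, since this is unconstrained delegation of the user's identity. ads_krb5_mk_req begins before and ends after this hunk.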
@@ -1744,6 +1813,119 @@ krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx, return ret; } +#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) +/************************************************************** +Routine: ads_krb5_get_fwd_ticket + Description: + When a service ticket is flagged as trusted + for delegation we should provide a forwardable + ticket so that the remote host can act on our + behalf. This is done by taking the 2nd forwardable + TGT and storing it in the GSS-API authenticator + "checksum". This routine will populate + the krb5_data authenticator with this TGT. + Parameters: + krb5_context context: The kerberos context for this authentication. + krb5_auth_context: The authentication context. + krb5_creds *credsp: The ticket credentials (AS-REP). + krb5_ccache ccache: The credentials cache. + krb5_data &authenticator: The checksum field that will store the TGT, and + authenticator.data must be freed by the caller. + + Returns: + krb5_error_code: 0 if no errors, otherwise set. 
+**************************************************************/ + +static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context, + krb5_auth_context *auth_context, + krb5_creds *credsp, + krb5_ccache ccache, + krb5_data *authenticator) +{ + krb5_data fwdData; + krb5_error_code retval = 0; + char *pChksum = NULL; + char *p = NULL; + + ZERO_STRUCT(fwdData); + ZERO_STRUCTP(authenticator); + + retval = krb5_fwd_tgt_creds(context,/* Krb5 context [in] */ + *auth_context, /* Authentication context [in] */ + CONST_DISCARD(char *, KRB5_TGS_NAME), /* Ticket service name ("krbtgt") [in] */ + credsp->client, /* Client principal for the tgt [in] */ + credsp->server, /* Server principal for the tgt [in] */ + ccache, /* Credential cache to use for storage [in] */ + 1, /* Turn on for "Forwardable ticket" [in] */ + &fwdData ); /* Resulting response [out] */ + + + if (retval) { + DEBUG(1,("ads_krb5_get_fwd_ticket: krb5_fwd_tgt_creds failed (%s)\n", + error_message(retval))); + goto out; + } + + if ((unsigned int)GSSAPI_CHECKSUM_SIZE + (unsigned int)fwdData.length < + (unsigned int)GSSAPI_CHECKSUM_SIZE) { + retval = EINVAL; + goto out; + } + + /* We're going to allocate a gssChecksum structure with a little + extra data the length of the kerberos credentials length + (APPLICATION 22) so that we can pack it on the end of the structure. 
+ */ + + pChksum = SMB_MALLOC(GSSAPI_CHECKSUM_SIZE + fwdData.length ); + if (!pChksum) { + retval = ENOMEM; + goto out; + } + + p = pChksum; + + SIVAL(p, 0, GSSAPI_BNDLENGTH); + p += 4; + + /* Zero out the bindings fields */ + memset(p, '\0', GSSAPI_BNDLENGTH ); + p += GSSAPI_BNDLENGTH; + + SIVAL(p, 0, GSS_C_DELEG_FLAG ); + p += 4; + SSVAL(p, 0, 1 ); + p += 2; + SSVAL(p, 0, fwdData.length ); + p += 2; + + /* Migrate the kerberos KRB_CRED data to the checksum delegation */ + memcpy(p, fwdData.data, fwdData.length ); + p += fwdData.length; + + /* We need to do this in order to allow our GSS-API */ + retval = krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM ); + if (retval) { + goto out; + } + + /* We now have a service ticket, now turn it into an AP-REQ. */ + authenticator->length = ntohs(fwdData.length + GSSAPI_CHECKSUM_SIZE); + + /* Caller should call free() when they're done with this. */ + authenticator->data = (char *)pChksum; + + out: + + /* Remove that input data, we never needed it anyway. */ + if (fwdData.length > 0) { + krb5_free_data_contents( context, &fwdData ); + } + + return retval; +} +#endif + #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, -- cgit From 6d99eedafc3f35a4cdd544c6eea9a7f527193b50 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 8 Aug 2008 15:15:36 -0700 Subject: Try and fix the build for systems that don't have krb5_auth_con_set_req_cksumtype(). Jeremy. (This used to be commit 8598e7b06ec57ca6fcde863270e6bb0e2de9993e) --- source3/libsmb/clikrb5.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 9d39483eae..9cd5cd3310 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
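Review bot: `SSVAL(p, 0, fwdData.length)` writes the Dlgth field as 16 bits while `memcpy` copies the full `fwdData.length`, so a KRB-CRED above 65535 bytes is appended in full but announced with a truncated length, and the overflow guard above does not catch that case; reject it before allocating. On the `krb5_auth_con_set_req_cksumtype` failure path `pChksum` has been allocated but is neither freed nor handed to the caller, so it leaks. The header comment also describes `credsp` as "(AS-REP)"; from the call site in ads_krb5_mk_req it is the service ticket obtained from the TGS, so `The service ticket credentials (TGS-REP).` would be accurate.
```c
	/* Dlgth is a 16-bit field (RFC 1964 1.1.1); a larger KRB-CRED cannot be encoded. */
	if (fwdData.length > 0xffff ||
	    (unsigned int)GSSAPI_CHECKSUM_SIZE + (unsigned int)fwdData.length <
	    (unsigned int)GSSAPI_CHECKSUM_SIZE) {
		retval = EINVAL;
		goto out;
	}
	/* … unchanged: allocate pChksum and pack Lgth, Bnd, Flags, DlgOpt, Dlgth, KRB-CRED … */
	retval = krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM );
	if (retval) {
		free(pChksum);
		goto out;
	}
```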
@@ -43,7 +43,7 @@ #define GSSAPI_BNDLENGTH 16 /* Bind Length (rfc-1964 pg.3) */ #define GSSAPI_CHECKSUM_SIZE (12+GSSAPI_BNDLENGTH) -#if defined(TKT_FLG_OK_AS_DELEGATE) && defined(HAVE_KRB5_FWD_TGT_CREDS) +#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context, krb5_auth_context *auth_context, krb5_creds *credsp, @@ -723,7 +723,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, *expire_time = (time_t)credsp->times.endtime; } -#if defined(TKT_FLG_OK_AS_DELEGATE) && defined(HAVE_KRB5_FWD_TGT_CREDS) +#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) { /* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket as part of the kerberos exchange. */ @@ -1813,7 +1813,7 @@ krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx, return ret; } -#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) +#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) /************************************************************** Routine: ads_krb5_get_fwd_ticket Description: -- cgit From 3acde0d74711e4e7169dd4b0a0a2ea8fa476cef2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 8 Aug 2008 16:08:11 -0700 Subject: One more build fix. Ensure we have KRB5_AUTH_CONTEXT_USE_SUBKEY defined before we compile the new code. Jeremy. (This used to be commit 7686752c5b015b15a6729631ba4aeedd25ebc659) --- source3/libsmb/clikrb5.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 9cd5cd3310..2052d5a1bc 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -43,7 +43,7 @@ #define GSSAPI_BNDLENGTH 16 /* Bind Length (rfc-1964 pg.3) */ #define GSSAPI_CHECKSUM_SIZE (12+GSSAPI_BNDLENGTH) -#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) +#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context, krb5_auth_context *auth_context, krb5_creds *credsp, @@ -723,7 +723,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, *expire_time = (time_t)credsp->times.endtime; } -#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) +#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) { /* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket as part of the kerberos exchange. */ @@ -1813,7 +1813,7 @@ krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx, return ret; } -#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) +#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) /************************************************************** Routine: ads_krb5_get_fwd_ticket Description: -- cgit From c7257754cdda2e7137969417eb56481192b0654a Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 11 Aug 2008 11:20:38 +0200 Subject: fix build warning. Guenther (This used to be commit 85021d6a459c957cc276a93c3515029244f52677) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') 
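Review bot: The same four-term `#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && ...` guard is now repeated verbatim at the prototype, the call site and the definition, and this commit and the previous one each had to touch all three. Evaluating it once near the other defines, `#if defined(TKT_FLG_OK_AS_DELEGATE) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)` followed by `#define HAVE_KRB5_DELEGATION 1`, and reducing the three sites to `#ifdef HAVE_KRB5_DELEGATION`, keeps them from drifting apart. The stray space in `TKT_FLG_OK_AS_DELEGATE )` is harmless but reads as a typo.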
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 2052d5a1bc..5bb33b11d7 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -1877,7 +1877,7 @@ static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context, (APPLICATION 22) so that we can pack it on the end of the structure. */ - pChksum = SMB_MALLOC(GSSAPI_CHECKSUM_SIZE + fwdData.length ); + pChksum = (char *)SMB_MALLOC(GSSAPI_CHECKSUM_SIZE + fwdData.length ); if (!pChksum) { retval = ENOMEM; goto out; -- cgit From 2597c97d3a274bdb96e9958a79aa70d84381a12a Mon Sep 17 00:00:00 2001 From: Igor Mammedov Date: Mon, 18 Aug 2008 09:55:11 -0700 Subject: Fix length error in wrapping spnego blob (This used to be commit 16ee95494ba495c5f5ff8779206f380db1067b2d) --- source3/libsmb/clikrb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 5bb33b11d7..fa21ad3467 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -1910,7 +1910,7 @@ static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context, } /* We now have a service ticket, now turn it into an AP-REQ. */ - authenticator->length = ntohs(fwdData.length + GSSAPI_CHECKSUM_SIZE); + authenticator->length = fwdData.length + GSSAPI_CHECKSUM_SIZE; /* Caller should call free() when they're done with this. */ authenticator->data = (char *)pChksum; -- cgit From 0380fe9d823d6219441050a9b7298bf039b20742 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 22 Aug 2008 16:08:00 +0200 Subject: kerberos: move the KRB5_KEY* macros to header file. Guenther (This used to be commit c28fa17ffffee3e6fd4897c9c6b4937388a19600) --- source3/libsmb/clikrb5.c | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index fa21ad3467..b6fb7cf050 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
@@ -27,18 +27,6 @@ #ifdef HAVE_KRB5 -#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */ -#define KRB5_KEY_TYPE(k) ((k)->keytype) -#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length) -#define KRB5_KEY_DATA(k) ((k)->keyvalue.data) -#define KRB5_KEY_DATA_CAST void -#else /* MIT */ -#define KRB5_KEY_TYPE(k) ((k)->enctype) -#define KRB5_KEY_LENGTH(k) ((k)->length) -#define KRB5_KEY_DATA(k) ((k)->contents) -#define KRB5_KEY_DATA_CAST krb5_octet -#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ - #define GSSAPI_CHECKSUM 0x8003 /* Checksum type value for Kerberos */ #define GSSAPI_BNDLENGTH 16 /* Bind Length (rfc-1964 pg.3) */ #define GSSAPI_CHECKSUM_SIZE (12+GSSAPI_BNDLENGTH) -- cgit From bff20e14c38d7139033127182b76aa24e471b581 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 22 Aug 2008 14:58:01 +0200 Subject: kerberos: use KRB5_KT_KEY macro where appropriate. Guenther (This used to be commit a042dffd7121bda3dbc9509f69fcfae06ed4cc22) --- source3/libsmb/clikrb5.c | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index b6fb7cf050..bedd7d7aee 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -1045,6 +1045,7 @@ get_key_from_keytab(krb5_context context, krb5_error_code ret; krb5_keytab keytab; char *name = NULL; + krb5_keyblock *keyp; /* We have to open a new keytab handle here, as MIT does an implicit open/getnext/close on krb5_kt_get_entry. We 
@@ -1077,14 +1078,9 @@ get_key_from_keytab(krb5_context context, goto out; } -#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */ - ret = krb5_copy_keyblock(context, &entry.keyblock, out_key); -#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */ - ret = krb5_copy_keyblock(context, &entry.key, out_key); -#else -#error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT -#endif + keyp = KRB5_KT_KEY(&entry); + ret = krb5_copy_keyblock(context, keyp, out_key); if (ret) { DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret))); goto out; @@ -1572,15 +1568,9 @@ done: #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */ } - krb5_enctype smb_get_enctype_from_kt_entry(const krb5_keytab_entry *kt_entry) + krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry) { -#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */ - return kt_entry->key.enctype; -#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK) /* Heimdal */ - return kt_entry->keyblock.keytype; -#else -#error UNKNOWN_KRB5_KEYTAB_ENTRY_KEYBLOCK_FORMAT -#endif + return KRB5_KEY_TYPE(KRB5_KT_KEY(kt_entry)); } -- cgit From 06dd647fe04535474eab85d110d409781544e7a7 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 31 Aug 2008 11:45:12 +0200 Subject: Remove a duplicate retval check Jeremy, please check! (This used to be commit 6579005e6490f1a99b3860627ba51decaeb864bd) --- source3/libsmb/clikrb5.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index bedd7d7aee..f940081072 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c 
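Review bot: `smb_get_enctype_from_kt_entry` loses the `const` on its `krb5_keytab_entry *` parameter, which is a public-prototype change: the function is non-static, and any caller holding a const entry now gets a discarded-qualifier warning or needs a cast; the matching header declaration is outside this diff. If the only reason is that `KRB5_KT_KEY` does not accept a const pointer, keeping the prototype and confining the cast to this one line with the file's own idiom, `return KRB5_KEY_TYPE(KRB5_KT_KEY(CONST_DISCARD(krb5_keytab_entry *, kt_entry)));`, avoids the interface change.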
@@ -749,16 +749,10 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, ccache, &in_data ); if (retval) { - DEBUG( 1, ("ads_krb5_get_fwd_ticket failed (%s)\n", error_message( retval ) ) ); + DEBUG( 1, ("ads_krb5_get_fwd_ticket failed (%s)\n", + error_message( retval ) ) ); goto cleanup_creds; } - - if (retval) { - DEBUG( 1, ("krb5_auth_con_set_req_cksumtype failed (%s)\n", - error_message( retval ) ) ); - goto cleanup_creds; - } - } #endif -- cgit From 3978317af0c265d317258f5f6a04436100437a8c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 10 Sep 2008 10:18:02 -0700 Subject: Fix blocker bug 5745 kerberos authentication with (lib)smbclient is broken. Jeremy. (This used to be commit a59bd0e4854117a8646f4d388a0f7285362d5ba2) --- source3/libsmb/clikrb5.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/clikrb5.c') diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index f940081072..b8afb57977 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -749,9 +749,21 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, ccache, &in_data ); if (retval) { - DEBUG( 1, ("ads_krb5_get_fwd_ticket failed (%s)\n", + DEBUG( 3, ("ads_krb5_get_fwd_ticket failed (%s)\n", error_message( retval ) ) ); - goto cleanup_creds; + + /* + * This is not fatal. Delete the *auth_context and continue + * with krb5_mk_req_extended to get a non-forwardable ticket. + */ + + if (in_data.data) { + free( in_data.data ); + in_data.data = NULL; + in_data.length = 0; + } + krb5_auth_con_free(context, *auth_context); + *auth_context = NULL; } } #endif -- cgit
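Review bot: The fallback's `if (in_data.data)` block is dead: ads_krb5_get_fwd_ticket zeroes its output at entry and assigns `authenticator->data` only after every check has passed, so `in_data.data` is always NULL when it returns an error. The debug line still reads as a plain failure while the function now continues without delegation; saying so, `DEBUG(3, ("ads_krb5_get_fwd_ticket failed (%s), continuing without delegation\n", error_message(retval)));`, stops an operator from missing a silent downgrade to a non-forwarded ticket. If a caller passed in an already-initialised `*auth_context` (the allocate-only-if-NULL branch earlier in this block implies that is allowed), the fallback frees it and lets `krb5_mk_req_extended` create a fresh one, dropping whatever the caller had configured on it — whether any caller relies on that is not visible here. The earlier `krb5_auth_con_*` error paths in this block remain fatal and are outside the hunk.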