From fe64484824d8169bf66822ebf7f6a9180a238e6e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 29 Nov 2001 06:21:56 +0000 Subject: Make better use of the ads_init() function to get the kerberos relam etc. This allows us to use automagically obtained values in future, and the value from krb5.conf now. Also fix mem leaks etc. Andrew Bartlett (This used to be commit 8f9ce717819235d98a1463f20ac659cb4b4ebbd2) --- source3/smbd/negprot.c | 22 +++++++++++++--------- source3/smbd/sesssetup.c | 19 ++++++++++++------- 2 files changed, 25 insertions(+), 16 deletions(-) (limited to 'source3/smbd') diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 9a03e1ba96..78d4da3a75 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -184,15 +184,19 @@ static int negprot_spnego(char *p) return 16; } #endif - - /* win2000 uses host$@REALM, which we will probably use eventually, - but for now this works */ - asprintf(&principal, "HOST/%s@%s", guid, lp_realm()); - blob = spnego_gen_negTokenInit(guid, - lp_security()==SEC_ADS ? OIDs_krb5 : OIDs_plain, - principal); - free(principal); - + { + ADS_STRUCT *ads; + ads = ads_init(NULL, NULL, NULL); + + /* win2000 uses host$@REALM, which we will probably use eventually, + but for now this works */ + asprintf(&principal, "HOST/%s@%s", guid, ads->realm); + blob = spnego_gen_negTokenInit(guid, + lp_security()==SEC_ADS ? OIDs_krb5 : OIDs_plain, + principal); + free(principal); + ads_destroy(&ads); + } memcpy(p, blob.data, blob.length); len = blob.length; data_blob_free(&blob); diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 863a509042..35155c0dec 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -74,23 +74,25 @@ static int reply_spnego_kerberos(connection_struct *conn, DATA_BLOB *secblob) { DATA_BLOB ticket; - char *realm, *client, *p; + char *client, *p; const struct passwd *pw; char *user; int sess_vuid; NTSTATUS ret; DATA_BLOB auth_data; auth_serversupplied_info *server_info = NULL; - - realm = lp_realm(); + ADS_STRUCT *ads; if (!spnego_parse_krb5_wrap(*secblob, &ticket)) { return ERROR_NT(NT_STATUS_LOGON_FAILURE); } - ret = ads_verify_ticket(&ticket, &client, &auth_data); + ads = ads_init(NULL, NULL, NULL); + + ret = ads_verify_ticket(ads, &ticket, &client, &auth_data); if (!NT_STATUS_IS_OK(ret)) { - DEBUG(1,("Failed to verify incoming ticket!\n")); + DEBUG(1,("Failed to verify incoming ticket!\n")); + ads_destroy(&ads); return ERROR_NT(NT_STATUS_LOGON_FAILURE); } @@ -99,15 +101,18 @@ static int reply_spnego_kerberos(connection_struct *conn, p = strchr_m(client, '@'); if (!p) { DEBUG(3,("Doesn't look like a valid principal\n")); + ads_destroy(&ads); return ERROR_NT(NT_STATUS_LOGON_FAILURE); } *p = 0; - if (strcasecmp(p+1, realm) != 0) { + if (strcasecmp(p+1, ads->realm) != 0) { DEBUG(3,("Ticket for incorrect realm %s\n", p+1)); + ads_destroy(&ads); return ERROR_NT(NT_STATUS_LOGON_FAILURE); } - + ads_destroy(&ads); + user = client; /* the password is good - let them in */ -- cgit