From 28d78c40ade22c4b5d445dbe23f18ca210e41f8c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 24 Jan 2006 05:31:08 +0000 Subject: r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0) --- source4/auth/credentials/credentials_files.c | 29 ++++++++++------------------ source4/auth/credentials/credentials_krb5.c | 14 ++++++++++++++ source4/auth/kerberos/kerberos_util.c | 4 +++- source4/auth/kerberos/krb5_init_context.c | 2 ++ 4 files changed, 29 insertions(+), 20 deletions(-) (limited to 'source4/auth') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 219869cf3a..53350b8ed0 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -267,17 +267,12 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED); } else { - - DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n", - cli_credentials_get_domain(cred))); - - /* set anonymous as the fallback, if the machine account won't work */ - cli_credentials_set_anonymous(cred); - - talloc_free(mem_ctx); - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + cli_credentials_set_password(cred, NULL, CRED_SPECIFIED); } + } else { + cli_credentials_set_password(cred, password, CRED_SPECIFIED); } + domain = ldb_msg_find_string(msgs[0], "flatname", NULL); if (domain) { @@ -290,9 +285,6 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, } cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); - if (password) { - cli_credentials_set_password(cred, password, CRED_SPECIFIED); - } cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0)); @@ -417,13 +409,14 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx) return NT_STATUS_ACCESS_DENIED; } - /* search for the secret record */ + /* search for the secret record, but only of things we can + * actually update */ ldb_ret = gendb_search(ldb, mem_ctx, NULL, &msgs, attrs, - "objectClass=kerberosSecret"); + "(&(objectClass=kerberosSecret)(|(secret=*)(ntPwdHash=*)))"); if (ldb_ret == -1) { - DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab")); + DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab:: %s", ldb_errstring(ldb))); talloc_free(mem_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -442,15 +435,13 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx) if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to read secrets for keytab update for %s\n", filter)); - talloc_free(mem_ctx); - return status; + continue; } ret = cli_credentials_update_keytab(creds); if (ret != 0) { DEBUG(1, ("Failed to update keytab for %s\n", filter)); - talloc_free(mem_ctx); - return NT_STATUS_UNSUCCESSFUL; + continue; } } return NT_STATUS_OK; diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c index 5f40ca1046..29b70d9a53 100644 --- a/source4/auth/credentials/credentials_krb5.c +++ b/source4/auth/credentials/credentials_krb5.c @@ -43,6 +43,20 @@ int cli_credentials_get_krb5_context(struct cli_credentials *cred, return 0; } +/* This needs to be called directly after the cli_credentials_init(), + * otherwise we might have problems with the krb5 context already + * being here. + */ +NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred, + struct smb_krb5_context *smb_krb5_context) +{ + if (!talloc_reference(cred, smb_krb5_context)) { + return NT_STATUS_NO_MEMORY; + } + cred->smb_krb5_context = smb_krb5_context; + return NT_STATUS_OK; +} + int cli_credentials_set_from_ccache(struct cli_credentials *cred, enum credentials_obtained obtained) { diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index ad0e18b2e7..776b591ba4 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -397,9 +397,9 @@ static int create_keytab(TALLOC_CTX *parent_ctx, const struct samr_Password *mach_pwd; mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx); if (!mach_pwd) { - talloc_free(mem_ctx); DEBUG(1, ("create_keytab: Domain trust informaton for account %s not available\n", cli_credentials_get_principal(machine_account, mem_ctx))); + talloc_free(mem_ctx); return EINVAL; } ret = krb5_keyblock_init(smb_krb5_context->krb5_context, @@ -410,6 +410,7 @@ static int create_keytab(TALLOC_CTX *parent_ctx, DEBUG(1, ("create_keytab: krb5_keyblock_init failed: %s\n", smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); + talloc_free(mem_ctx); return ret; } @@ -516,6 +517,7 @@ static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx, switch (ret) { case 0: break; + case HEIM_ERR_OPNOTSUPP: case ENOENT: case KRB5_KT_END: /* no point enumerating if there isn't anything here */ diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c index 8e52ac5e3f..830c803524 100644 --- a/source4/auth/kerberos/krb5_init_context.c +++ b/source4/auth/kerberos/krb5_init_context.c @@ -448,6 +448,8 @@ static void smb_krb5_send_and_recv_close_func(krb5_context context, void *data) return ret; } + (*smb_krb5_context)->krb5_context->mem_ctx = *smb_krb5_context; + talloc_steal(parent_ctx, *smb_krb5_context); talloc_free(tmp_ctx); -- cgit