From f4607c6e55f6aaa8fe774c7e739fab0556e7bfc0 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 29 Jun 2005 03:01:35 +0000
Subject: r7989: Allow the use of hashed passwords in the kerberos client and
 server, and create the in-memory keytab with the correct kvno, if available.

Andrew Bartlett
(This used to be commit 7b7b2b038e25f3d767b5db7d6e41dd947fdde091)
---
 source4/auth/kerberos/kerberos.c      |  54 ++++++++++++++++++
 source4/auth/kerberos/kerberos_util.c | 100 ++++++++++++++++++++++++++++------
 2 files changed, 137 insertions(+), 17 deletions(-)

(limited to 'source4/auth')

diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index 4b3750658f..8c82ae780e 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -61,6 +61,60 @@ kerb_prompter(krb5_context ctx, void *data,
 	return 0;
 }
 
+/*
+  simulate a kinit, putting the tgt in the given credentials cache. 
+  Orignally by remus@snapserver.com
+ 
+  This version is built to use a keyblock, rather than needing the
+  original password.
+*/
+ int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, 
+				const char *principal, krb5_keyblock *keyblock,
+				time_t *expire_time, time_t *kdc_time)
+{
+	krb5_error_code code = 0;
+	krb5_principal me;
+	krb5_creds my_creds;
+	krb5_get_init_creds_opt options;
+
+	if ((code = krb5_parse_name(ctx, principal, &me))) {
+		return code;
+	}
+
+	krb5_get_init_creds_opt_init(&options);
+
+	if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, me, keyblock,
+						 0, NULL, &options))) {
+		krb5_free_principal(ctx, me);
+		return code;
+	}
+	
+	if ((code = krb5_cc_initialize(ctx, cc, me))) {
+		krb5_free_cred_contents(ctx, &my_creds);
+		krb5_free_principal(ctx, me);
+		return code;
+	}
+	
+	if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
+		krb5_free_cred_contents(ctx, &my_creds);
+		krb5_free_principal(ctx, me);
+		return code;
+	}
+	
+	if (expire_time) {
+		*expire_time = (time_t) my_creds.times.endtime;
+	}
+
+	if (kdc_time) {
+		*kdc_time = (time_t) my_creds.times.starttime;
+	}
+
+	krb5_free_cred_contents(ctx, &my_creds);
+	krb5_free_principal(ctx, me);
+	
+	return 0;
+}
+
 /*
   simulate a kinit, putting the tgt in the given credentials cache. 
   Orignally by remus@snapserver.com
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 9f93ffe7b0..b2d9234aeb 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -3,7 +3,7 @@
 
    Kerberos utility functions for GENSEC
    
-   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -149,10 +149,34 @@ static int free_ccache(void *ptr) {
 	mem_ctx->ccache = *ccache;
 
 	talloc_set_destructor(mem_ctx, free_ccache);
-	ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache, 
-					 cli_credentials_get_principal(credentials, mem_ctx), 
-					 password, NULL, &kdc_time);
-	
+
+	if (password) {
+		ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache, 
+						 cli_credentials_get_principal(credentials, mem_ctx), 
+						 password, NULL, &kdc_time);
+	} else {
+		/* No password available, try to use a keyblock instead */
+
+		krb5_keyblock keyblock;
+		const struct samr_Password *mach_pwd;
+		mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx);
+		if (!mach_pwd) {
+			talloc_free(mem_ctx);
+			DEBUG(1, ("kinit_to_ccache: No password available for kinit\n"));
+			return NT_STATUS_WRONG_PASSWORD;
+		}
+		ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
+					 ENCTYPE_ARCFOUR_HMAC,
+					 mach_pwd->hash, sizeof(mach_pwd->hash), 
+					 &keyblock);
+		
+		if (ret == 0) {
+			ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, *ccache, 
+							 cli_credentials_get_principal(credentials, mem_ctx), 
+							 &keyblock, NULL, &kdc_time);
+		}
+	}
+
 	/* cope with ticket being in the future due to clock skew */
 	if ((unsigned)kdc_time > time(NULL)) {
 		time_t t = time(NULL);
@@ -206,17 +230,6 @@ static int free_keytab(void *ptr) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	password_s = talloc_strdup(mem_ctx, cli_credentials_get_password(machine_account));
-	if (!password_s) {
-		DEBUG(1, ("create_memory_keytab: Could not obtain password for our local machine account!\n"));
-		talloc_free(mem_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-	password.data = password_s;
-	password.length = strlen(password_s);
-	
-	/* this string should be unique */
-	
 	ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY_WILDCARD:", keytab);
 	if (ret) {
 		DEBUG(1,("failed to generate a new krb5 keytab: %s\n", 
@@ -239,30 +252,81 @@ static int free_keytab(void *ptr) {
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
+	password_s = talloc_strdup(mem_ctx, cli_credentials_get_password(machine_account));
+	if (!password_s) {
+		/* If we don't have the plaintext password, try for
+		 * the MD4 password hash */
+
+		krb5_keytab_entry entry;
+		const struct samr_Password *mach_pwd;
+		mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx);
+		if (!mach_pwd) {
+			talloc_free(mem_ctx);
+			DEBUG(1, ("create_memory_keytab: Domain trust informaton for account %s not available\n",
+				  cli_credentials_get_principal(machine_account, mem_ctx)));
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		}
+		ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
+					 ENCTYPE_ARCFOUR_HMAC,
+					 mach_pwd->hash, sizeof(mach_pwd->hash), 
+					 &entry.keyblock);
+		if (ret) {
+			DEBUG(1, ("create_memory_keytab: krb5_keyblock_init failed: %s\n",
+				  smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+							     ret, mem_ctx)));
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+
+		entry.principal = salt_princ;
+		entry.vno       = cli_credentials_get_kvno(machine_account);
+		ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
+		if (ret) {
+			DEBUG(1, ("Failed to add ARCFOUR_HMAC (only) entry for %s to keytab: %s",
+				  cli_credentials_get_principal(machine_account, mem_ctx), 
+				  smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+							     ret, mem_ctx)));
+			talloc_free(mem_ctx);
+			krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+		
+		krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
+		return NT_STATUS_OK;
+	}
+		
+	/* good, we actually have the real plaintext */
+
 	ret = get_kerberos_allowed_etypes(smb_krb5_context->krb5_context, 
 					  &enctypes);
 	if (ret) {
 		DEBUG(1,("create_memory_keytab: getting encrption types failed (%s)\n",
 			 error_message(ret)));
+		talloc_free(mem_ctx);
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
+	password.data = discard_const_p(char *, password_s);
+	password.length = strlen(password_s);
+	
 	for (i=0; enctypes[i]; i++) {
 		krb5_keytab_entry entry;
 		ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context, 
 						      salt_princ, &password, &entry.keyblock, enctypes[i]);
 		if (ret) {
+			talloc_free(mem_ctx);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
                 entry.principal = salt_princ;
-                entry.vno       = 0 /* replace with real kvno */;
+                entry.vno       = cli_credentials_get_kvno(machine_account);
 		ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
 		if (ret) {
 			DEBUG(1, ("Failed to add entry for %s to keytab: %s",
 				  cli_credentials_get_principal(machine_account, mem_ctx), 
 				  smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
 							     ret, mem_ctx)));
+			talloc_free(mem_ctx);
+			krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 		
@@ -273,3 +337,5 @@ static int free_keytab(void *ptr) {
 
 	return NT_STATUS_OK;
 }
+
+
-- 
cgit