From ed03516c915c4a4c8ae6f7decfa04d51049d9dd5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 13 Jul 2004 05:14:59 +0000 Subject: r1475: More kerberos work - We can now connect to hosts that follow the SPNEGO RFC, and *do not* give us their principal name in the mechListMIC. - The client code now remembers the hostname it connects to - We now kinit for a user, if there is not valid ticket already - Re-introduce clock skew compensation TODO: - See if the username in the ccache matches the username specified - Use a private ccache, rather then the global one, for a 'new' kinit - Determine 'default' usernames. - The default for Krb5 is the one in the ccache, then $USER - For NTLMSSP, it's just $USER Andrew Bartlett (This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0) --- source4/libcli/auth/kerberos.c | 64 ++++++++++++++++++++++++++---------------- 1 file changed, 40 insertions(+), 24 deletions(-) (limited to 'source4/libcli/auth/kerberos.c') diff --git a/source4/libcli/auth/kerberos.c b/source4/libcli/auth/kerberos.c index 97b895a241..b08c7f505c 100644 --- a/source4/libcli/auth/kerberos.c +++ b/source4/libcli/auth/kerberos.c @@ -54,28 +54,13 @@ kerb_prompter(krb5_context ctx, void *data, simulate a kinit, putting the tgt in the default cache location remus@snapserver.com */ -int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time) + int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, const char *principal, const char *password, time_t *expire_time, time_t *kdc_time) { - krb5_context ctx = NULL; krb5_error_code code = 0; - krb5_ccache cc = NULL; krb5_principal me; krb5_creds my_creds; - if ((code = krb5_init_context(&ctx))) - return code; - - if (time_offset != 0) { - krb5_set_real_time(ctx, time(NULL) + time_offset, 0); - } - - if ((code = krb5_cc_default(ctx, &cc))) { - krb5_free_context(ctx); - return code; - } - if ((code = krb5_parse_name(ctx, principal, &me))) { - krb5_free_context(ctx); return code; } @@ -83,32 +68,63 @@ int kerberos_kinit_password(const char *principal, const char *password, int tim kerb_prompter, NULL, 0, NULL, NULL))) { krb5_free_principal(ctx, me); - krb5_free_context(ctx); return code; } if ((code = krb5_cc_initialize(ctx, cc, me))) { krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); - krb5_free_context(ctx); return code; } if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { - krb5_cc_close(ctx, cc); krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); - krb5_free_context(ctx); return code; } - if (expire_time) + if (expire_time) { *expire_time = (time_t) my_creds.times.endtime; + } + + if (kdc_time) { + *kdc_time = (time_t) my_creds.times.starttime; + } - krb5_cc_close(ctx, cc); krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); - krb5_free_context(ctx); + + return 0; +} + + +/* + simulate a kinit, putting the tgt in the default cache location + remus@snapserver.com +*/ +int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time, time_t *kdc_time) +{ + krb5_context ctx = NULL; + krb5_error_code code = 0; + krb5_ccache cc = NULL; + + if ((code = krb5_init_context(&ctx))) + return code; + + if (time_offset != 0) { + krb5_set_real_time(ctx, time(NULL) + time_offset, 0); + } + + if ((code = krb5_cc_default(ctx, &cc))) { + krb5_free_context(ctx); + return code; + } + + if ((code = kerberos_kinit_password_cc(ctx, cc, principal, password, expire_time, kdc_time))) { + krb5_cc_close(ctx, cc); + krb5_free_context(ctx); + return code; + } return 0; } @@ -129,7 +145,7 @@ int ads_kinit_password(ADS_STRUCT *ads) return KRB5_LIBOS_CANTREADPWD; } - ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire); + ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire, NULL); if (ret) { DEBUG(0,("kerberos_kinit_password %s failed: %s\n", -- cgit