From b0c7c175b1c1ed45a31a710e4fbe18bbffdd6d38 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Oct 2005 10:28:16 +0000 Subject: r11220: Add the ability to handle the salt prinicpal as part of the credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work. Andrew Bartlett (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5) --- source4/auth/credentials/credentials.c | 1 + source4/auth/credentials/credentials.h | 1 + source4/auth/credentials/credentials_files.c | 13 +++++-- source4/auth/credentials/credentials_krb5.c | 9 +++++ source4/auth/kerberos/kerberos_util.c | 56 +++++++++++++++------------- 5 files changed, 51 insertions(+), 29 deletions(-) (limited to 'source4') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 9be877dd2c..5fe6daddbe 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -51,6 +51,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->old_password = NULL; cred->smb_krb5_context = NULL; + cred->salt_principal = NULL; return cred; } diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index aa2a0d0ac2..b43ddbbe89 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -57,6 +57,7 @@ struct cli_credentials { const char *domain; const char *realm; const char *principal; + const char *salt_principal; struct samr_Password *nt_hash; diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 31f645bc6c..cdf38dcfa8 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -182,6 +182,7 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, "secureChannelType", "ntPwdHash", "msDS-KeyVersionNumber", + "saltPrincipal", NULL }; @@ -191,6 +192,7 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, const char *domain; const char *realm; enum netr_SchannelType sct; + const char *salt_principal; /* ok, we are going to get it now, don't recurse back here */ cred->machine_account_pending = False; @@ -209,13 +211,13 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, &msgs, attrs, "%s", filter); if (ldb_ret == 0) { - DEBUG(1, ("Could not find join record to domain: %s\n", - cli_credentials_get_domain(cred))); + DEBUG(1, ("Could not find entry to match filter: %s\n", + filter)); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } else if (ldb_ret != 1) { - DEBUG(1, ("Found more than one (%d) join records to domain: %s\n", - ldb_ret, cli_credentials_get_domain(cred))); + DEBUG(1, ("Found more than one (%d) entry to match filter: %s\n", + ldb_ret, filter)); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -231,6 +233,9 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } + + salt_principal = ldb_msg_find_string(msgs[0], "saltPrincipal", NULL); + cli_credentials_set_salt_principal(cred, salt_principal); sct = ldb_msg_find_int(msgs[0], "secureChannelType", 0); if (sct) { diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c index b20d9ee750..abb8418748 100644 --- a/source4/auth/credentials/credentials_krb5.c +++ b/source4/auth/credentials/credentials_krb5.c @@ -299,3 +299,12 @@ int cli_credentials_get_kvno(struct cli_credentials *cred) return cred->kvno; } +const char *cli_credentials_get_salt_principal(struct cli_credentials *cred) +{ + return cred->salt_principal; +} + +void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal) +{ + cred->salt_principal = talloc_strdup(cred, principal); +} diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index 3d7084aa0d..6a09562dca 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -50,37 +50,43 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, char *machine_username; char *salt_body; char *lower_realm; + char *salt_principal; struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container); if (!mem_ctx) { return ENOMEM; } - - machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account)); - if (!machine_username) { - talloc_free(mem_ctx); - return ENOMEM; - } - - if (machine_username[strlen(machine_username)-1] == '$') { - machine_username[strlen(machine_username)-1] = '\0'; - } - lower_realm = strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_account)); - if (!lower_realm) { - talloc_free(mem_ctx); - return ENOMEM; - } - - salt_body = talloc_asprintf(mem_ctx, "%s.%s", machine_username, - lower_realm); - if (!salt_body) { - talloc_free(mem_ctx); + salt_principal = cli_credentials_get_salt_principal(machine_account); + if (salt_principal) { + ret = krb5_parse_name(smb_krb5_context->krb5_context, salt_principal, salt_princ); + } else { + machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account)); + + if (!machine_username) { + talloc_free(mem_ctx); + return ENOMEM; + } + + if (machine_username[strlen(machine_username)-1] == '$') { + machine_username[strlen(machine_username)-1] = '\0'; + } + lower_realm = strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_account)); + if (!lower_realm) { + talloc_free(mem_ctx); + return ENOMEM; + } + + salt_body = talloc_asprintf(mem_ctx, "%s.%s", machine_username, + lower_realm); + if (!salt_body) { + talloc_free(mem_ctx); return ENOMEM; - } - - ret = krb5_make_principal(smb_krb5_context->krb5_context, salt_princ, - cli_credentials_get_realm(machine_account), - "host", salt_body, NULL); + } + + ret = krb5_make_principal(smb_krb5_context->krb5_context, salt_princ, + cli_credentials_get_realm(machine_account), + "host", salt_body, NULL); + } if (ret == 0) { mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context); -- cgit