sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-28 07:21:54 +03:00
Code
10989431e5
samba-mirror/source4/auth/kerberos/kerberos.c

127 lines
3.2 KiB
C
Raw Normal View History

first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
/*
Unix SMB/CIFS implementation.
kerberos utility library
Copyright (C) Andrew Tridgell 2001
Copyright (C) Remus Koos 2001
r4355: More work from the elves on Christmas eve: - Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
2004-12-24 12:54:23 +03:00
Copyright (C) Nalin Dahyabhai 2004.
Copyright (C) Jeremy Allison 2004.
r6025: Remove unused variables. This code will be modified again for the new cli_credentials code shortly. Andrew Bartlett (This used to be commit 13d09c8e9a50ae265059e4a0d92a07c651018a6c)
2005-03-24 06:35:51 +03:00
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
r4355: More work from the elves on Christmas eve: - Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
2004-12-24 12:54:23 +03:00
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
r6359: Fix compiler warning with struct sockaddr. I'm sure I fixed this a few weeks ago - weird. (This used to be commit 1738761d895461260dcba0dd81630cfa0ec43ae8)
2005-04-17 04:06:46 +04:00
#include "system/network.h"
r3443: the next stage in the include files re-organisation. I have created the include/system/ directory, which will contain the wrappers for the system includes for logical subsystems. So far I have created include/system/kerberos.h and include/system/network.h, which contain all the system includes for kerberos code and networking code. These are the included in subsystems that need kerberos or networking respectively. Note that this method avoids the mess of #ifdef HAVE_XXX_H in every C file, instead each C module includes the include/system/XXX.h file for the logical system support it needs, and the details are kept isolated in include/system/ This patch also creates a "struct ipv4_addr" which replaces "struct in_addr" in our code. That avoids every C file needing to import all the system networking headers. (This used to be commit 2e25c71853f8996f73755277e448e7d670810349)
2004-11-02 01:48:25 +03:00
#include "system/kerberos.h"
r5330: Remove #include <sys/time.h> from includes.h. Add #include "system/time.h" back (it was removed in some of these places because the definitions were provided by <sys/time.h> on tridge's platform.) Andrew Bartlett (This used to be commit 34b1da730304bed7fee5bae7cbde7fbccecb6af5)
2005-02-11 13:15:56 +03:00
#include "system/time.h"
r6113: Move GENSEC and the kerberos code out of libcli/auth, and into auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4 Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)
2005-03-29 12:24:03 +04:00
#include "auth/kerberos/kerberos.h"
r4355: More work from the elves on Christmas eve: - Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
2004-12-24 12:54:23 +03:00
#include "secrets.h"
r5309: removed ads.h from includes.h (This used to be commit 196c45b834c39f293b9533cec5cfe5a77382d4e2)
2005-02-10 10:43:39 +03:00
#include "ads.h"
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
#ifdef HAVE_KRB5
r4355: More work from the elves on Christmas eve: - Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
2004-12-24 12:54:23 +03:00
#define LIBADS_CCACHE_NAME "MEMORY:libads"
r7989: Allow the use of hashed passwords in the kerberos client and server, and create the in-memory keytab with the correct kvno, if available. Andrew Bartlett (This used to be commit 7b7b2b038e25f3d767b5db7d6e41dd947fdde091)
2005-06-29 07:01:35 +04:00
/*
simulate a kinit, putting the tgt in the given credentials cache.
Orignally by remus@snapserver.com
This version is built to use a keyblock, rather than needing the
original password.
*/
int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
r10035: This patch removes the need for the special case hack 'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a merge from lorikeet-heimdal, where I removed this) This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred() function, as this allows us to specify the target principal, regardless of which alias the client may use. This patch also tries to simplify some principal handling and fixes some error cases. Posted to samba-technical, reviewed by metze, and looked over by lha on IRC. Andrew Bartlett (This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
2005-09-05 14:53:14 +04:00
krb5_principal principal, krb5_keyblock *keyblock,
r7989: Allow the use of hashed passwords in the kerberos client and server, and create the in-memory keytab with the correct kvno, if available. Andrew Bartlett (This used to be commit 7b7b2b038e25f3d767b5db7d6e41dd947fdde091)
2005-06-29 07:01:35 +04:00
time_t *expire_time, time_t *kdc_time)
{
krb5_error_code code = 0;
krb5_creds my_creds;
krb5_get_init_creds_opt options;
krb5_get_init_creds_opt_init(&options);
r10035: This patch removes the need for the special case hack 'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a merge from lorikeet-heimdal, where I removed this) This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred() function, as this allows us to specify the target principal, regardless of which alias the client may use. This patch also tries to simplify some principal handling and fixes some error cases. Posted to samba-technical, reviewed by metze, and looked over by lha on IRC. Andrew Bartlett (This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
2005-09-05 14:53:14 +04:00
if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock,
r7989: Allow the use of hashed passwords in the kerberos client and server, and create the in-memory keytab with the correct kvno, if available. Andrew Bartlett (This used to be commit 7b7b2b038e25f3d767b5db7d6e41dd947fdde091)
2005-06-29 07:01:35 +04:00
0, NULL, &options))) {
return code;
}
r10035: This patch removes the need for the special case hack 'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a merge from lorikeet-heimdal, where I removed this) This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred() function, as this allows us to specify the target principal, regardless of which alias the client may use. This patch also tries to simplify some principal handling and fixes some error cases. Posted to samba-technical, reviewed by metze, and looked over by lha on IRC. Andrew Bartlett (This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
2005-09-05 14:53:14 +04:00
if ((code = krb5_cc_initialize(ctx, cc, principal))) {
r7989: Allow the use of hashed passwords in the kerberos client and server, and create the in-memory keytab with the correct kvno, if available. Andrew Bartlett (This used to be commit 7b7b2b038e25f3d767b5db7d6e41dd947fdde091)
2005-06-29 07:01:35 +04:00
krb5_free_cred_contents(ctx, &my_creds);
return code;
}
if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
krb5_free_cred_contents(ctx, &my_creds);
return code;
}
if (expire_time) {
*expire_time = (time_t) my_creds.times.endtime;
}
if (kdc_time) {
*kdc_time = (time_t) my_creds.times.starttime;
}
krb5_free_cred_contents(ctx, &my_creds);
return 0;
}
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
/*
r4355: More work from the elves on Christmas eve: - Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
2004-12-24 12:54:23 +03:00
simulate a kinit, putting the tgt in the given credentials cache.
Orignally by remus@snapserver.com
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
*/
r4355: More work from the elves on Christmas eve: - Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
2004-12-24 12:54:23 +03:00
int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
r10035: This patch removes the need for the special case hack 'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a merge from lorikeet-heimdal, where I removed this) This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred() function, as this allows us to specify the target principal, regardless of which alias the client may use. This patch also tries to simplify some principal handling and fixes some error cases. Posted to samba-technical, reviewed by metze, and looked over by lha on IRC. Andrew Bartlett (This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
2005-09-05 14:53:14 +04:00
krb5_principal principal, const char *password,
time_t *expire_time, time_t *kdc_time)
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
{
krb5_error_code code = 0;
krb5_creds my_creds;
r3610: prevent segv with heimdal and password krb5 init (This used to be commit a4598e7fa17c7ec0fed9cb81f5a0fb30b133861b)
2004-11-08 05:01:05 +03:00
krb5_get_init_creds_opt options;
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
r3612: This appears to be the 'offical' way to initialise this struct. Andrew Bartlett (This used to be commit 47d67c6e5b265e4192fcae0d9cd72b3ac097785e)
2004-11-08 05:28:12 +03:00
krb5_get_init_creds_opt_init(&options);
r3610: prevent segv with heimdal and password krb5 init (This used to be commit a4598e7fa17c7ec0fed9cb81f5a0fb30b133861b)
2004-11-08 05:01:05 +03:00
r10035: This patch removes the need for the special case hack 'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a merge from lorikeet-heimdal, where I removed this) This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred() function, as this allows us to specify the target principal, regardless of which alias the client may use. This patch also tries to simplify some principal handling and fixes some error cases. Posted to samba-technical, reviewed by metze, and looked over by lha on IRC. Andrew Bartlett (This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
2005-09-05 14:53:14 +04:00
if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password,
r11215: Remove no-op prompter intended to work around bugs in old kerberos libs. I'm also worried this might cause loops, if we get a 'force password change', and the prompter tries to 'deal with it'. Andrew Bartlett (This used to be commit 5bc10c4e472b45c5b5b0ea0c3dd100be6f4dabca)
2005-10-20 14:10:40 +04:00
NULL,
r3610: prevent segv with heimdal and password krb5 init (This used to be commit a4598e7fa17c7ec0fed9cb81f5a0fb30b133861b)
2004-11-08 05:01:05 +03:00
NULL, 0, NULL, &options))) {
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
return code;
}
r10035: This patch removes the need for the special case hack 'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a merge from lorikeet-heimdal, where I removed this) This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred() function, as this allows us to specify the target principal, regardless of which alias the client may use. This patch also tries to simplify some principal handling and fixes some error cases. Posted to samba-technical, reviewed by metze, and looked over by lha on IRC. Andrew Bartlett (This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
2005-09-05 14:53:14 +04:00
if ((code = krb5_cc_initialize(ctx, cc, principal))) {
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
krb5_free_cred_contents(ctx, &my_creds);
return code;
}
if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
krb5_free_cred_contents(ctx, &my_creds);
return code;
}
r1475: More kerberos work - We can now connect to hosts that follow the SPNEGO RFC, and *do not* give us their principal name in the mechListMIC. - The client code now remembers the hostname it connects to - We now kinit for a user, if there is not valid ticket already - Re-introduce clock skew compensation TODO: - See if the username in the ccache matches the username specified - Use a private ccache, rather then the global one, for a 'new' kinit - Determine 'default' usernames. - The default for Krb5 is the one in the ccache, then $USER - For NTLMSSP, it's just $USER Andrew Bartlett (This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
2004-07-13 09:14:59 +04:00
if (expire_time) {
r1198: Merge the Samba 3.0 ntlm_auth, including the kerberos and SPENGO parts. I have moved the SPNEGO and Kerberos code into libcli/auth, and intend to refactor them into the same format as NTLMSSP. Andrew Bartlett (This used to be commit 58da78a7460d5d0a4abee7d7b84799c228e6bc0b)
2004-06-19 12:15:41 +04:00
*expire_time = (time_t) my_creds.times.endtime;
r1475: More kerberos work - We can now connect to hosts that follow the SPNEGO RFC, and *do not* give us their principal name in the mechListMIC. - The client code now remembers the hostname it connects to - We now kinit for a user, if there is not valid ticket already - Re-introduce clock skew compensation TODO: - See if the username in the ccache matches the username specified - Use a private ccache, rather then the global one, for a 'new' kinit - Determine 'default' usernames. - The default for Krb5 is the one in the ccache, then $USER - For NTLMSSP, it's just $USER Andrew Bartlett (This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
2004-07-13 09:14:59 +04:00
}
if (kdc_time) {
*kdc_time = (time_t) my_creds.times.starttime;
}
r1198: Merge the Samba 3.0 ntlm_auth, including the kerberos and SPENGO parts. I have moved the SPNEGO and Kerberos code into libcli/auth, and intend to refactor them into the same format as NTLMSSP. Andrew Bartlett (This used to be commit 58da78a7460d5d0a4abee7d7b84799c228e6bc0b)
2004-06-19 12:15:41 +04:00
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
krb5_free_cred_contents(ctx, &my_creds);
r1475: More kerberos work - We can now connect to hosts that follow the SPNEGO RFC, and *do not* give us their principal name in the mechListMIC. - The client code now remembers the hostname it connects to - We now kinit for a user, if there is not valid ticket already - Re-introduce clock skew compensation TODO: - See if the username in the ccache matches the username specified - Use a private ccache, rather then the global one, for a 'new' kinit - Determine 'default' usernames. - The default for Krb5 is the one in the ccache, then $USER - For NTLMSSP, it's just $USER Andrew Bartlett (This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
2004-07-13 09:14:59 +04:00
return 0;
}
r4355: More work from the elves on Christmas eve: - Update Samba4's kerberos code to match the 'salting' changes in Samba3 (and many other cleanups by jra). - Move GENSEC into the modern era of talloc destructors. This avoids many of the memory leaks in this code, as we now can't somehow 'forget' to call the end routine. - This required fixing some of the talloc hierarchies. - The new krb5 seems more sensitive to getting the service name right, so start actually setting the service name on the krb5 context. Andrew Bartlett (This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
2004-12-24 12:54:23 +03:00
first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)
2003-08-13 05:53:07 +04:00
#endif
Copy Permalink