samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00

81 lines

2.2 KiB

C

Raw Normal View History

s3: avoid global include of ads.h. Guenther 2010-07-02 02:32:52 +04:00			`/*`
			`Unix SMB/CIFS implementation.`
			`krb5 set password implementation`
			`Copyright (C) Andrew Tridgell 2001`
			`Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)`

			`This program is free software; you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`the Free Software Foundation; either version 3 of the License, or`
			`(at your option) any later version.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU General Public License for more details.`

			`You should have received a copy of the GNU General Public License`
			`along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`#include "includes.h"`
			`#include "smb_krb5.h"`
			`#include "ads.h"`
lib/param: Move all enum declarations to lib/param This is in preperation for the parameter table being made common. Andrew Bartlett Pair-Programmed-With: Andrew Tridgell <tridge@samba.org> 2012-07-23 06:47:01 +04:00			`#include "lib/param/loadparm.h"`
s3: avoid global include of ads.h. Guenther 2010-07-02 02:32:52 +04:00
			`#ifdef HAVE_KRB5`

			`/* run kinit to setup our ccache */`
			`int ads_kinit_password(ADS_STRUCT *ads)`
			`{`
			`char *s;`
			`int ret;`
			`const char *account_name;`
			`fstring acct_name;`

s3:libads: do an early return if we don't have a password for ads_kinit_password() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 2016-10-07 19:18:56 +03:00			`if (ads->auth.password == NULL \|\| ads->auth.password[0] == '\0') {`
			`return KRB5_LIBOS_CANTREADPWD;`
			`}`

s3: avoid global include of ads.h. Guenther 2010-07-02 02:32:52 +04:00			`if (ads->auth.flags & ADS_AUTH_USER_CREDS) {`
			`account_name = ads->auth.user_name;`
			`goto got_accountname;`
			`}`

			`if ( IS_DC ) {`
			`/* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */`
			`account_name = lp_workgroup();`
			`} else {`
			`/* always use the sAMAccountName for security = domain */`
s3-param Remove special case for global_myname(), rename to lp_netbios_name() There is no reason this can't be a normal constant string in the loadparm system, now that we have lp_set_cmdline() to handle overrides correctly. Andrew Bartlett 2011-06-09 09:31:03 +04:00			`/* lp_netbios_name()$@REA.LM */`
s3: avoid global include of ads.h. Guenther 2010-07-02 02:32:52 +04:00			`if ( lp_security() == SEC_DOMAIN ) {`
s3-param Remove special case for global_myname(), rename to lp_netbios_name() There is no reason this can't be a normal constant string in the loadparm system, now that we have lp_set_cmdline() to handle overrides correctly. Andrew Bartlett 2011-06-09 09:31:03 +04:00			`fstr_sprintf( acct_name, "%s$", lp_netbios_name() );`
s3: avoid global include of ads.h. Guenther 2010-07-02 02:32:52 +04:00			`account_name = acct_name;`
			`}`
			`else`
s3-param Remove special case for global_myname(), rename to lp_netbios_name() There is no reason this can't be a normal constant string in the loadparm system, now that we have lp_set_cmdline() to handle overrides correctly. Andrew Bartlett 2011-06-09 09:31:03 +04:00			`/* This looks like host/lp_netbios_name()@REA.LM */`
s3: avoid global include of ads.h. Guenther 2010-07-02 02:32:52 +04:00			`account_name = ads->auth.user_name;`
			`}`

			`got_accountname:`
			`if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {`
			`return KRB5_CC_NOMEM;`
			`}`

Avoid overriding default ccache for ads operations. Avoid overriding default ccache for ads operations. Nowadays various samba components may need to use GSSAPI and a default cred cache to perform their tasks. This code was completely overriding the whole process default ccache name, thus altering the current credentials and sometimes hijacking them (or getting preemptively hijaked). By using gss_krb5_import_cred we can instead use a private ccache (necessary sometimes to use a different set of credentials fromt he default cifs/fqdn@realm one, for example when contacting foreign DCs using trust credentials) that does not affect the rest of the process. For the kerberos versions which don't have gss_krb5_import_cred we fallback to temp override of KRB5CCNAME and gss_acquire_cred. Signed-off-by: Alexander Bokovoy <ab@samba.org> Signed-off-by: Günther Deschner <gd@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104 2012-09-07 22:14:08 +04:00			`ret = kerberos_kinit_password_ext(s, ads->auth.password,`
			`ads->auth.time_offset,`
			`&ads->auth.tgt_expire, NULL,`
			`ads->auth.ccache_name, false, false,`
s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> 2019-09-16 18:14:11 +03:00			`ads->auth.renewable,`
			`NULL, NULL, NULL, NULL);`
s3: avoid global include of ads.h. Guenther 2010-07-02 02:32:52 +04:00
			`if (ret) {`
			`DEBUG(0,("kerberos_kinit_password %s failed: %s\n",`
			`s, error_message(ret)));`
			`}`
			`SAFE_FREE(s);`
			`return ret;`
			`}`

			`#endif`

81 lines 2.2 KiB C Raw Normal View History Unescape Escape

81 lines

2.2 KiB

C

Raw Normal View History