mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
Thanks Meeester Potter, for reverting *all* my Heimdal changes because
I mistyped a comma :-). Jeremy.
This commit is contained in:
parent
09d8a8e87f
commit
04cc149c75
@ -36,17 +36,13 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
|
||||
krb5_keytab keytab = NULL;
|
||||
krb5_data packet;
|
||||
krb5_ticket *tkt = NULL;
|
||||
krb5_data salt;
|
||||
krb5_encrypt_block eblock;
|
||||
int ret, i;
|
||||
int ret;
|
||||
krb5_keyblock * key;
|
||||
krb5_principal host_princ;
|
||||
char *host_princ_s;
|
||||
fstring myname;
|
||||
char *password_s;
|
||||
krb5_data password;
|
||||
krb5_enctype *enctypes = NULL;
|
||||
BOOL auth_ok = False;
|
||||
|
||||
if (!secrets_init()) {
|
||||
DEBUG(1,("secrets_init failed\n"));
|
||||
@ -71,6 +67,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
|
||||
ret = krb5_set_default_realm(context, ads->auth.realm);
|
||||
if (ret) {
|
||||
DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret)));
|
||||
ads_destroy(&ads);
|
||||
return NT_STATUS_LOGON_FAILURE;
|
||||
}
|
||||
|
||||
@ -92,54 +89,30 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
|
||||
return NT_STATUS_LOGON_FAILURE;
|
||||
}
|
||||
|
||||
ret = krb5_principal2salt(context, host_princ, &salt);
|
||||
if (ret) {
|
||||
DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
|
||||
return NT_STATUS_LOGON_FAILURE;
|
||||
}
|
||||
|
||||
if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
if ((ret = krb5_get_permitted_enctypes(context, &enctypes))) {
|
||||
DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n",
|
||||
error_message(ret)));
|
||||
if (create_kerberos_key_from_string(context, host_princ, &password, key)) {
|
||||
SAFE_FREE(key);
|
||||
return NT_STATUS_LOGON_FAILURE;
|
||||
}
|
||||
|
||||
krb5_auth_con_setuseruserkey(context, auth_context, key);
|
||||
|
||||
/* we need to setup a auth context with each possible encoding type in turn */
|
||||
for (i=0;enctypes[i];i++) {
|
||||
krb5_use_enctype(context, &eblock, enctypes[i]);
|
||||
|
||||
ret = krb5_string_to_key(context, &eblock, key, &password, &salt);
|
||||
if (ret) {
|
||||
continue;
|
||||
}
|
||||
|
||||
krb5_auth_con_setuseruserkey(context, auth_context, key);
|
||||
|
||||
packet.length = ticket->length;
|
||||
packet.data = (krb5_pointer)ticket->data;
|
||||
|
||||
if (!(ret = krb5_rd_req(context, &auth_context, &packet,
|
||||
NULL, keytab, NULL, &tkt))) {
|
||||
krb5_free_ktypes(context, enctypes);
|
||||
auth_ok = True;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (!auth_ok) {
|
||||
DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
|
||||
error_message(ret)));
|
||||
return NT_STATUS_LOGON_FAILURE;
|
||||
}
|
||||
packet.length = ticket->length;
|
||||
packet.data = (krb5_pointer)ticket->data;
|
||||
|
||||
#if 0
|
||||
file_save("/tmp/ticket.dat", ticket->data, ticket->length);
|
||||
#endif
|
||||
|
||||
if ((ret = krb5_rd_req(context, &auth_context, &packet,
|
||||
NULL, keytab, NULL, &tkt))) {
|
||||
DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
|
||||
error_message(ret)));
|
||||
return NT_STATUS_LOGON_FAILURE;
|
||||
}
|
||||
|
||||
if (tkt->enc_part2) {
|
||||
*auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents,
|
||||
|
@ -70,6 +70,54 @@
|
||||
__ERROR__XX__UNKNOWN_ADDRTYPE
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY)
|
||||
int create_kerberos_key_from_string(krb5_context context,
|
||||
krb5_principal host_princ,
|
||||
krb5_data *password,
|
||||
krb5_keyblock *key)
|
||||
{
|
||||
int ret;
|
||||
krb5_data salt;
|
||||
krb5_encrypt_block eblock;
|
||||
|
||||
ret = krb5_principal2salt(context, host_princ, &salt);
|
||||
if (ret) {
|
||||
DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
|
||||
return ret;
|
||||
}
|
||||
krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5);
|
||||
return krb5_string_to_key(context, &eblock, key, password, &salt);
|
||||
}
|
||||
#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
|
||||
int create_kerberos_key_from_string(krb5_context context,
|
||||
krb5_principal host_princ,
|
||||
krb5_data *password,
|
||||
krb5_keyblock *key)
|
||||
{
|
||||
int ret;
|
||||
krb5_salt salt;
|
||||
|
||||
ret = krb5_get_pw_salt(context, host_princ, &salt);
|
||||
if (ret) {
|
||||
DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
|
||||
return ret;
|
||||
}
|
||||
return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data,
|
||||
salt, key);
|
||||
}
|
||||
#else
|
||||
__ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
|
||||
krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
|
||||
krb5_auth_context auth_context,
|
||||
krb5_keyblock *keyblock)
|
||||
{
|
||||
return krb5_auth_con_setkey(context, auth_context, keyblock);
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
we can't use krb5_mk_req because w2k wants the service to be in a particular format
|
||||
*/
|
||||
|
Loading…
Reference in New Issue
Block a user