1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

Thanks Meeester Potter, for reverting *all* my Heimdal changes because

I mistyped a comma :-).
Jeremy.
This commit is contained in:
Jeremy Allison 0001-01-01 00:00:00 +00:00
parent 09d8a8e87f
commit 04cc149c75
2 changed files with 62 additions and 41 deletions

View File

@ -36,17 +36,13 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
krb5_keytab keytab = NULL;
krb5_data packet;
krb5_ticket *tkt = NULL;
krb5_data salt;
krb5_encrypt_block eblock;
int ret, i;
int ret;
krb5_keyblock * key;
krb5_principal host_princ;
char *host_princ_s;
fstring myname;
char *password_s;
krb5_data password;
krb5_enctype *enctypes = NULL;
BOOL auth_ok = False;
if (!secrets_init()) {
DEBUG(1,("secrets_init failed\n"));
@ -71,6 +67,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
ret = krb5_set_default_realm(context, ads->auth.realm);
if (ret) {
DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret)));
ads_destroy(&ads);
return NT_STATUS_LOGON_FAILURE;
}
@ -92,54 +89,30 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
return NT_STATUS_LOGON_FAILURE;
}
ret = krb5_principal2salt(context, host_princ, &salt);
if (ret) {
DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
return NT_STATUS_LOGON_FAILURE;
}
if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
return NT_STATUS_NO_MEMORY;
}
if ((ret = krb5_get_permitted_enctypes(context, &enctypes))) {
DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n",
error_message(ret)));
if (create_kerberos_key_from_string(context, host_princ, &password, key)) {
SAFE_FREE(key);
return NT_STATUS_LOGON_FAILURE;
}
krb5_auth_con_setuseruserkey(context, auth_context, key);
/* we need to setup a auth context with each possible encoding type in turn */
for (i=0;enctypes[i];i++) {
krb5_use_enctype(context, &eblock, enctypes[i]);
ret = krb5_string_to_key(context, &eblock, key, &password, &salt);
if (ret) {
continue;
}
krb5_auth_con_setuseruserkey(context, auth_context, key);
packet.length = ticket->length;
packet.data = (krb5_pointer)ticket->data;
if (!(ret = krb5_rd_req(context, &auth_context, &packet,
NULL, keytab, NULL, &tkt))) {
krb5_free_ktypes(context, enctypes);
auth_ok = True;
break;
}
}
if (!auth_ok) {
DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
error_message(ret)));
return NT_STATUS_LOGON_FAILURE;
}
packet.length = ticket->length;
packet.data = (krb5_pointer)ticket->data;
#if 0
file_save("/tmp/ticket.dat", ticket->data, ticket->length);
#endif
if ((ret = krb5_rd_req(context, &auth_context, &packet,
NULL, keytab, NULL, &tkt))) {
DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
error_message(ret)));
return NT_STATUS_LOGON_FAILURE;
}
if (tkt->enc_part2) {
*auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents,

View File

@ -70,6 +70,54 @@
__ERROR__XX__UNKNOWN_ADDRTYPE
#endif
#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY)
int create_kerberos_key_from_string(krb5_context context,
krb5_principal host_princ,
krb5_data *password,
krb5_keyblock *key)
{
int ret;
krb5_data salt;
krb5_encrypt_block eblock;
ret = krb5_principal2salt(context, host_princ, &salt);
if (ret) {
DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
return ret;
}
krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5);
return krb5_string_to_key(context, &eblock, key, password, &salt);
}
#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
int create_kerberos_key_from_string(krb5_context context,
krb5_principal host_princ,
krb5_data *password,
krb5_keyblock *key)
{
int ret;
krb5_salt salt;
ret = krb5_get_pw_salt(context, host_princ, &salt);
if (ret) {
DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
return ret;
}
return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data,
salt, key);
}
#else
__ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS
#endif
#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
krb5_auth_context auth_context,
krb5_keyblock *keyblock)
{
return krb5_auth_con_setkey(context, auth_context, keyblock);
}
#endif
/*
we can't use krb5_mk_req because w2k wants the service to be in a particular format
*/