mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s3-kerberos: only use krb5 headers where required.
This seems to be the only way to deal with mixed heimdal/MIT setups during merged build. Guenther
This commit is contained in:
parent
23d77be6cb
commit
04f8c229de
@ -27,6 +27,7 @@ create dns_resolver * * /usr/local/sbin/cifs.upcall %k
|
||||
|
||||
#include "includes.h"
|
||||
#include "../libcli/auth/spnego.h"
|
||||
#include "smb_krb5.h"
|
||||
#include <keyutils.h>
|
||||
#include <getopt.h>
|
||||
|
||||
|
@ -3375,10 +3375,7 @@ if test x"$with_ads_support" != x"no"; then
|
||||
samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER=no)])
|
||||
|
||||
if test x"$samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER" = x"yes"; then
|
||||
AC_DEFINE(KRB5_DEPRECATED, 1,
|
||||
[Whether to use deprecated krb5 interfaces])
|
||||
else
|
||||
AC_DEFINE(KRB5_DEPRECATED,,
|
||||
AC_DEFINE(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER, 1,
|
||||
[Whether to use deprecated krb5 interfaces])
|
||||
fi
|
||||
fi
|
||||
|
@ -8,6 +8,24 @@
|
||||
|
||||
#include "../libds/common/flags.h"
|
||||
|
||||
/*
|
||||
* This should be under the HAVE_KRB5 flag but since they're used
|
||||
* in lp_kerberos_method(), they ned to be always available
|
||||
*/
|
||||
#define KERBEROS_VERIFY_SECRETS 0
|
||||
#define KERBEROS_VERIFY_SYSTEM_KEYTAB 1
|
||||
#define KERBEROS_VERIFY_DEDICATED_KEYTAB 2
|
||||
#define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3
|
||||
|
||||
/*
|
||||
* If you add any entries to the above, please modify the below expressions
|
||||
* so they remain accurate.
|
||||
*/
|
||||
#define USE_KERBEROS_KEYTAB (KERBEROS_VERIFY_SECRETS != lp_kerberos_method())
|
||||
#define USE_SYSTEM_KEYTAB \
|
||||
((KERBEROS_VERIFY_SECRETS_AND_KEYTAB == lp_kerberos_method()) || \
|
||||
(KERBEROS_VERIFY_SYSTEM_KEYTAB == lp_kerberos_method()))
|
||||
|
||||
#define TOK_ID_KRB_AP_REQ ((const uint8_t *)"\x01\x00")
|
||||
#define TOK_ID_KRB_AP_REP ((const uint8_t *)"\x02\x00")
|
||||
#define TOK_ID_KRB_ERROR ((const uint8_t *)"\x03\x00")
|
||||
@ -226,62 +244,9 @@ typedef void **ADS_MODLIST;
|
||||
/* Kerberos environment variable names */
|
||||
#define KRB5_ENV_CCNAME "KRB5CCNAME"
|
||||
|
||||
/* Heimdal uses a slightly different name */
|
||||
#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
|
||||
#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
|
||||
#endif
|
||||
|
||||
/* The older versions of heimdal that don't have this
|
||||
define don't seem to use it anyway. I'm told they
|
||||
always use a subkey */
|
||||
#ifndef HAVE_AP_OPTS_USE_SUBKEY
|
||||
#define AP_OPTS_USE_SUBKEY 0
|
||||
#endif
|
||||
|
||||
#define WELL_KNOWN_GUID_COMPUTERS "AA312825768811D1ADED00C04FD8D5CD"
|
||||
#define WELL_KNOWN_GUID_USERS "A9D1CA15768811D1ADED00C04FD8D5CD"
|
||||
|
||||
#ifndef KRB5_ADDR_NETBIOS
|
||||
#define KRB5_ADDR_NETBIOS 0x14
|
||||
#endif
|
||||
|
||||
#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
|
||||
#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
typedef struct {
|
||||
#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
|
||||
krb5_address **addrs;
|
||||
#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
|
||||
krb5_addresses *addrs;
|
||||
#else
|
||||
#error UNKNOWN_KRB5_ADDRESS_TYPE
|
||||
#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
|
||||
} smb_krb5_addresses;
|
||||
|
||||
#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
|
||||
#define KRB5_KEY_TYPE(k) ((k)->keytype)
|
||||
#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
|
||||
#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
|
||||
#define KRB5_KEY_DATA_CAST void
|
||||
#else /* MIT */
|
||||
#define KRB5_KEY_TYPE(k) ((k)->enctype)
|
||||
#define KRB5_KEY_LENGTH(k) ((k)->length)
|
||||
#define KRB5_KEY_DATA(k) ((k)->contents)
|
||||
#define KRB5_KEY_DATA_CAST krb5_octet
|
||||
#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
|
||||
|
||||
#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
|
||||
#define KRB5_KT_KEY(k) (&(k)->key)
|
||||
#elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
|
||||
#define KRB5_KT_KEY(k) (&(k)->keyblock)
|
||||
#else
|
||||
#error krb5_keytab_entry has no key or keyblock member
|
||||
#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
|
||||
|
||||
#endif /* HAVE_KRB5 */
|
||||
|
||||
enum ads_extended_dn_flags {
|
||||
ADS_EXTENDED_DN_HEX_STRING = 0,
|
||||
ADS_EXTENDED_DN_STRING = 1 /* not supported on win2k */
|
||||
|
@ -20,11 +20,6 @@
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
/* work around broken krb5.h on sles9 */
|
||||
#ifdef SIZEOF_LONG
|
||||
#undef SIZEOF_LONG
|
||||
#endif
|
||||
|
||||
#include "../replace/replace.h"
|
||||
|
||||
/* make sure we have included the correct config.h */
|
||||
@ -146,9 +141,7 @@
|
||||
#endif
|
||||
#endif /* HAVE_NETGROUP */
|
||||
|
||||
#if HAVE_KRB5_H
|
||||
#include <krb5.h>
|
||||
#else
|
||||
#ifndef HAVE_KRB5_H
|
||||
#undef HAVE_KRB5
|
||||
#endif
|
||||
|
||||
@ -929,167 +922,6 @@ char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...) PRINTF_ATT
|
||||
#define XATTR_REPLACE 0x2 /* set value, fail if attr does not exist */
|
||||
#endif
|
||||
|
||||
/*
|
||||
* This should be under the HAVE_KRB5 flag but since they're used
|
||||
* in lp_kerberos_method(), they ned to be always available
|
||||
*/
|
||||
#define KERBEROS_VERIFY_SECRETS 0
|
||||
#define KERBEROS_VERIFY_SYSTEM_KEYTAB 1
|
||||
#define KERBEROS_VERIFY_DEDICATED_KEYTAB 2
|
||||
#define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3
|
||||
|
||||
/*
|
||||
* If you add any entries to the above, please modify the below expressions
|
||||
* so they remain accurate.
|
||||
*/
|
||||
#define USE_KERBEROS_KEYTAB (KERBEROS_VERIFY_SECRETS != lp_kerberos_method())
|
||||
#define USE_SYSTEM_KEYTAB \
|
||||
((KERBEROS_VERIFY_SECRETS_AND_KEYTAB == lp_kerberos_method()) || \
|
||||
(KERBEROS_VERIFY_SYSTEM_KEYTAB == lp_kerberos_method()))
|
||||
|
||||
#if defined(HAVE_KRB5)
|
||||
krb5_error_code smb_krb5_parse_name(krb5_context context,
|
||||
const char *name, /* in unix charset */
|
||||
krb5_principal *principal);
|
||||
|
||||
krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
|
||||
krb5_context context,
|
||||
krb5_const_principal principal,
|
||||
char **unix_name);
|
||||
|
||||
#ifndef HAVE_KRB5_SET_REAL_TIME
|
||||
krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
|
||||
#endif
|
||||
|
||||
krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
|
||||
|
||||
#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
|
||||
krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock);
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
|
||||
void krb5_free_unparsed_name(krb5_context ctx, char *val);
|
||||
#endif
|
||||
|
||||
/* Stub out initialize_krb5_error_table since it is not present in all
|
||||
* Kerberos implementations. If it's not present, it's not necessary to
|
||||
* call it.
|
||||
*/
|
||||
#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE
|
||||
#define initialize_krb5_error_table()
|
||||
#endif
|
||||
|
||||
/* Samba wrapper function for krb5 functionality. */
|
||||
bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
|
||||
int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
|
||||
bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
|
||||
krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
|
||||
krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
|
||||
#if defined(HAVE_KRB5_LOCATE_KDC)
|
||||
krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
|
||||
#endif
|
||||
krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
|
||||
bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote);
|
||||
krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
|
||||
krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype);
|
||||
void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
|
||||
bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
|
||||
void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
|
||||
NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
|
||||
DATA_BLOB *pac_data_blob,
|
||||
krb5_context context,
|
||||
krb5_keyblock *service_keyblock,
|
||||
krb5_const_principal client_principal,
|
||||
time_t tgs_authtime,
|
||||
struct PAC_DATA **pac_data_out);
|
||||
void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
|
||||
struct PAC_SIGNATURE_DATA *sig);
|
||||
krb5_error_code smb_krb5_verify_checksum(krb5_context context,
|
||||
const krb5_keyblock *keyblock,
|
||||
krb5_keyusage usage,
|
||||
krb5_checksum *cksum,
|
||||
uint8 *data,
|
||||
size_t length);
|
||||
time_t get_authtime_from_tkt(krb5_ticket *tkt);
|
||||
void smb_krb5_free_ap_req(krb5_context context,
|
||||
krb5_ap_req *ap_req);
|
||||
krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context,
|
||||
const krb5_data *inbuf,
|
||||
krb5_kvno *kvno,
|
||||
krb5_enctype *enctype);
|
||||
krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
|
||||
krb5_auth_context *auth_context,
|
||||
const krb5_data *inbuf,
|
||||
krb5_const_principal server,
|
||||
krb5_keytab keytab,
|
||||
krb5_flags *ap_req_options,
|
||||
krb5_ticket **ticket,
|
||||
krb5_keyblock **keyblock);
|
||||
krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
|
||||
const char *name,
|
||||
krb5_principal *principal);
|
||||
bool smb_krb5_principal_compare_any_realm(krb5_context context,
|
||||
krb5_const_principal princ1,
|
||||
krb5_const_principal princ2);
|
||||
int cli_krb5_get_ticket(const char *principal, time_t time_offset,
|
||||
DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
|
||||
uint32 extra_ap_opts, const char *ccname,
|
||||
time_t *tgs_expire,
|
||||
const char *impersonate_princ_s);
|
||||
krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time);
|
||||
krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code);
|
||||
krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr);
|
||||
krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
|
||||
NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
|
||||
krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
|
||||
void smb_krb5_free_error(krb5_context context, krb5_error *krberror);
|
||||
krb5_error_code handle_krberror_packet(krb5_context context,
|
||||
krb5_data *packet);
|
||||
|
||||
void smb_krb5_get_init_creds_opt_free(krb5_context context,
|
||||
krb5_get_init_creds_opt *opt);
|
||||
krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
|
||||
krb5_get_init_creds_opt **opt);
|
||||
krb5_error_code smb_krb5_mk_error(krb5_context context,
|
||||
krb5_error_code error_code,
|
||||
const krb5_principal server,
|
||||
krb5_data *reply);
|
||||
krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry);
|
||||
krb5_error_code smb_krb5_enctype_to_string(krb5_context context,
|
||||
krb5_enctype enctype,
|
||||
char **etype_s);
|
||||
krb5_error_code smb_krb5_open_keytab(krb5_context context,
|
||||
const char *keytab_name,
|
||||
bool write_access,
|
||||
krb5_keytab *keytab);
|
||||
krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
|
||||
krb5_context context,
|
||||
krb5_keytab keytab,
|
||||
const char **keytab_name);
|
||||
int smb_krb5_kt_add_entry_ext(krb5_context context,
|
||||
krb5_keytab keytab,
|
||||
krb5_kvno kvno,
|
||||
const char *princ_s,
|
||||
krb5_enctype *enctypes,
|
||||
krb5_data password,
|
||||
bool no_salt,
|
||||
bool keep_old_entries);
|
||||
krb5_error_code smb_krb5_get_credentials(krb5_context context,
|
||||
krb5_ccache ccache,
|
||||
krb5_principal me,
|
||||
krb5_principal server,
|
||||
krb5_principal impersonate_princ,
|
||||
krb5_creds **out_creds);
|
||||
krb5_error_code smb_krb5_get_creds(const char *server_s,
|
||||
time_t time_offset,
|
||||
const char *cc,
|
||||
const char *impersonate_princ_s,
|
||||
krb5_creds **creds_p);
|
||||
char *smb_krb5_principal_get_realm(krb5_context context,
|
||||
krb5_principal principal);
|
||||
#endif /* HAVE_KRB5 */
|
||||
|
||||
|
||||
#ifdef HAVE_LDAP
|
||||
|
||||
/* function declarations not included in proto.h */
|
||||
|
148
source3/include/krb5_protos.h
Normal file
148
source3/include/krb5_protos.h
Normal file
@ -0,0 +1,148 @@
|
||||
/* work around broken krb5.h on sles9 */
|
||||
#ifdef SIZEOF_LONG
|
||||
#undef SIZEOF_LONG
|
||||
#endif
|
||||
|
||||
|
||||
#if defined(HAVE_KRB5)
|
||||
krb5_error_code smb_krb5_parse_name(krb5_context context,
|
||||
const char *name, /* in unix charset */
|
||||
krb5_principal *principal);
|
||||
|
||||
krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
|
||||
krb5_context context,
|
||||
krb5_const_principal principal,
|
||||
char **unix_name);
|
||||
|
||||
#ifndef HAVE_KRB5_SET_REAL_TIME
|
||||
krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
|
||||
#endif
|
||||
|
||||
krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
|
||||
|
||||
#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
|
||||
krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock);
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
|
||||
void krb5_free_unparsed_name(krb5_context ctx, char *val);
|
||||
#endif
|
||||
|
||||
/* Stub out initialize_krb5_error_table since it is not present in all
|
||||
* Kerberos implementations. If it's not present, it's not necessary to
|
||||
* call it.
|
||||
*/
|
||||
#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE
|
||||
#define initialize_krb5_error_table()
|
||||
#endif
|
||||
|
||||
/* Samba wrapper function for krb5 functionality. */
|
||||
bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
|
||||
int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
|
||||
bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
|
||||
krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
|
||||
krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
|
||||
#if defined(HAVE_KRB5_LOCATE_KDC)
|
||||
krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
|
||||
#endif
|
||||
krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
|
||||
bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote);
|
||||
krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
|
||||
krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype);
|
||||
void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
|
||||
bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
|
||||
void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
|
||||
NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
|
||||
DATA_BLOB *pac_data_blob,
|
||||
krb5_context context,
|
||||
krb5_keyblock *service_keyblock,
|
||||
krb5_const_principal client_principal,
|
||||
time_t tgs_authtime,
|
||||
struct PAC_DATA **pac_data_out);
|
||||
void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
|
||||
struct PAC_SIGNATURE_DATA *sig);
|
||||
krb5_error_code smb_krb5_verify_checksum(krb5_context context,
|
||||
const krb5_keyblock *keyblock,
|
||||
krb5_keyusage usage,
|
||||
krb5_checksum *cksum,
|
||||
uint8 *data,
|
||||
size_t length);
|
||||
time_t get_authtime_from_tkt(krb5_ticket *tkt);
|
||||
void smb_krb5_free_ap_req(krb5_context context,
|
||||
krb5_ap_req *ap_req);
|
||||
krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context,
|
||||
const krb5_data *inbuf,
|
||||
krb5_kvno *kvno,
|
||||
krb5_enctype *enctype);
|
||||
krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
|
||||
krb5_auth_context *auth_context,
|
||||
const krb5_data *inbuf,
|
||||
krb5_const_principal server,
|
||||
krb5_keytab keytab,
|
||||
krb5_flags *ap_req_options,
|
||||
krb5_ticket **ticket,
|
||||
krb5_keyblock **keyblock);
|
||||
krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
|
||||
const char *name,
|
||||
krb5_principal *principal);
|
||||
bool smb_krb5_principal_compare_any_realm(krb5_context context,
|
||||
krb5_const_principal princ1,
|
||||
krb5_const_principal princ2);
|
||||
int cli_krb5_get_ticket(const char *principal, time_t time_offset,
|
||||
DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
|
||||
uint32 extra_ap_opts, const char *ccname,
|
||||
time_t *tgs_expire,
|
||||
const char *impersonate_princ_s);
|
||||
krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time);
|
||||
krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code);
|
||||
krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr);
|
||||
krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
|
||||
NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
|
||||
krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
|
||||
void smb_krb5_free_error(krb5_context context, krb5_error *krberror);
|
||||
krb5_error_code handle_krberror_packet(krb5_context context,
|
||||
krb5_data *packet);
|
||||
|
||||
void smb_krb5_get_init_creds_opt_free(krb5_context context,
|
||||
krb5_get_init_creds_opt *opt);
|
||||
krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
|
||||
krb5_get_init_creds_opt **opt);
|
||||
krb5_error_code smb_krb5_mk_error(krb5_context context,
|
||||
krb5_error_code error_code,
|
||||
const krb5_principal server,
|
||||
krb5_data *reply);
|
||||
krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry);
|
||||
krb5_error_code smb_krb5_enctype_to_string(krb5_context context,
|
||||
krb5_enctype enctype,
|
||||
char **etype_s);
|
||||
krb5_error_code smb_krb5_open_keytab(krb5_context context,
|
||||
const char *keytab_name,
|
||||
bool write_access,
|
||||
krb5_keytab *keytab);
|
||||
krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
|
||||
krb5_context context,
|
||||
krb5_keytab keytab,
|
||||
const char **keytab_name);
|
||||
int smb_krb5_kt_add_entry_ext(krb5_context context,
|
||||
krb5_keytab keytab,
|
||||
krb5_kvno kvno,
|
||||
const char *princ_s,
|
||||
krb5_enctype *enctypes,
|
||||
krb5_data password,
|
||||
bool no_salt,
|
||||
bool keep_old_entries);
|
||||
krb5_error_code smb_krb5_get_credentials(krb5_context context,
|
||||
krb5_ccache ccache,
|
||||
krb5_principal me,
|
||||
krb5_principal server,
|
||||
krb5_principal impersonate_princ,
|
||||
krb5_creds **out_creds);
|
||||
krb5_error_code smb_krb5_get_creds(const char *server_s,
|
||||
time_t time_offset,
|
||||
const char *cc,
|
||||
const char *impersonate_princ_s,
|
||||
krb5_creds **creds_p);
|
||||
char *smb_krb5_principal_get_realm(krb5_context context,
|
||||
krb5_principal principal);
|
||||
#endif /* HAVE_KRB5 */
|
||||
|
72
source3/include/smb_krb5.h
Normal file
72
source3/include/smb_krb5.h
Normal file
@ -0,0 +1,72 @@
|
||||
#ifndef _HEADER_smb_krb5_h
|
||||
#define _HEADER_smb_krb5_h
|
||||
|
||||
#define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */
|
||||
/* this file uses DEPRECATED interfaces! */
|
||||
|
||||
#if defined(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER)
|
||||
#define KRB5_DEPRECATED 1
|
||||
#else
|
||||
#define KRB5_DEPRECATED
|
||||
#endif
|
||||
|
||||
#if HAVE_KRB5_H
|
||||
#include <krb5.h>
|
||||
#endif
|
||||
|
||||
#ifndef KRB5_ADDR_NETBIOS
|
||||
#define KRB5_ADDR_NETBIOS 0x14
|
||||
#endif
|
||||
|
||||
#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
|
||||
#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
|
||||
#endif
|
||||
|
||||
/* Heimdal uses a slightly different name */
|
||||
#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
|
||||
#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
|
||||
#endif
|
||||
|
||||
/* The older versions of heimdal that don't have this
|
||||
define don't seem to use it anyway. I'm told they
|
||||
always use a subkey */
|
||||
#ifndef HAVE_AP_OPTS_USE_SUBKEY
|
||||
#define AP_OPTS_USE_SUBKEY 0
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
typedef struct {
|
||||
#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
|
||||
krb5_address **addrs;
|
||||
#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
|
||||
krb5_addresses *addrs;
|
||||
#else
|
||||
#error UNKNOWN_KRB5_ADDRESS_TYPE
|
||||
#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
|
||||
} smb_krb5_addresses;
|
||||
|
||||
#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
|
||||
#define KRB5_KEY_TYPE(k) ((k)->keytype)
|
||||
#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
|
||||
#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
|
||||
#define KRB5_KEY_DATA_CAST void
|
||||
#else /* MIT */
|
||||
#define KRB5_KEY_TYPE(k) ((k)->enctype)
|
||||
#define KRB5_KEY_LENGTH(k) ((k)->length)
|
||||
#define KRB5_KEY_DATA(k) ((k)->contents)
|
||||
#define KRB5_KEY_DATA_CAST krb5_octet
|
||||
#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
|
||||
|
||||
#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
|
||||
#define KRB5_KT_KEY(k) (&(k)->key)
|
||||
#elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
|
||||
#define KRB5_KT_KEY(k) (&(k)->keyblock)
|
||||
#else
|
||||
#error krb5_keytab_entry has no key or keyblock member
|
||||
#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
|
||||
|
||||
#endif /* HAVE_KRB5 */
|
||||
|
||||
#include "krb5_protos.h"
|
||||
|
||||
#endif /* _HEADER_smb_krb5_h */
|
@ -21,6 +21,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
/*
|
||||
build a ADS_STATUS structure
|
||||
|
@ -24,6 +24,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
#include "librpc/gen_ndr/ndr_krb5pac.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
|
||||
|
@ -22,6 +22,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
|
||||
|
@ -26,6 +26,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
|
||||
|
@ -24,6 +24,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
|
||||
|
@ -18,6 +18,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
|
||||
|
@ -19,6 +19,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
|
||||
|
@ -20,6 +20,7 @@
|
||||
#ifndef __LIBNET_H__
|
||||
#define __LIBNET_H__
|
||||
|
||||
#include "smb_krb5.h"
|
||||
#include "libnet/libnet_keytab.h"
|
||||
#include "libnet/libnet_samsync.h"
|
||||
#include "libnet/libnet_dssync.h"
|
||||
|
@ -21,6 +21,7 @@
|
||||
#include "includes.h"
|
||||
#include "../libcli/auth/libcli_auth.h"
|
||||
#include "../libcli/auth/spnego.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
static const struct {
|
||||
int prot;
|
||||
|
@ -20,10 +20,8 @@
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */
|
||||
/* this file uses DEPRECATED interfaces! */
|
||||
|
||||
#include "includes.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
|
||||
|
@ -21,6 +21,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
#include "../libcli/auth/spnego.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
/*
|
||||
generate a negTokenInit packet given a GUID, a list of supported
|
||||
|
@ -22,6 +22,7 @@
|
||||
#include "../librpc/gen_ndr/ndr_schannel.h"
|
||||
#include "../libcli/auth/schannel.h"
|
||||
#include "../libcli/auth/spnego.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
#undef DBGC_CLASS
|
||||
#define DBGC_CLASS DBGC_RPC_CLI
|
||||
|
@ -27,6 +27,7 @@
|
||||
#include "utils/ntlm_auth.h"
|
||||
#include "../libcli/auth/libcli_auth.h"
|
||||
#include "../libcli/auth/spnego.h"
|
||||
#include "smb_krb5.h"
|
||||
#include <iniparser.h>
|
||||
|
||||
#ifndef PAM_WINBIND_CONFIG_FILE
|
||||
|
@ -24,6 +24,8 @@
|
||||
#include "includes.h"
|
||||
#include "winbindd.h"
|
||||
#include "../libcli/auth/libcli_auth.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
#undef DBGC_CLASS
|
||||
#define DBGC_CLASS DBGC_WINBIND
|
||||
|
||||
|
@ -26,6 +26,7 @@
|
||||
#include "winbindd.h"
|
||||
#include "../libcli/auth/libcli_auth.h"
|
||||
#include "../librpc/gen_ndr/cli_samr.h"
|
||||
#include "smb_krb5.h"
|
||||
|
||||
#undef DBGC_CLASS
|
||||
#define DBGC_CLASS DBGC_WINBIND
|
||||
|
Loading…
Reference in New Issue
Block a user