sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-07 09:49:30 +03:00
Code Activity

r3492: Fixes from testing kerberos salted principal fix.

Browse Source 
Jeremy.
(This used to be commit b356a8fdc5)
This commit is contained in:
Jeremy Allison
2004-11-02 21:28:14 +00:00
committed by Gerald (Jerry) Carter
parent 951ebacf45
commit 917a53cc58
3 changed files with 66 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
source3/libads/kerberos.c
View File

@ -362,8 +362,8 @@ static krb5_error_code get_service_ticket(krb5_context ctx,
}
if ((err = krb5_get_credentials(ctx, 0, ccache, &creds, &new_creds))) {
DEBUG(5,("get_service_ticket: krb5_get_credentials for %s failed: %s\n",
service_s, error_message(err)));
DEBUG(5,("get_service_ticket: krb5_get_credentials for %s enctype %d failed: %s\n",
service_s, enctype, error_message(err)));
goto out;
}
@ -602,23 +602,12 @@ static void kerberos_derive_salting_principal_for_enctype(const char *service_pr
Go through all the possible enctypes for this principal.
************************************************************************/
void kerberos_derive_salting_principal(krb5_context context,
static void kerberos_derive_salting_principal_direct(krb5_context context,
krb5_ccache ccache,
krb5_enctype *enctypes,
char *service_principal)
{
int i;
BOOL free_ccache = False;
if (ccache == NULL) {
krb5_error_code ret;
if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
DEBUG(0, ("kerberos_derive_salting_principal: krb5_cc_resolve for %s failed: %s\n",
LIBADS_CCACHE_NAME, error_message(ret)));
return;
}
free_ccache = True;
}
/* Try for each enctype separately, because the rules are
* different for different enctypes. */
@ -640,9 +629,48 @@ static void kerberos_derive_salting_principal_for_enctype(const char *service_pr
enctypes[i],
enctypes);
}
}
if (free_ccache && ccache) {
krb5_cc_close(context, ccache);
/************************************************************************
Wrapper function for the above.
************************************************************************/
void kerberos_derive_salting_principal(char *service_principal)
{
krb5_context context = NULL;
krb5_enctype *enctypes = NULL;
krb5_ccache ccache = NULL;
krb5_error_code ret = 0;
initialize_krb5_error_table();
if ((ret = krb5_init_context(&context)) != 0) {
DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. %s\n",
error_message(ret)));
return;
}
if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) {
DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n",
error_message(ret)));
goto out;
}
if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n",
LIBADS_CCACHE_NAME, error_message(ret)));
goto out;
}
kerberos_derive_salting_principal_direct(context, ccache, enctypes, service_principal);
out:
if (enctypes) {
free_kerberos_etypes(context, enctypes);
}
if (ccache) {
krb5_cc_destroy(context, ccache);
}
if (context) {
krb5_free_context(context);
}
}
@ -681,38 +709,38 @@ BOOL kerberos_derive_cifs_salting_principals(void)
if (asprintf(&service, "%s$", global_myname()) != -1) {
strlower_m(service);
kerberos_derive_salting_principal(context, ccache, enctypes, service);
kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "cifs/%s", global_myname()) != -1) {
strlower_m(service);
kerberos_derive_salting_principal(context, ccache, enctypes, service);
kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "host/%s", global_myname()) != -1) {
strlower_m(service);
kerberos_derive_salting_principal(context, ccache, enctypes, service);
kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "cifs/%s.%s", global_myname(), lp_realm()) != -1) {
strlower_m(service);
kerberos_derive_salting_principal(context, ccache, enctypes, service);
kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "host/%s.%s", global_myname(), lp_realm()) != -1) {
strlower_m(service);
kerberos_derive_salting_principal(context, ccache, enctypes, service);
kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
name_to_fqdn(my_fqdn, global_myname());
if (asprintf(&service, "cifs/%s", my_fqdn) != -1) {
strlower_m(service);
kerberos_derive_salting_principal(context, ccache, enctypes, service);
kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "host/%s", my_fqdn) != -1) {
strlower_m(service);
kerberos_derive_salting_principal(context, ccache, enctypes, service);
kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}

2
source3/libads/kerberos_keytab.c
View File

@ -128,7 +128,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
}
/* Guess at how the KDC is salting keys for this principal. */
kerberos_derive_salting_principal(context, NULL, enctypes, princ_s);
kerberos_derive_salting_principal(princ_s);
ret = krb5_parse_name(context, princ_s, &princ);
if (ret) {

14
source3/utils/net_ads.c
View File

@ -823,6 +823,20 @@ int net_ads_join(int argc, const char **argv)
return -1;
}
#ifdef HAVE_KRB5
if (!kerberos_derive_salting_principal(machine_account)) {
DEBUG(1,("Failed to determine salting principal\n"));
ads_destroy(&ads);
return -1;
}
if (!kerberos_derive_cifs_salting_principals()) {
DEBUG(1,("Failed to determine salting principals\n"));
ads_destroy(&ads);
return -1;
}
#endif
if (!secrets_store_domain_sid(short_domain_name, &dom_sid)) {
DEBUG(1,("Failed to save domain sid\n"));
ads_destroy(&ads);