mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
r3451: Finish off kerberos salting patch. Needs testing !
Jeremy.
This commit is contained in:
parent
05619cfdbf
commit
ff4cb6b5e8
@ -2615,27 +2615,7 @@ if test x"$with_ads_support" != x"no"; then
|
||||
|
||||
# Do no harm to the values of CFLAGS and LIBS while testing for
|
||||
# Kerberos support.
|
||||
|
||||
#################################################
|
||||
# check for krb5-config from recent MIT and Heimdal kerberos 5
|
||||
AC_PATH_PROG(KRB5_CONFIG, krb5-config)
|
||||
AC_MSG_CHECKING(for working krb5-config)
|
||||
if test -x "$KRB5_CONFIG"; then
|
||||
ac_save_CFLAGS=$CFLAGS
|
||||
CFLAGS="";export CFLAGS
|
||||
ac_save_LDFLAGS=$LDFLAGS
|
||||
LDFLAGS="";export LDFLAGS
|
||||
KRB5_LIBS="`$KRB5_CONFIG --libs gssapi`"
|
||||
KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
|
||||
KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
|
||||
CFLAGS=$ac_save_CFLAGS;export CFLAGS
|
||||
LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS
|
||||
FOUND_KRB5=yes
|
||||
AC_MSG_RESULT(yes)
|
||||
else
|
||||
AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy)
|
||||
fi
|
||||
|
||||
|
||||
if test x$FOUND_KRB5 = x"no"; then
|
||||
#################################################
|
||||
# check for location of Kerberos 5 install
|
||||
@ -2656,12 +2636,36 @@ if test x"$with_ads_support" != x"no"; then
|
||||
KRB5_CPPFLAGS="-I$withval/include"
|
||||
KRB5_LDFLAGS="-L$withval/lib"
|
||||
FOUND_KRB5=yes
|
||||
if test -x "$withval/bin/krb5-config"; then
|
||||
KRB5_CONFIG=$withval/bin/krb5-config
|
||||
fi
|
||||
;;
|
||||
esac ],
|
||||
AC_MSG_RESULT(no krb5-path given)
|
||||
)
|
||||
fi
|
||||
|
||||
#################################################
|
||||
# check for krb5-config from recent MIT and Heimdal kerberos 5
|
||||
AC_PATH_PROG(KRB5_CONFIG, krb5-config)
|
||||
AC_MSG_CHECKING(for working krb5-config)
|
||||
if test -x "$KRB5_CONFIG"; then
|
||||
ac_save_CFLAGS=$CFLAGS
|
||||
CFLAGS="";export CFLAGS
|
||||
ac_save_LDFLAGS=$LDFLAGS
|
||||
LDFLAGS="";export LDFLAGS
|
||||
KRB5_LIBS="`$KRB5_CONFIG --libs gssapi`"
|
||||
KRB5_LDFLAGS="`$KRB5_CONFIG --libs gssapi | sed s/-lgss.*//`"
|
||||
KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
|
||||
KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
|
||||
CFLAGS=$ac_save_CFLAGS;export CFLAGS
|
||||
LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS
|
||||
FOUND_KRB5=yes
|
||||
AC_MSG_RESULT(yes)
|
||||
else
|
||||
AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy)
|
||||
fi
|
||||
|
||||
if test x$FOUND_KRB5 = x"no"; then
|
||||
#################################################
|
||||
# see if this box has the SuSE location for the heimdal krb implementation
|
||||
@ -2700,9 +2704,9 @@ if test x"$with_ads_support" != x"no"; then
|
||||
ac_save_CPPFLAGS=$CPPFLAGS
|
||||
ac_save_LDFLAGS=$LDFLAGS
|
||||
|
||||
CFLAGS="$CFLAGS $KRB5_CFLAGS"
|
||||
CPPFLAGS="$CPPFLAGS $KRB5_CPPFLAGS"
|
||||
LDFLAGS="$LDFLAGS $KRB5_LDFLAGS"
|
||||
CFLAGS="$KRB5_CFLAGS $CFLAGS"
|
||||
CPPFLAGS="$KRB5_CPPFLAGS $CPPFLAGS"
|
||||
LDFLAGS="$KRB5_LDFLAGS $LDFLAGS"
|
||||
|
||||
KRB5_LIBS="$KRB5_LDFLAGS $KRB5_LIBS"
|
||||
|
||||
@ -2789,7 +2793,7 @@ if test x"$with_ads_support" != x"no"; then
|
||||
AC_CHECK_FUNC_EXT(krb5_c_enctype_compare, $KRB5_LIBS)
|
||||
AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS)
|
||||
|
||||
LIBS="$LIBS $KRB5_LIBS"
|
||||
LIBS="$KRB5_LIBS $LIBS"
|
||||
|
||||
AC_CACHE_CHECK([for addrtype in krb5_address],
|
||||
samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS,[
|
||||
|
@ -262,9 +262,8 @@ NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket,
|
||||
goto out;
|
||||
}
|
||||
|
||||
name_to_fqdn(myname, global_myname());
|
||||
strlower_m(myname);
|
||||
asprintf(&host_princ_s, "host/%s@%s", myname, lp_realm());
|
||||
asprintf(&host_princ_s, "%s$", global_myname());
|
||||
strlower_m(host_princ_s);
|
||||
ret = krb5_parse_name(context, host_princ_s, &host_princ);
|
||||
if (ret) {
|
||||
DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
|
||||
|
@ -24,39 +24,45 @@
|
||||
|
||||
ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
|
||||
{
|
||||
char *tmp_password;
|
||||
char *password;
|
||||
char *new_password;
|
||||
char *service_principal;
|
||||
ADS_STATUS ret;
|
||||
uint32 sec_channel_type;
|
||||
char *password;
|
||||
char *new_password;
|
||||
char *service_principal;
|
||||
ADS_STATUS ret;
|
||||
uint32 sec_channel_type;
|
||||
|
||||
if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
|
||||
DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
|
||||
return ADS_ERROR_SYSTEM(ENOENT);
|
||||
}
|
||||
if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
|
||||
DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
|
||||
return ADS_ERROR_SYSTEM(ENOENT);
|
||||
}
|
||||
|
||||
tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
|
||||
new_password = strdup(tmp_password);
|
||||
new_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
|
||||
|
||||
asprintf(&service_principal, "HOST/%s", host_principal);
|
||||
asprintf(&service_principal, "HOST/%s", host_principal);
|
||||
|
||||
ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
|
||||
ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
|
||||
|
||||
if (!ADS_ERR_OK(ret)) goto failed;
|
||||
if (!ADS_ERR_OK(ret)) {
|
||||
goto failed;
|
||||
}
|
||||
|
||||
if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
|
||||
DEBUG(1,("Failed to save machine password\n"));
|
||||
return ADS_ERROR_SYSTEM(EACCES);
|
||||
}
|
||||
if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
|
||||
DEBUG(1,("Failed to save machine password\n"));
|
||||
ret = ADS_ERROR_SYSTEM(EACCES);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
/* Determine if the KDC is salting keys for this principal in a
|
||||
* non-obvious way. */
|
||||
if (!kerberos_derive_salting_principal(service_principal)) {
|
||||
DEBUG(1,("Failed to determine correct salting principal for %s\n", service_principal));
|
||||
ret = ADS_ERROR_SYSTEM(EACCES);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
failed:
|
||||
SAFE_FREE(service_principal);
|
||||
SAFE_FREE(new_password);
|
||||
|
||||
return ret;
|
||||
SAFE_FREE(service_principal);
|
||||
SAFE_FREE(password);
|
||||
SAFE_FREE(new_password);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
|
||||
#endif
|
||||
|
Loading…
Reference in New Issue
Block a user