From ff4cb6b5e80731856d6f3f7eebd8fc23902e3580 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 2 Nov 2004 02:21:26 +0000
Subject: [PATCH] r3451: Finish off kerberos salting patch. Needs testing ! Jeremy.

---
 source/configure.in | 54 ++++++++++++++++--------------
 source/libads/kerberos_verify.c | 5 ++-
 source/libads/util.c | 58 ++++++++++++++++++---------------
 3 files changed, 63 insertions(+), 54 deletions(-)

diff --git a/source/configure.in b/source/configure.in
index c7335c5df0c..d32d6843586 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -2615,27 +2615,7 @@ if test x"$with_ads_support" != x"no"; then
   # Do no harm to the values of CFLAGS and LIBS while testing for
   # Kerberos support.
-
-  #################################################
-  # check for krb5-config from recent MIT and Heimdal kerberos 5
-  AC_PATH_PROG(KRB5_CONFIG, krb5-config)
-  AC_MSG_CHECKING(for working krb5-config)
-  if test -x "$KRB5_CONFIG"; then
-    ac_save_CFLAGS=$CFLAGS
-    CFLAGS="";export CFLAGS
-    ac_save_LDFLAGS=$LDFLAGS
-    LDFLAGS="";export LDFLAGS
-    KRB5_LIBS="`$KRB5_CONFIG --libs gssapi`"
-    KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
-    KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
-    CFLAGS=$ac_save_CFLAGS;export CFLAGS
-    LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS
-    FOUND_KRB5=yes
-    AC_MSG_RESULT(yes)
-  else
-    AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy)
-  fi
-
+
   if test x$FOUND_KRB5 = x"no"; then
   #################################################
   # check for location of Kerberos 5 install
@@ -2656,12 +2636,36 @@ if test x"$with_ads_support" != x"no"; then
       KRB5_CPPFLAGS="-I$withval/include"
       KRB5_LDFLAGS="-L$withval/lib"
       FOUND_KRB5=yes
+      if test -x "$withval/bin/krb5-config"; then
+        KRB5_CONFIG=$withval/bin/krb5-config
+      fi
       ;;
     esac ],
     AC_MSG_RESULT(no krb5-path given)
   )
   fi
+  #################################################
+  # check for krb5-config from recent MIT and Heimdal kerberos 5
+  AC_PATH_PROG(KRB5_CONFIG, krb5-config)
+  AC_MSG_CHECKING(for working krb5-config)
+  if test -x "$KRB5_CONFIG"; then
+    ac_save_CFLAGS=$CFLAGS
+    CFLAGS="";export CFLAGS
+    ac_save_LDFLAGS=$LDFLAGS
+    LDFLAGS="";export LDFLAGS
+    KRB5_LIBS="`$KRB5_CONFIG --libs gssapi`"
+    KRB5_LDFLAGS="`$KRB5_CONFIG --libs gssapi | sed s/-lgss.*//`"
+    KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+    KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+    CFLAGS=$ac_save_CFLAGS;export CFLAGS
+    LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS
+    FOUND_KRB5=yes
+    AC_MSG_RESULT(yes)
+  else
+    AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy)
+  fi
+
   if test x$FOUND_KRB5 = x"no"; then
   #################################################
   # see if this box has the SuSE location for the heimdal krb implementation
@@ -2700,9 +2704,9 @@ if test x"$with_ads_support" != x"no"; then
   ac_save_CPPFLAGS=$CPPFLAGS
   ac_save_LDFLAGS=$LDFLAGS
-  CFLAGS="$CFLAGS $KRB5_CFLAGS"
-  CPPFLAGS="$CPPFLAGS $KRB5_CPPFLAGS"
-  LDFLAGS="$LDFLAGS $KRB5_LDFLAGS"
+  CFLAGS="$KRB5_CFLAGS $CFLAGS"
+  CPPFLAGS="$KRB5_CPPFLAGS $CPPFLAGS"
+  LDFLAGS="$KRB5_LDFLAGS $LDFLAGS"
   KRB5_LIBS="$KRB5_LDFLAGS $KRB5_LIBS"
@@ -2789,7 +2793,7 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(krb5_c_enctype_compare, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS)
-  LIBS="$LIBS $KRB5_LIBS"
+  LIBS="$KRB5_LIBS $LIBS"
   AC_CACHE_CHECK([for addrtype in krb5_address], samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS,[
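Review bot: The krb5-config probe that this hunk moves after the `--with-krb5` handling can override an explicit `--with-krb5=dir`: when `$withval/bin/krb5-config` does not exist, `KRB5_CONFIG` stays empty, `AC_PATH_PROG` then picks up whatever krb5-config is first on `$PATH`, and its `--cflags`/`--libs` output replaces the `KRB5_CFLAGS`, `KRB5_CPPFLAGS` and `KRB5_LDFLAGS` just derived from the user's directory, so configure may silently test against a different Kerberos than the one requested. Guarding the PATH search with the flag the rest of the detection already keys on, `if test x"$FOUND_KRB5" = x"no"; then` / `AC_PATH_PROG(KRB5_CONFIG, krb5-config)` / `fi`, keeps the probe for the default case while a krb5-config found under `$withval` is still used because `KRB5_CONFIG` is already set. The `sed s/-lgss.*//` used to derive `KRB5_LDFLAGS` assumes every `-L` option precedes the first `-lgss…` in the `--libs` output; that matches the MIT and Heimdal layouts I am aware of but is worth a one-line comment next to it. The enclosing `if test x"$with_ads_support" != x"no"` block starts and ends outside the hunk.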
diff --git a/source/libads/kerberos_verify.c b/source/libads/kerberos_verify.c
index 140d7550add..8524fc5d05a 100644
--- a/source/libads/kerberos_verify.c
+++ b/source/libads/kerberos_verify.c
@@ -262,9 +262,8 @@ NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket,
 		goto out;
 	}
-	name_to_fqdn(myname, global_myname());
-	strlower_m(myname);
-	asprintf(&host_princ_s, "host/%s@%s", myname, lp_realm());
+	asprintf(&host_princ_s, "%s$", global_myname());
+	strlower_m(host_princ_s);
 	ret = krb5_parse_name(context, host_princ_s, &host_princ);
 	if (ret) {
 		DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
diff --git a/source/libads/util.c b/source/libads/util.c
index 9912a7ba831..f5b88735387 100644
--- a/source/libads/util.c
+++ b/source/libads/util.c
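Review bot: The new `strlower_m(host_princ_s)` operates on the result of an unchecked `asprintf`; on allocation failure that pointer is indeterminate, whereas the old code lowercased a fixed local buffer, so the call should be guarded, e.g. `if (asprintf(&host_princ_s, "%s$", global_myname()) == -1) { goto out; }` after setting whatever out-of-memory status this function returns (the status variable and the `out:` cleanup are outside the hunk). Dropping the `@%s` realm suffix also changes which realm `krb5_parse_name` applies: it now comes from the libkrb5 default_realm rather than `lp_realm()`, and if those can differ in a deployment the ticket's service principal will not match; keeping `"%s$@%s", global_myname(), lp_realm()` preserves the old behaviour while still switching to the machine-account name. If `myname` is no longer referenced elsewhere in this function its declaration (outside the hunk) is now dead. `ads_verify_ticket` starts and ends outside this hunk.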
@@ -24,39 +24,45 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
 {
-	char *tmp_password;
-	char *password;
-	char *new_password;
-	char *service_principal;
-	ADS_STATUS ret;
-	uint32 sec_channel_type;
+	char *password;
+	char *new_password;
+	char *service_principal;
+	ADS_STATUS ret;
+	uint32 sec_channel_type;
-	if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
-		DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
-		return ADS_ERROR_SYSTEM(ENOENT);
-	}
+	if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
+		DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
+		return ADS_ERROR_SYSTEM(ENOENT);
+	}
-	tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
-	new_password = strdup(tmp_password);
+	new_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
-	asprintf(&service_principal, "HOST/%s", host_principal);
+	asprintf(&service_principal, "HOST/%s", host_principal);
-	ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
+	ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
-	if (!ADS_ERR_OK(ret)) goto failed;
+	if (!ADS_ERR_OK(ret)) {
+		goto failed;
+	}
-	if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
-		DEBUG(1,("Failed to save machine password\n"));
-		return ADS_ERROR_SYSTEM(EACCES);
-	}
+	if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
+		DEBUG(1,("Failed to save machine password\n"));
+		ret = ADS_ERROR_SYSTEM(EACCES);
+		goto failed;
+	}
+
+	/* Determine if the KDC is salting keys for this principal in a
+	 * non-obvious way. */
+	if (!kerberos_derive_salting_principal(service_principal)) {
+		DEBUG(1,("Failed to determine correct salting principal for %s\n", service_principal));
+		ret = ADS_ERROR_SYSTEM(EACCES);
+		goto failed;
+	}
 failed:
-	SAFE_FREE(service_principal);
-	SAFE_FREE(new_password);
-
-	return ret;
+	SAFE_FREE(service_principal);
+	SAFE_FREE(password);
+	SAFE_FREE(new_password);
+	return ret;
 }
-
-
-
 #endif
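Review bot: `SAFE_FREE(new_password)` under `failed:` now releases the pointer returned directly by `generate_random_str`, while the `strdup(tmp_password)` this hunk removes indicates that buffer was not heap memory the caller owned; unless generate_random_str (not in this file) has been changed to allocate, every call now frees memory it does not own, and restoring the copy, `new_password = strdup(generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH));` followed by a NULL check, keeps the ownership the old code had. The new `kerberos_derive_salting_principal` check runs after `kerberos_set_password` and `secrets_store_machine_password` have both succeeded, so its EACCES return now also covers a password change that was already committed at the KDC and on disk; a caller that retries the change on any failure would then present a stale password, so that deserves a comment at the check such as `/* the password change is already committed here; a failure below must not be retried with the old password */` or a distinct error. `asprintf(&service_principal, ...)` is still unchecked, and a NULL service principal would reach `kerberos_set_password`. Both `password` and `new_password` hold long-lived machine-account secrets and are released with plain `SAFE_FREE` without being cleared first.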