mirror of
https://github.com/samba-team/samba.git
synced 2024-12-25 23:21:54 +03:00
5c6dd5e800
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now
don't do kerberos stuff twice on failure. The solution to this is
slightly more general than perhaps was really required (as this is a
special case), but it works, and I'm happy with the cleanup I achived
in the process. All modules have been updated to supply a
NULL-terminated list of OIDs.
In that process, SPNEGO code has been generalised, as I realised that
two of the functions should have been identical in behaviour.
Over in the actual modules, I have worked to remove the 'kinit' code
from gensec_krb5, and placed it in kerberos/kerberos_util.c.
The GSSAPI module has been extended to use this, so no longer requires
a manual kinit at the command line. It will soon loose the
requirement for a on-disk keytab too.
The general kerberos code has also been updated to move from
error_message() to our routine which gets the Heimdal error string
(which may be much more useful) when available.
Andrew Bartlett
(This used to be commit 0101728d8e)
121 lines
3.5 KiB
C
121 lines
3.5 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
|
|
Kerberos utility functions for GENSEC
|
|
|
|
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "system/kerberos.h"
|
|
#include "system/time.h"
|
|
#include "system/network.h"
|
|
#include "auth/kerberos/kerberos.h"
|
|
#include "auth/auth.h"
|
|
|
|
struct ccache_container {
|
|
krb5_context krb5_context;
|
|
krb5_ccache ccache;
|
|
} ccache_container;
|
|
|
|
#if 0
|
|
static int free_ccache(void *ptr) {
|
|
struct ccache_container *ccc = ptr;
|
|
/* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
|
|
krb5_cc_close(ccc->krb5_context, ccc->ccache);
|
|
|
|
return 0;
|
|
}
|
|
#endif
|
|
|
|
/**
|
|
* Return a freshly allocated ccache (destroyed by destructor on child
|
|
* of parent_ctx), for a given set of client credentials
|
|
*/
|
|
|
|
NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx,
|
|
struct cli_credentials *credentials,
|
|
krb5_context context,
|
|
krb5_ccache *ccache,
|
|
const char **ccache_name)
|
|
{
|
|
krb5_error_code ret;
|
|
const char *password;
|
|
char *ccache_string;
|
|
time_t kdc_time = 0;
|
|
struct ccache_container *mem_ctx = talloc(parent_ctx, struct ccache_container);
|
|
|
|
if (!mem_ctx) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
password = cli_credentials_get_password(credentials);
|
|
|
|
/* this string should be unique */
|
|
ccache_string = talloc_asprintf(mem_ctx, "MEMORY:%s_%s",
|
|
cli_credentials_get_principal(credentials, mem_ctx),
|
|
generate_random_str(mem_ctx, 16));
|
|
|
|
ret = krb5_cc_resolve(context, ccache_string, ccache);
|
|
if (ret) {
|
|
DEBUG(1,("failed to generate a new krb5 keytab (%s): %s\n",
|
|
ccache_string,
|
|
error_message(ret)));
|
|
talloc_free(mem_ctx);
|
|
return NT_STATUS_INTERNAL_ERROR;
|
|
}
|
|
|
|
mem_ctx->krb5_context = context;
|
|
mem_ctx->ccache = *ccache;
|
|
|
|
#if 0
|
|
talloc_set_destructor(mem_ctx, free_ccache);
|
|
#endif
|
|
ret = kerberos_kinit_password_cc(context, *ccache,
|
|
cli_credentials_get_principal(credentials, mem_ctx),
|
|
password, NULL, &kdc_time);
|
|
|
|
/* cope with ticket being in the future due to clock skew */
|
|
if ((unsigned)kdc_time > time(NULL)) {
|
|
time_t t = time(NULL);
|
|
int time_offset =(unsigned)kdc_time-t;
|
|
DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
|
|
krb5_set_real_time(context, t + time_offset + 1, 0);
|
|
}
|
|
|
|
if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
|
|
DEBUG(1,("kinit for %s failed (%s)\n",
|
|
cli_credentials_get_principal(credentials, mem_ctx),
|
|
smb_get_krb5_error_message(context,
|
|
ret, mem_ctx)));
|
|
talloc_free(mem_ctx);
|
|
return NT_STATUS_TIME_DIFFERENCE_AT_DC;
|
|
}
|
|
if (ret) {
|
|
DEBUG(1,("kinit for %s failed (%s)\n",
|
|
cli_credentials_get_principal(credentials, mem_ctx),
|
|
smb_get_krb5_error_message(context,
|
|
ret, mem_ctx)));
|
|
talloc_free(mem_ctx);
|
|
return NT_STATUS_WRONG_PASSWORD;
|
|
}
|
|
*ccache_name = ccache_string;
|
|
|
|
return NT_STATUS_OK;
|
|
}
|