much closer. This changes PIDL to allow a subcontext to have a pad8 flag, saying to pad behind to an 8 byte boundary. This is the only way I can explain the 4 trailing zeros in the signature struct. Far more importantly, the PAC code is now under self-test, both in creating/parsing our own PAC, but also a PAC from my win2k3 server. This required changing auth_anonymous, because I wanted to reuse the anonymous 'server_info' generation code. I'm still having trouble with PIDL, particularly as surrounds value(), but I'll follow up on the list. Andrew Bartlett (This used to be commit 50a54bf4e9bf04d2a8e0aebb3482a2ff655c8bbb)
/*
Unix SMB/CIFS implementation.
PAC Glue between Samba and the KDC
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "kdc/kdc.h"
#include "kdc/pac-glue.h" /* Ensure we don't get this prototype wrong, as that could be painful */
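/*
 * Build the PAC for `client` on behalf of the KDC.
 *
 * The client principal is unparsed to recover the user name and realm,
 * the matching server_info is fetched with sam_get_server_info(), encoded
 * into a PAC by kerberos_encode_pac() (which receives the krbtgt and
 * server keys, presumably for the PAC signatures), and the result is
 * copied into `pac` with krb5_data_copy() - the caller owns that copy.
 *
 * @param context          Kerberos library context.
 * @param config           KDC configuration; used here only as the talloc
 *                         parent of the temporary memory context.
 * @param client           Client principal the ticket is issued for.
 * @param krbtgt_keyblock  Passed through to kerberos_encode_pac().
 * @param server_keyblock  Passed through to kerberos_encode_pac().
 * @param pac              Out: the encoded PAC.
 *
 * @return 0 on success; ENOMEM when an allocation fails, EINVAL when the
 *         SAM lookup fails, otherwise the error from the failing krb5 call.
 *
 * Every intermediate allocation hangs off a private talloc context that is
 * released on all exit paths, including the SAM-lookup failure path which
 * previously leaked it.
 */
krb5_error_code samba_get_pac(krb5_context context,
			      struct krb5_kdc_configuration *config,
			      krb5_principal client,
			      krb5_keyblock *krbtgt_keyblock,
			      krb5_keyblock *server_keyblock,
			      krb5_data *pac)
{
	krb5_error_code ret;
	NTSTATUS nt_status;
	struct auth_serversupplied_info *server_info;
	char *krb5_username = NULL;
	char *username, *p;
	const char *realm;
	DATA_BLOB tmp_blob;
	TALLOC_CTX *mem_ctx = talloc_named(config, 0, "samba_get_pac context");

	if (!mem_ctx) {
		return ENOMEM;
	}

	/* krb5_unparse_name allocates with the krb5 allocator, not talloc,
	 * so the string must be released with krb5_free_unparsed_name. */
	ret = krb5_unparse_name(context, client, &krb5_username);
	if (ret != 0) {
		krb5_set_error_string(context, "get pac: could not parse principal");
		krb5_warnx(context, "get pac: could not parse principal");
		talloc_free(mem_ctx);
		return ret;
	}

	/* parse the principal name */
	realm = krb5_principal_get_realm(context, client);

	/* Take a talloc copy and drop the krb5-owned string immediately
	 * (the original overwrote the pointer and leaked it). */
	username = talloc_strdup(mem_ctx, krb5_username);
	krb5_free_unparsed_name(context, krb5_username);
	if (!username) {
		talloc_free(mem_ctx);
		return ENOMEM;
	}

	/* Strip the "@REALM" suffix to obtain the bare user name.
	 * NOTE(review): krb5_unparse_name quotes '@' occurring inside a
	 * principal component, so a component that itself contains '@'
	 * would be cut short at the first one here; confirm whether such
	 * names can reach this code. */
	p = strchr(username, '@');
	if (p) {
		p[0] = '\0';
	}

	nt_status = sam_get_server_info(mem_ctx, username, realm,
					data_blob(NULL, 0), data_blob(NULL, 0),
					&server_info);
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("Getting user info for PAC failed: %s\n",
			  nt_errstr(nt_status)));
		/* Release the context on this path too (was leaked). */
		talloc_free(mem_ctx);
		return EINVAL;
	}

	ret = kerberos_encode_pac(mem_ctx, server_info,
				  context,
				  krbtgt_keyblock,
				  server_keyblock,
				  &tmp_blob);
	if (ret) {
		DEBUG(1, ("PAC encoding failed: %s\n",
			  smb_get_krb5_error_message(context, ret, mem_ctx)));
		talloc_free(mem_ctx);
		return ret;
	}

	/* Give the caller its own copy; tmp_blob is freed with mem_ctx. */
	ret = krb5_data_copy(pac, tmp_blob.data, tmp_blob.length);
	talloc_free(mem_ctx);
	return ret;
}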