svn commit: samba r3452 - in trunk/source: . libads
jra at samba.org
jra at samba.org
Tue Nov 2 02:23:13 GMT 2004
Author: jra
Date: 2004-11-02 02:22:13 +0000 (Tue, 02 Nov 2004)
New Revision: 3452
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=3452
Log:
Finish off kerberos salting patch. Needs testing !
Jeremy.
Modified:
trunk/source/configure.in
trunk/source/libads/kerberos_verify.c
trunk/source/libads/util.c
Changeset:
Modified: trunk/source/configure.in
===================================================================
--- trunk/source/configure.in 2004-11-02 02:21:26 UTC (rev 3451)
+++ trunk/source/configure.in 2004-11-02 02:22:13 UTC (rev 3452)
@@ -2616,27 +2616,7 @@
# Do no harm to the values of CFLAGS and LIBS while testing for
# Kerberos support.
-
- #################################################
- # check for krb5-config from recent MIT and Heimdal kerberos 5
- AC_PATH_PROG(KRB5_CONFIG, krb5-config)
- AC_MSG_CHECKING(for working krb5-config)
- if test -x "$KRB5_CONFIG"; then
- ac_save_CFLAGS=$CFLAGS
- CFLAGS="";export CFLAGS
- ac_save_LDFLAGS=$LDFLAGS
- LDFLAGS="";export LDFLAGS
- KRB5_LIBS="`$KRB5_CONFIG --libs gssapi`"
- KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
- KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
- CFLAGS=$ac_save_CFLAGS;export CFLAGS
- LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS
- FOUND_KRB5=yes
- AC_MSG_RESULT(yes)
- else
- AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy)
- fi
-
+
if test x$FOUND_KRB5 = x"no"; then
#################################################
# check for location of Kerberos 5 install
@@ -2657,12 +2637,36 @@
KRB5_CPPFLAGS="-I$withval/include"
KRB5_LDFLAGS="-L$withval/lib"
FOUND_KRB5=yes
+ if test -x "$withval/bin/krb5-config"; then
+ KRB5_CONFIG=$withval/bin/krb5-config
+ fi
;;
esac ],
AC_MSG_RESULT(no krb5-path given)
)
fi
+ #################################################
+ # check for krb5-config from recent MIT and Heimdal kerberos 5
+ AC_PATH_PROG(KRB5_CONFIG, krb5-config)
+ AC_MSG_CHECKING(for working krb5-config)
+ if test -x "$KRB5_CONFIG"; then
+ ac_save_CFLAGS=$CFLAGS
+ CFLAGS="";export CFLAGS
+ ac_save_LDFLAGS=$LDFLAGS
+ LDFLAGS="";export LDFLAGS
+ KRB5_LIBS="`$KRB5_CONFIG --libs gssapi`"
+ KRB5_LDFLAGS="`$KRB5_CONFIG --libs gssapi | sed s/-lgss.*//`"
+ KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ CFLAGS=$ac_save_CFLAGS;export CFLAGS
+ LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS
+ FOUND_KRB5=yes
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy)
+ fi
+
if test x$FOUND_KRB5 = x"no"; then
#################################################
# see if this box has the SuSE location for the heimdal krb implementation
@@ -2701,9 +2705,9 @@
ac_save_CPPFLAGS=$CPPFLAGS
ac_save_LDFLAGS=$LDFLAGS
- CFLAGS="$CFLAGS $KRB5_CFLAGS"
- CPPFLAGS="$CPPFLAGS $KRB5_CPPFLAGS"
- LDFLAGS="$LDFLAGS $KRB5_LDFLAGS"
+ CFLAGS="$KRB5_CFLAGS $CFLAGS"
+ CPPFLAGS="$KRB5_CPPFLAGS $CPPFLAGS"
+ LDFLAGS="$KRB5_LDFLAGS $LDFLAGS"
KRB5_LIBS="$KRB5_LDFLAGS $KRB5_LIBS"
@@ -2790,7 +2794,7 @@
AC_CHECK_FUNC_EXT(krb5_c_enctype_compare, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS)
- LIBS="$LIBS $KRB5_LIBS"
+ LIBS="$KRB5_LIBS $LIBS"
AC_CACHE_CHECK([for addrtype in krb5_address],
samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS,[
Modified: trunk/source/libads/kerberos_verify.c
===================================================================
--- trunk/source/libads/kerberos_verify.c 2004-11-02 02:21:26 UTC (rev 3451)
+++ trunk/source/libads/kerberos_verify.c 2004-11-02 02:22:13 UTC (rev 3452)
@@ -270,9 +270,8 @@
goto out;
}
- name_to_fqdn(myname, global_myname());
- strlower_m(myname);
- asprintf(&host_princ_s, "host/%s@%s", myname, lp_realm());
+ asprintf(&host_princ_s, "%s$", global_myname());
+ strlower_m(host_princ_s);
ret = krb5_parse_name(context, host_princ_s, &host_princ);
if (ret) {
DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
Modified: trunk/source/libads/util.c
===================================================================
--- trunk/source/libads/util.c 2004-11-02 02:21:26 UTC (rev 3451)
+++ trunk/source/libads/util.c 2004-11-02 02:22:13 UTC (rev 3452)
@@ -20,63 +20,67 @@
#include "includes.h"
-#ifdef HAVE_KRB5
-
ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
{
- char *tmp_password;
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- SAM_TRUST_PASSWD *trust = NULL;
- char *password;
- char *new_password;
- char *service_principal;
- ADS_STATUS ret;
- uint32 sec_channel_type;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ SAM_TRUST_PASSWD *trust = NULL;
+ char *password = NULL;
+ char *new_password = NULL;
+ char *service_principal = NULL;
+ ADS_STATUS ret;
+ uint32 sec_channel_type;
- nt_status = pdb_init_trustpw(&trust);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("Could not init trust password\n"));
- return ADS_ERROR_SYSTEM(ENOMEM);
- }
+ nt_status = pdb_init_trustpw(&trust);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Could not init trust password\n"));
+ return ADS_ERROR_SYSTEM(ENOMEM);
+ }
- nt_status = pdb_gettrustpwnam(trust, lp_workgroup());
- if (!NT_STATUS_IS_OK(nt_status) || !(trust->private.flags | PASS_MACHINE_TRUST_ADS)) {
- DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
- trust->free_fn(&trust);
- return ADS_ERROR_SYSTEM(ENOENT);
- }
+ nt_status = pdb_gettrustpwnam(trust, lp_workgroup());
+ if (!NT_STATUS_IS_OK(nt_status) || !(trust->private.flags | PASS_MACHINE_TRUST_ADS)) {
+ DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
+ trust->free_fn(&trust);
+ return ADS_ERROR_SYSTEM(ENOENT);
+ }
- password = trust->private.pass.data;
- sec_channel_type = SCHANNEL_TYPE(trust->private.flags);
+ password = trust->private.pass.data;
+ sec_channel_type = SCHANNEL_TYPE(trust->private.flags);
- tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
- new_password = strdup(tmp_password);
+ new_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
- asprintf(&service_principal, "HOST/%s", host_principal);
+ asprintf(&service_principal, "HOST/%s", host_principal);
- ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
+ ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
- if (!ADS_ERR_OK(ret)) goto failed;
+ if (!ADS_ERR_OK(ret)) {
+ goto failed;
+ }
- pdb_set_tp_pass(trust, new_password, strlen(new_password) + 1);
- trust->private.pass.data[trust->private.pass.length] = '\0';
- pdb_set_tp_mod_time(trust, time(NULL));
+ pdb_set_tp_pass(trust, new_password, strlen(new_password) + 1);
+ trust->private.pass.data[trust->private.pass.length] = '\0';
+ pdb_set_tp_mod_time(trust, time(NULL));
- nt_status = pdb_update_trust_passwd(trust);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(1,("Failed to update trust password\n"));
- trust->free_fn(&trust);
- return ADS_ERROR_SYSTEM(EACCES);
- }
+ nt_status = pdb_update_trust_passwd(trust);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1,("Failed to update trust password\n"));
+ ret = ADS_ERROR_SYSTEM(EACCES);
+ goto failed;
+ }
+
+ /* Determine if the KDC is salting keys for this principal in a
+ * non-obvious way. */
+ if (!kerberos_derive_salting_principal(service_principal)) {
+ DEBUG(1,("Failed to determine correct salting principal for %s\n", service_principal));
+ ret = ADS_ERROR_SYSTEM(EACCES);
+ goto failed;
+ }
+
failed:
- SAFE_FREE(service_principal);
- SAFE_FREE(new_password);
- trust->free_fn(&trust);
+ SAFE_FREE(service_principal);
+ SAFE_FREE(new_password);
+ trust->free_fn(&trust);
- return ret;
+ return ret;
}
-
-
-
#endif
More information about the samba-cvs
mailing list