svn commit: samba r3492 - in branches/SAMBA_3_0/source: libads utils

jra at samba.org jra at samba.org
Tue Nov 2 21:28:18 GMT 2004


Author: jra
Date: 2004-11-02 21:28:14 +0000 (Tue, 02 Nov 2004)
New Revision: 3492

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=3492

Log:
Fixes from testing kerberos salted principal fix.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/libads/kerberos.c
   branches/SAMBA_3_0/source/libads/kerberos_keytab.c
   branches/SAMBA_3_0/source/utils/net_ads.c


Changeset:
Modified: branches/SAMBA_3_0/source/libads/kerberos.c
===================================================================
--- branches/SAMBA_3_0/source/libads/kerberos.c	2004-11-02 21:28:07 UTC (rev 3491)
+++ branches/SAMBA_3_0/source/libads/kerberos.c	2004-11-02 21:28:14 UTC (rev 3492)
@@ -362,8 +362,8 @@
 	}
 
 	if ((err = krb5_get_credentials(ctx, 0, ccache, &creds, &new_creds))) {
-		DEBUG(5,("get_service_ticket: krb5_get_credentials for %s failed: %s\n", 
-			service_s, error_message(err)));
+		DEBUG(5,("get_service_ticket: krb5_get_credentials for %s enctype %d failed: %s\n", 
+			service_s, enctype, error_message(err)));
 		goto out;
 	}
 
@@ -602,24 +602,13 @@
  Go through all the possible enctypes for this principal.
  ************************************************************************/
 
- void kerberos_derive_salting_principal(krb5_context context,
+static void kerberos_derive_salting_principal_direct(krb5_context context,
 					krb5_ccache ccache,
 					krb5_enctype *enctypes,
 					char *service_principal)
 {
 	int i;
-	BOOL free_ccache = False;
 
-	if (ccache == NULL) {
-		krb5_error_code ret;
-		if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
-			DEBUG(0, ("kerberos_derive_salting_principal: krb5_cc_resolve for %s failed: %s\n", 
-				LIBADS_CCACHE_NAME, error_message(ret)));
-			return;
-		}
-		free_ccache = True;
-	}
-
 	/* Try for each enctype separately, because the rules are
 	 * different for different enctypes. */
 	for (i = 0; enctypes[i] != 0; i++) {
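Review bot: kerberos_derive_salting_principal_direct now has an undocumented precondition: the removed block resolved LIBADS_CCACHE_NAME when ccache was NULL and closed it afterwards, so the function now requires an already-resolved ccache that the caller owns and closes, while the header comment above still reads as if any input were accepted. I would extend the comment block to say `ccache must be a resolved credential cache; it is neither NULL-checked nor closed here, the caller owns it.` and likewise note that enctypes must be a zero-terminated list, which the loop condition relies on. The function body continues past the end of this hunk.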
@@ -640,10 +629,49 @@
 								enctypes[i],
 								enctypes);
 	}
+}
 
-	if (free_ccache && ccache) {
-		krb5_cc_close(context, ccache);
+/************************************************************************
+ Wrapper function for the above.
+ ************************************************************************/
+
+void kerberos_derive_salting_principal(char *service_principal)
+{
+	krb5_context context = NULL;
+	krb5_enctype *enctypes = NULL;
+	krb5_ccache ccache = NULL;
+	krb5_error_code ret = 0;
+
+	initialize_krb5_error_table();
+	if ((ret = krb5_init_context(&context)) != 0) {
+		DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. %s\n",
+			error_message(ret)));
+		return;
 	}
+	if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) {
+		DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n",
+			error_message(ret)));
+		goto out;
+	}
+
+	if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
+		DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n", 
+			LIBADS_CCACHE_NAME, error_message(ret)));
+		goto out;
+	}
+
+	kerberos_derive_salting_principal_direct(context, ccache, enctypes, service_principal);
+
+  out: 
+	if (enctypes) {
+		free_kerberos_etypes(context, enctypes);
+	}
+	if (ccache) {
+		krb5_cc_destroy(context, ccache);
+	}
+	if (context) {
+		krb5_free_context(context);
+	}
 }
 
 /************************************************************************
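Review bot: The new wrapper kerberos_derive_salting_principal is declared `void`, yet the net_ads.c hunk below tests its result with `if (!kerberos_derive_salting_principal(machine_account))`, which will not compile against this definition and in any case gives the caller no way to see that krb5_init_context, get_kerberos_allowed_etypes or krb5_cc_resolve failed; the same check is applied to kerberos_derive_cifs_salting_principals, whose signature is outside this diff and should be verified as well. The three DEBUG prefixes in the wrapper also name other functions (`kerberos_derive_cifs_salting_principals:` on the first two, `get_service_ticket:` on the krb5_cc_resolve failure), which will send anyone reading the log to the wrong place. Separately, the cleanup path calls `krb5_cc_destroy` on the cache resolved from LIBADS_CCACHE_NAME where the removed code only called `krb5_cc_close`; if that name refers to a cache shared with other callers, every call of this wrapper (including the one in kerberos_keytab.c) now wipes it, so this deserves a comment stating it is intentional or a switch back to close. The change below returns a BOOL so the callers' checks become meaningful; the prototype in the header is not part of this diff and needs the matching update.
```c
BOOL kerberos_derive_salting_principal(char *service_principal)
{
	BOOL ok = False;
	krb5_context context = NULL;
	krb5_enctype *enctypes = NULL;
	krb5_ccache ccache = NULL;
	krb5_error_code ret = 0;

	initialize_krb5_error_table();
	if ((ret = krb5_init_context(&context)) != 0) {
		DEBUG(1,("kerberos_derive_salting_principal: krb5_init_context failed. %s\n",
			error_message(ret)));
		return False;
	}
	/* … unchanged: get_kerberos_allowed_etypes and krb5_cc_resolve, each goto out on failure … */

	kerberos_derive_salting_principal_direct(context, ccache, enctypes, service_principal);
	ok = True;

  out:
	/* … unchanged: enctypes / ccache / context cleanup … */
	return ok;
}
```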
@@ -681,38 +709,38 @@
 
 	if (asprintf(&service, "%s$", global_myname()) != -1) {
 		strlower_m(service);
-		kerberos_derive_salting_principal(context, ccache, enctypes, service);
+		kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 		SAFE_FREE(service);
 	}
 	if (asprintf(&service, "cifs/%s", global_myname()) != -1) {
 		strlower_m(service);
-		kerberos_derive_salting_principal(context, ccache, enctypes, service);
+		kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 		SAFE_FREE(service);
 	}
 	if (asprintf(&service, "host/%s", global_myname()) != -1) {
 		strlower_m(service);
-		kerberos_derive_salting_principal(context, ccache, enctypes, service);
+		kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 		SAFE_FREE(service);
 	}
 	if (asprintf(&service, "cifs/%s.%s", global_myname(), lp_realm()) != -1) {
 		strlower_m(service);
-		kerberos_derive_salting_principal(context, ccache, enctypes, service);
+		kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 		SAFE_FREE(service);
 	}
 	if (asprintf(&service, "host/%s.%s", global_myname(), lp_realm()) != -1) {
 		strlower_m(service);
-		kerberos_derive_salting_principal(context, ccache, enctypes, service);
+		kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 		SAFE_FREE(service);
 	}
 	name_to_fqdn(my_fqdn, global_myname());
 	if (asprintf(&service, "cifs/%s", my_fqdn) != -1) {
 		strlower_m(service);
-		kerberos_derive_salting_principal(context, ccache, enctypes, service);
+		kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 		SAFE_FREE(service);
 	}
 	if (asprintf(&service, "host/%s", my_fqdn) != -1) {
 		strlower_m(service);
-		kerberos_derive_salting_principal(context, ccache, enctypes, service);
+		kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 		SAFE_FREE(service);
 	}
 

Modified: branches/SAMBA_3_0/source/libads/kerberos_keytab.c
===================================================================
--- branches/SAMBA_3_0/source/libads/kerberos_keytab.c	2004-11-02 21:28:07 UTC (rev 3491)
+++ branches/SAMBA_3_0/source/libads/kerberos_keytab.c	2004-11-02 21:28:14 UTC (rev 3492)
@@ -128,7 +128,7 @@
 	}
 
 	/* Guess at how the KDC is salting keys for this principal. */
-	kerberos_derive_salting_principal(context, NULL, enctypes, princ_s);
+	kerberos_derive_salting_principal(princ_s);
 
 	ret = krb5_parse_name(context, princ_s, &princ);
 	if (ret) {

Modified: branches/SAMBA_3_0/source/utils/net_ads.c
===================================================================
--- branches/SAMBA_3_0/source/utils/net_ads.c	2004-11-02 21:28:07 UTC (rev 3491)
+++ branches/SAMBA_3_0/source/utils/net_ads.c	2004-11-02 21:28:14 UTC (rev 3492)
@@ -823,6 +823,20 @@
 		return -1;
 	}
 
+#ifdef HAVE_KRB5
+	if (!kerberos_derive_salting_principal(machine_account)) {
+		DEBUG(1,("Failed to determine salting principal\n"));
+		ads_destroy(&ads);
+		return -1;
+	}
+
+	if (!kerberos_derive_cifs_salting_principals()) {
+		DEBUG(1,("Failed to determine salting principals\n"));
+		ads_destroy(&ads);
+		return -1;
+	}
+#endif
+
 	if (!secrets_store_domain_sid(short_domain_name, &dom_sid)) {
 		DEBUG(1,("Failed to save domain sid\n"));
 		ads_destroy(&ads);


