svn commit: samba r3492 - in branches/SAMBA_3_0/source: libads utils
jra at samba.org
jra at samba.org
Tue Nov 2 21:28:18 GMT 2004
Author: jra
Date: 2004-11-02 21:28:14 +0000 (Tue, 02 Nov 2004)
New Revision: 3492
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=3492
Log:
Fixes from testing kerberos salted principal fix.
Jeremy.
Modified:
branches/SAMBA_3_0/source/libads/kerberos.c
branches/SAMBA_3_0/source/libads/kerberos_keytab.c
branches/SAMBA_3_0/source/utils/net_ads.c
Changeset:
Modified: branches/SAMBA_3_0/source/libads/kerberos.c
===================================================================
--- branches/SAMBA_3_0/source/libads/kerberos.c 2004-11-02 21:28:07 UTC (rev 3491)
+++ branches/SAMBA_3_0/source/libads/kerberos.c 2004-11-02 21:28:14 UTC (rev 3492)
@@ -362,8 +362,8 @@
}
if ((err = krb5_get_credentials(ctx, 0, ccache, &creds, &new_creds))) {
- DEBUG(5,("get_service_ticket: krb5_get_credentials for %s failed: %s\n",
- service_s, error_message(err)));
+ DEBUG(5,("get_service_ticket: krb5_get_credentials for %s enctype %d failed: %s\n",
+ service_s, enctype, error_message(err)));
goto out;
}
@@ -602,24 +602,13 @@
Go through all the possible enctypes for this principal.
************************************************************************/
- void kerberos_derive_salting_principal(krb5_context context,
+static void kerberos_derive_salting_principal_direct(krb5_context context,
krb5_ccache ccache,
krb5_enctype *enctypes,
char *service_principal)
{
int i;
- BOOL free_ccache = False;
- if (ccache == NULL) {
- krb5_error_code ret;
- if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
- DEBUG(0, ("kerberos_derive_salting_principal: krb5_cc_resolve for %s failed: %s\n",
- LIBADS_CCACHE_NAME, error_message(ret)));
- return;
- }
- free_ccache = True;
- }
-
/* Try for each enctype separately, because the rules are
* different for different enctypes. */
for (i = 0; enctypes[i] != 0; i++) {
@@ -640,10 +629,49 @@
enctypes[i],
enctypes);
}
+}
- if (free_ccache && ccache) {
- krb5_cc_close(context, ccache);
+/************************************************************************
+ Wrapper function for the above.
+ ************************************************************************/
+
+void kerberos_derive_salting_principal(char *service_principal)
+{
+ krb5_context context = NULL;
+ krb5_enctype *enctypes = NULL;
+ krb5_ccache ccache = NULL;
+ krb5_error_code ret = 0;
+
+ initialize_krb5_error_table();
+ if ((ret = krb5_init_context(&context)) != 0) {
+ DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. %s\n",
+ error_message(ret)));
+ return;
}
+ if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) {
+ DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n",
+ error_message(ret)));
+ goto out;
+ }
+
+ if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
+ DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n",
+ LIBADS_CCACHE_NAME, error_message(ret)));
+ goto out;
+ }
+
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service_principal);
+
+ out:
+ if (enctypes) {
+ free_kerberos_etypes(context, enctypes);
+ }
+ if (ccache) {
+ krb5_cc_destroy(context, ccache);
+ }
+ if (context) {
+ krb5_free_context(context);
+ }
}
/************************************************************************
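Review bot: The cleanup at `out:` in the new kerberos_derive_salting_principal() calls `krb5_cc_destroy(context, ccache)`, whereas the code it replaces only called `krb5_cc_close()` on a cache it had resolved itself. Destroy discards the credentials held under LIBADS_CCACHE_NAME rather than just releasing the handle, so if other libads code relies on that cache name, its tickets are gone after each call. That may be deliberate, to drop the tickets fetched while probing, but the hunk does not say so; a comment such as `/* destroy on purpose: discard tickets fetched while probing salts */`, or a return to `krb5_cc_close`, would settle it. The DEBUG prefixes in the wrapper also name other functions (`kerberos_derive_cifs_salting_principals:` and `get_service_ticket:`), which misdirects anyone reading the logs; they should read `kerberos_derive_salting_principal:`.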
@@ -681,38 +709,38 @@
if (asprintf(&service, "%s$", global_myname()) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "cifs/%s", global_myname()) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "host/%s", global_myname()) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "cifs/%s.%s", global_myname(), lp_realm()) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "host/%s.%s", global_myname(), lp_realm()) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
name_to_fqdn(my_fqdn, global_myname());
if (asprintf(&service, "cifs/%s", my_fqdn) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
if (asprintf(&service, "host/%s", my_fqdn) != -1) {
strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
SAFE_FREE(service);
}
Modified: branches/SAMBA_3_0/source/libads/kerberos_keytab.c
===================================================================
--- branches/SAMBA_3_0/source/libads/kerberos_keytab.c 2004-11-02 21:28:07 UTC (rev 3491)
+++ branches/SAMBA_3_0/source/libads/kerberos_keytab.c 2004-11-02 21:28:14 UTC (rev 3492)
@@ -128,7 +128,7 @@
}
/* Guess at how the KDC is salting keys for this principal. */
- kerberos_derive_salting_principal(context, NULL, enctypes, princ_s);
+ kerberos_derive_salting_principal(princ_s);
ret = krb5_parse_name(context, princ_s, &princ);
if (ret) {
Modified: branches/SAMBA_3_0/source/utils/net_ads.c
===================================================================
--- branches/SAMBA_3_0/source/utils/net_ads.c 2004-11-02 21:28:07 UTC (rev 3491)
+++ branches/SAMBA_3_0/source/utils/net_ads.c 2004-11-02 21:28:14 UTC (rev 3492)
@@ -823,6 +823,20 @@
return -1;
}
+#ifdef HAVE_KRB5
+ if (!kerberos_derive_salting_principal(machine_account)) {
+ DEBUG(1,("Failed to determine salting principal\n"));
+ ads_destroy(&ads);
+ return -1;
+ }
+
+ if (!kerberos_derive_cifs_salting_principals()) {
+ DEBUG(1,("Failed to determine salting principals\n"));
+ ads_destroy(&ads);
+ return -1;
+ }
+#endif
+
if (!secrets_store_domain_sid(short_domain_name, &dom_sid)) {
DEBUG(1,("Failed to save domain sid\n"));
ads_destroy(&ads);
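Review bot: `if (!kerberos_derive_salting_principal(machine_account))` tests the result of a function that the kerberos.c section of this same commit declares as `void kerberos_derive_salting_principal(char *service_principal)`, so the check has no value to test and should not compile as written. The wrapper returns silently when krb5_init_context, get_kerberos_allowed_etypes or krb5_cc_resolve fails, so it should become `BOOL kerberos_derive_salting_principal(char *service_principal)`, returning False on those paths and True after the `_direct` call. The kerberos_keytab.c hunk ignores the outcome and carries on to `krb5_parse_name`, so a failed salt derivation there shows up only in the debug log. The return type of kerberos_derive_cifs_salting_principals() is not visible in this diff and needs the same check. The enclosing function in net_ads.c starts and ends outside the hunk.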