svn commit: samba r12296 - in trunk/source: libads libsmb rpc_client utils

jra at samba.org jra at samba.org
Fri Dec 16 23:47:40 GMT 2005


Author: jra
Date: 2005-12-16 23:47:39 +0000 (Fri, 16 Dec 2005)
New Revision: 12296

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12296

Log:
Move over kerberos_kinit_password change.
Jeremy.

Modified:
   trunk/source/libads/kerberos.c
   trunk/source/libads/krb5_setpw.c
   trunk/source/libsmb/cliconnect.c
   trunk/source/rpc_client/cli_pipe.c
   trunk/source/utils/ntlm_auth.c


Changeset:
Modified: trunk/source/libads/kerberos.c
===================================================================
--- trunk/source/libads/kerberos.c	2005-12-16 20:19:05 UTC (rev 12295)
+++ trunk/source/libads/kerberos.c	2005-12-16 23:47:39 UTC (rev 12296)
@@ -62,13 +62,17 @@
 				const char *password,
 				int time_offset,
 				time_t *expire_time,
-				const char *cache_name)
+				time_t *renew_till_time,
+				const char *cache_name,
+				BOOL request_pac,
+				time_t renewable_time)
 {
 	krb5_context ctx = NULL;
 	krb5_error_code code = 0;
 	krb5_ccache cc = NULL;
 	krb5_principal me;
 	krb5_creds my_creds;
+	krb5_get_init_creds_opt opt;
 
 	initialize_krb5_error_table();
 	if ((code = krb5_init_context(&ctx)))
@@ -77,9 +81,11 @@
 	if (time_offset != 0) {
 		krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
 	}
-	
-	if ((code = krb5_cc_resolve(ctx, cache_name ?
-			cache_name : krb5_cc_default_name(ctx), &cc))) {
+
+	DEBUG(10,("kerberos_kinit_password: using %s as ccache\n",
+			cache_name ? cache_name: krb5_cc_default_name(ctx)));
+
+	if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
 		krb5_free_context(ctx);
 		return code;
 	}
@@ -88,10 +94,20 @@
 		krb5_free_context(ctx);	
 		return code;
 	}
+
+	krb5_get_init_creds_opt_init(&opt);
+	krb5_get_init_creds_opt_set_renew_life(&opt, renewable_time);
+	krb5_get_init_creds_opt_set_forwardable(&opt, 1);
 	
+	if (request_pac) {
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
+		krb5_get_init_creds_opt_set_pac_request(ctx, &opt, True);
+#endif
+	}
+
 	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password), 
 						 kerb_prompter, 
-						 NULL, 0, NULL, NULL))) {
+						 NULL, 0, NULL, &opt))) {
 		krb5_free_principal(ctx, me);
 		krb5_free_context(ctx);		
 		return code;
@@ -111,10 +127,15 @@
 		krb5_free_context(ctx);		
 		return code;
 	}
-	
-	if (expire_time)
+
+	if (expire_time) {
 		*expire_time = (time_t) my_creds.times.endtime;
+	}
 
+	if (renew_till_time) {
+		*renew_till_time = (time_t) my_creds.times.renew_till;
+	}
+
 	krb5_cc_close(ctx, cc);
 	krb5_free_cred_contents(ctx, &my_creds);
 	krb5_free_principal(ctx, me);
@@ -157,7 +178,7 @@
 	}
 	
 	ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset,
-			&ads->auth.expire, NULL);
+			&ads->auth.expire, NULL, NULL, False, ads->auth.renewable);
 
 	if (ret) {
 		DEBUG(0,("kerberos_kinit_password %s failed: %s\n", 
@@ -349,7 +370,8 @@
 	if (password == NULL) {
 		goto out;
 	}
-	if ((err = kerberos_kinit_password(machine_account, password, 0, NULL, LIBADS_CCACHE_NAME)) != 0) {
+	if ((err = kerberos_kinit_password(machine_account, password, 0, NULL, NULL, 
+					   LIBADS_CCACHE_NAME, False, 0)) != 0) {
 		DEBUG(0,("get_service_ticket: kerberos_kinit_password %s@%s failed: %s\n", 
 			machine_account,
 			lp_realm(),

Modified: trunk/source/libads/krb5_setpw.c
===================================================================
--- trunk/source/libads/krb5_setpw.c	2005-12-16 20:19:05 UTC (rev 12295)
+++ trunk/source/libads/krb5_setpw.c	2005-12-16 23:47:39 UTC (rev 12296)
@@ -24,9 +24,17 @@
 #ifdef HAVE_KRB5
 
 #define DEFAULT_KPASSWD_PORT	464
+
 #define KRB5_KPASSWD_VERS_CHANGEPW		1
+
 #define KRB5_KPASSWD_VERS_SETPW			0xff80
 #define KRB5_KPASSWD_VERS_SETPW_ALT		2
+
+#define KRB5_KPASSWD_SUCCESS			0
+#define KRB5_KPASSWD_MALFORMED			1
+#define KRB5_KPASSWD_HARDERROR			2
+#define KRB5_KPASSWD_AUTHERROR			3
+#define KRB5_KPASSWD_SOFTERROR			4
 #define KRB5_KPASSWD_ACCESSDENIED		5
 #define KRB5_KPASSWD_BAD_VERSION		6
 #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED	7
@@ -213,6 +221,25 @@
         return (0);
 }
 
+krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code) 
+{
+	switch(res_code) {
+		case KRB5_KPASSWD_ACCESSDENIED:
+			return KRB5KDC_ERR_BADOPTION;
+		case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
+			return KRB5KDC_ERR_BADOPTION;
+			/* return KV5M_ALT_METHOD; MIT-only define */
+		case KRB5_KPASSWD_ETYPE_NOSUPP:
+			return KRB5KDC_ERR_ETYPE_NOSUPP;
+		case KRB5_KPASSWD_BAD_PRINCIPAL:
+			return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+		case KRB5_KPASSWD_POLICY_REJECT:
+		case KRB5_KPASSWD_SOFTERROR:
+			return KRB5KDC_ERR_POLICY;
+		default:
+			return KRB5KRB_ERR_GENERIC;
+	}
+}
 static krb5_error_code parse_setpw_reply(krb5_context context, 
 					 krb5_auth_context auth_context,
 					 krb5_data *packet)
@@ -312,23 +339,9 @@
 	else {
 		const char *errstr;
 		setpw_result_code_string(context, res_code, &errstr);
-		DEBUG(1, ("Error changing password: %s\n", errstr));
+		DEBUG(1, ("Error changing password: %s (%d)\n", errstr, res_code));
 
-		switch(res_code) {
-			case KRB5_KPASSWD_ACCESSDENIED:
-				return KRB5KDC_ERR_BADOPTION;
-			case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
-				return KRB5KDC_ERR_BADOPTION;
-				/* return KV5M_ALT_METHOD; MIT-only define */
-			case KRB5_KPASSWD_ETYPE_NOSUPP:
-				return KRB5KDC_ERR_ETYPE_NOSUPP;
-			case KRB5_KPASSWD_BAD_PRINCIPAL:
-				return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
-			case KRB5_KPASSWD_POLICY_REJECT:
-				return KRB5KDC_ERR_POLICY;
-			default:
-				return KRB5KRB_ERR_GENERIC;
-		}
+		return kpasswd_err_to_krb5_err(res_code);
 	}
 }
 
@@ -664,7 +677,7 @@
 {
     int ret;
 
-    if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL, NULL))) {
+    if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL, NULL, NULL, False, 0))) {
 	DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
 	return ADS_ERROR_KRB5(ret);
     }

Modified: trunk/source/libsmb/cliconnect.c
===================================================================
--- trunk/source/libsmb/cliconnect.c	2005-12-16 20:19:05 UTC (rev 12295)
+++ trunk/source/libsmb/cliconnect.c	2005-12-16 23:47:39 UTC (rev 12296)
@@ -756,7 +756,7 @@
 			int ret;
 			
 			use_in_memory_ccache();
-			ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL);
+			ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL, NULL, False, 0);
 			
 			if (ret){
 				SAFE_FREE(principal);

Modified: trunk/source/rpc_client/cli_pipe.c
===================================================================
--- trunk/source/rpc_client/cli_pipe.c	2005-12-16 20:19:05 UTC (rev 12295)
+++ trunk/source/rpc_client/cli_pipe.c	2005-12-16 23:47:39 UTC (rev 12296)
@@ -2699,7 +2699,7 @@
 
 	/* Only get a new TGT if username/password are given. */
 	if (username && password) {
-		int ret = kerberos_kinit_password(username, password, 0, NULL, NULL);
+		int ret = kerberos_kinit_password(username, password, 0, NULL, NULL, NULL, False, 0);
 		if (ret) {
 			cli_rpc_pipe_close(result);
 			return NULL;

Modified: trunk/source/utils/ntlm_auth.c
===================================================================
--- trunk/source/utils/ntlm_auth.c	2005-12-16 20:19:05 UTC (rev 12295)
+++ trunk/source/utils/ntlm_auth.c	2005-12-16 23:47:39 UTC (rev 12296)
@@ -1191,7 +1191,7 @@
 		pstr_sprintf(user, "%s@%s", opt_username, opt_domain);
 
 		if ((retval = kerberos_kinit_password(user, opt_password, 
-						      0, NULL, NULL))) {
+						      0, NULL, NULL, NULL, False, 0))) {
 			DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval)));
 			return False;
 		}



More information about the samba-cvs mailing list