svn commit: samba r12296 - in trunk/source: libads libsmb
rpc_client utils
jra at samba.org
jra at samba.org
Fri Dec 16 23:47:40 GMT 2005
Author: jra
Date: 2005-12-16 23:47:39 +0000 (Fri, 16 Dec 2005)
New Revision: 12296
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12296
Log:
Move over kerberos_kinit_password change.
Jeremy.
Modified:
trunk/source/libads/kerberos.c
trunk/source/libads/krb5_setpw.c
trunk/source/libsmb/cliconnect.c
trunk/source/rpc_client/cli_pipe.c
trunk/source/utils/ntlm_auth.c
Changeset:
Modified: trunk/source/libads/kerberos.c
===================================================================
--- trunk/source/libads/kerberos.c 2005-12-16 20:19:05 UTC (rev 12295)
+++ trunk/source/libads/kerberos.c 2005-12-16 23:47:39 UTC (rev 12296)
@@ -62,13 +62,17 @@
const char *password,
int time_offset,
time_t *expire_time,
- const char *cache_name)
+ time_t *renew_till_time,
+ const char *cache_name,
+ BOOL request_pac,
+ time_t renewable_time)
{
krb5_context ctx = NULL;
krb5_error_code code = 0;
krb5_ccache cc = NULL;
krb5_principal me;
krb5_creds my_creds;
+ krb5_get_init_creds_opt opt;
initialize_krb5_error_table();
if ((code = krb5_init_context(&ctx)))
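Review bot: The parameter list grows to eight positional arguments with no comment describing the new ones, and NULL is accepted for `expire_time`, `renew_till_time` and `cache_name` alike, so call sites that read `NULL, NULL, NULL, False, 0` give no cue which slot is which. A header comment above the function should state that `renew_till_time` is an optional out-parameter, that `request_pac` only takes effect when the krb5 library offers the PAC-request option, and what unit `renewable_time` uses and what passing 0 means. The function's name and first parameters are above this hunk and its body continues below it.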
@@ -77,9 +81,11 @@
if (time_offset != 0) {
krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
}
-
- if ((code = krb5_cc_resolve(ctx, cache_name ?
- cache_name : krb5_cc_default_name(ctx), &cc))) {
+
+ DEBUG(10,("kerberos_kinit_password: using %s as ccache\n",
+ cache_name ? cache_name: krb5_cc_default_name(ctx)));
+
+ if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
krb5_free_context(ctx);
return code;
}
@@ -88,10 +94,20 @@
krb5_free_context(ctx);
return code;
}
+
+ krb5_get_init_creds_opt_init(&opt);
+ krb5_get_init_creds_opt_set_renew_life(&opt, renewable_time);
+ krb5_get_init_creds_opt_set_forwardable(&opt, 1);
+ if (request_pac) {
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
+ krb5_get_init_creds_opt_set_pac_request(ctx, &opt, True);
+#endif
+ }
+
if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password),
kerb_prompter,
- NULL, 0, NULL, NULL))) {
+ NULL, 0, NULL, &opt))) {
krb5_free_principal(ctx, me);
krb5_free_context(ctx);
return code;
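Review bot: `krb5_get_init_creds_opt_set_forwardable(&opt, 1)` is applied for every caller, so each TGT obtained through this function is now requested as forwardable, where the previous `NULL` options argument left that choice to the library defaults. Forwardable tickets can be passed on to other services for delegation, so it would be safer to request them only where a caller needs them, or at least to add a comment saying why it is always wanted. In the same block, `request_pac` is silently ignored when `HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST` is not defined, and the return value of `krb5_get_init_creds_opt_set_pac_request` is discarded; an `#else` branch with `DEBUG(3,("kerberos_kinit_password: PAC request not supported by this krb5 library\n"));` would make the first case visible. The enclosing function starts and ends outside the hunk.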
@@ -111,10 +127,15 @@
krb5_free_context(ctx);
return code;
}
-
- if (expire_time)
+
+ if (expire_time) {
*expire_time = (time_t) my_creds.times.endtime;
+ }
+ if (renew_till_time) {
+ *renew_till_time = (time_t) my_creds.times.renew_till;
+ }
+
krb5_cc_close(ctx, cc);
krb5_free_cred_contents(ctx, &my_creds);
krb5_free_principal(ctx, me);
@@ -157,7 +178,7 @@
}
ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset,
- &ads->auth.expire, NULL);
+ &ads->auth.expire, NULL, NULL, False, ads->auth.renewable);
if (ret) {
DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
@@ -349,7 +370,8 @@
if (password == NULL) {
goto out;
}
- if ((err = kerberos_kinit_password(machine_account, password, 0, NULL, LIBADS_CCACHE_NAME)) != 0) {
+ if ((err = kerberos_kinit_password(machine_account, password, 0, NULL, NULL,
+ LIBADS_CCACHE_NAME, False, 0)) != 0) {
DEBUG(0,("get_service_ticket: kerberos_kinit_password %s@%s failed: %s\n",
machine_account,
lp_realm(),
Modified: trunk/source/libads/krb5_setpw.c
===================================================================
--- trunk/source/libads/krb5_setpw.c 2005-12-16 20:19:05 UTC (rev 12295)
+++ trunk/source/libads/krb5_setpw.c 2005-12-16 23:47:39 UTC (rev 12296)
@@ -24,9 +24,17 @@
#ifdef HAVE_KRB5
#define DEFAULT_KPASSWD_PORT 464
+
#define KRB5_KPASSWD_VERS_CHANGEPW 1
+
#define KRB5_KPASSWD_VERS_SETPW 0xff80
#define KRB5_KPASSWD_VERS_SETPW_ALT 2
+
+#define KRB5_KPASSWD_SUCCESS 0
+#define KRB5_KPASSWD_MALFORMED 1
+#define KRB5_KPASSWD_HARDERROR 2
+#define KRB5_KPASSWD_AUTHERROR 3
+#define KRB5_KPASSWD_SOFTERROR 4
#define KRB5_KPASSWD_ACCESSDENIED 5
#define KRB5_KPASSWD_BAD_VERSION 6
#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
@@ -213,6 +221,25 @@
return (0);
}
+krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code)
+{
+ switch(res_code) {
+ case KRB5_KPASSWD_ACCESSDENIED:
+ return KRB5KDC_ERR_BADOPTION;
+ case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
+ return KRB5KDC_ERR_BADOPTION;
+ /* return KV5M_ALT_METHOD; MIT-only define */
+ case KRB5_KPASSWD_ETYPE_NOSUPP:
+ return KRB5KDC_ERR_ETYPE_NOSUPP;
+ case KRB5_KPASSWD_BAD_PRINCIPAL:
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ case KRB5_KPASSWD_POLICY_REJECT:
+ case KRB5_KPASSWD_SOFTERROR:
+ return KRB5KDC_ERR_POLICY;
+ default:
+ return KRB5KRB_ERR_GENERIC;
+ }
+}
static krb5_error_code parse_setpw_reply(krb5_context context,
krb5_auth_context auth_context,
krb5_data *packet)
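Review bot: `kpasswd_err_to_krb5_err` has no `case KRB5_KPASSWD_SUCCESS`, so a result code of 0 falls through to `default` and comes back as `KRB5KRB_ERR_GENERIC`. The function is not `static`, which suggests it is meant for callers beyond this file, and any of them that passes a success code would get an error back. Adding `case KRB5_KPASSWD_SUCCESS: return 0;` would close that. The newly defined `KRB5_KPASSWD_MALFORMED`, `KRB5_KPASSWD_HARDERROR` and `KRB5_KPASSWD_AUTHERROR` also collapse into the generic error, so an authentication failure is indistinguishable from a malformed request; a short comment above the function naming the codes deliberately left to `default` would document that.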
@@ -312,23 +339,9 @@
else {
const char *errstr;
setpw_result_code_string(context, res_code, &errstr);
- DEBUG(1, ("Error changing password: %s\n", errstr));
+ DEBUG(1, ("Error changing password: %s (%d)\n", errstr, res_code));
- switch(res_code) {
- case KRB5_KPASSWD_ACCESSDENIED:
- return KRB5KDC_ERR_BADOPTION;
- case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
- return KRB5KDC_ERR_BADOPTION;
- /* return KV5M_ALT_METHOD; MIT-only define */
- case KRB5_KPASSWD_ETYPE_NOSUPP:
- return KRB5KDC_ERR_ETYPE_NOSUPP;
- case KRB5_KPASSWD_BAD_PRINCIPAL:
- return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
- case KRB5_KPASSWD_POLICY_REJECT:
- return KRB5KDC_ERR_POLICY;
- default:
- return KRB5KRB_ERR_GENERIC;
- }
+ return kpasswd_err_to_krb5_err(res_code);
}
}
@@ -664,7 +677,7 @@
{
int ret;
- if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL, NULL))) {
+ if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL, NULL, NULL, False, 0))) {
DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
Modified: trunk/source/libsmb/cliconnect.c
===================================================================
--- trunk/source/libsmb/cliconnect.c 2005-12-16 20:19:05 UTC (rev 12295)
+++ trunk/source/libsmb/cliconnect.c 2005-12-16 23:47:39 UTC (rev 12296)
@@ -756,7 +756,7 @@
int ret;
use_in_memory_ccache();
- ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL);
+ ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL, NULL, False, 0);
if (ret){
SAFE_FREE(principal);
Modified: trunk/source/rpc_client/cli_pipe.c
===================================================================
--- trunk/source/rpc_client/cli_pipe.c 2005-12-16 20:19:05 UTC (rev 12295)
+++ trunk/source/rpc_client/cli_pipe.c 2005-12-16 23:47:39 UTC (rev 12296)
@@ -2699,7 +2699,7 @@
/* Only get a new TGT if username/password are given. */
if (username && password) {
- int ret = kerberos_kinit_password(username, password, 0, NULL, NULL);
+ int ret = kerberos_kinit_password(username, password, 0, NULL, NULL, NULL, False, 0);
if (ret) {
cli_rpc_pipe_close(result);
return NULL;
Modified: trunk/source/utils/ntlm_auth.c
===================================================================
--- trunk/source/utils/ntlm_auth.c 2005-12-16 20:19:05 UTC (rev 12295)
+++ trunk/source/utils/ntlm_auth.c 2005-12-16 23:47:39 UTC (rev 12296)
@@ -1191,7 +1191,7 @@
pstr_sprintf(user, "%s@%s", opt_username, opt_domain);
if ((retval = kerberos_kinit_password(user, opt_password,
- 0, NULL, NULL))) {
+ 0, NULL, NULL, NULL, False, 0))) {
DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval)));
return False;
}