svn commit: samba r7979 - in
branches/SAMBA_4_0/source/auth/kerberos: .
abartlet at samba.org
abartlet at samba.org
Tue Jun 28 09:37:05 GMT 2005
Author: abartlet
Date: 2005-06-28 09:37:04 +0000 (Tue, 28 Jun 2005)
New Revision: 7979
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=7979
Log:
Metze reminded me to try one more combination, and we can now verify
the 'PAC', required for interopability with Active Directory.
This is still a cludge, as it doesn't handle different encryption
types, but that should be fairly easy to fix (needs PIDL/IDL changes).
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c 2005-06-28 08:27:50 UTC (rev 7978)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c 2005-06-28 09:37:04 UTC (rev 7979)
@@ -42,7 +42,6 @@
krb5_error_code ret;
krb5_crypto crypto;
Checksum cksum;
- int i;
cksum.cksumtype = (CKSUMTYPE)sig->type;
cksum.checksum.length = sizeof(sig->signature);
@@ -57,30 +56,21 @@
DEBUG(0,("krb5_crypto_init() failed\n"));
return NT_STATUS_FOOBAR;
}
- for (i=0; i < 40; i++) {
- keyusage = i;
- ret = krb5_verify_checksum(smb_krb5_context->krb5_context,
- crypto,
- keyusage,
- pac_data.data,
- pac_data.length,
- &cksum);
- if (!ret) {
- DEBUG(0, ("PAC Verified: keyusage: %d\n", keyusage));
- break;
- } else {
- DEBUG(2, ("PAC Verification failed: %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
- }
+ ret = krb5_verify_checksum(smb_krb5_context->krb5_context,
+ crypto,
+ KRB5_KU_OTHER_CKSUM,
+ pac_data.data,
+ pac_data.length,
+ &cksum);
+ if (ret) {
+ DEBUG(2, ("PAC Verification failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
}
krb5_crypto_destroy(smb_krb5_context->krb5_context, crypto);
if (ret) {
- DEBUG(0,("NOT verifying PAC checksums yet!\n"));
- //return NT_STATUS_LOGON_FAILURE;
- } else {
- DEBUG(0,("PAC checksums verified!\n"));
+ return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
@@ -100,7 +90,6 @@
struct PAC_LOGON_INFO *logon_info = NULL;
struct PAC_DATA pac_data;
DATA_BLOB modified_pac_blob = data_blob_talloc(mem_ctx, blob.data, blob.length);
- DATA_BLOB tmp_blob;
int i;
status = ndr_pull_struct_blob(&blob, mem_ctx, &pac_data,
@@ -109,7 +98,6 @@
DEBUG(0,("can't parse the PAC\n"));
return status;
}
- NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
if (pac_data.num_buffers < 3) {
/* we need logon_ingo, service_key and kdc_key */
@@ -161,17 +149,11 @@
return NT_STATUS_FOOBAR;
}
- memset(&modified_pac_blob.data[modified_pac_blob.length - 48],
- '\0', 48);
+ memset(&modified_pac_blob.data[modified_pac_blob.length - 20],
+ '\0', 16);
+ memset(&modified_pac_blob.data[modified_pac_blob.length - 44],
+ '\0', 16);
- status = ndr_pull_struct_blob(&modified_pac_blob, mem_ctx, &pac_data,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("can't parse the PAC\n"));
- return status;
- }
- NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
-
/* verify by servie_key */
status = kerberos_pac_checksum(mem_ctx,
modified_pac_blob, &srv_sig,
More information about the samba-cvs
mailing list