svn commit: samba r7989 - in
branches/SAMBA_4_0/source/auth/kerberos: .
abartlet at samba.org
abartlet at samba.org
Wed Jun 29 03:01:36 GMT 2005
Author: abartlet
Date: 2005-06-29 03:01:35 +0000 (Wed, 29 Jun 2005)
New Revision: 7989
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=7989
Log:
Allow the use of hashed passwords in the kerberos client and server,
and create the in-memory keytab with the correct kvno, if available.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/auth/kerberos/kerberos.c
branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c
Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos.c
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos.c 2005-06-29 02:28:57 UTC (rev 7988)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos.c 2005-06-29 03:01:35 UTC (rev 7989)
@@ -64,7 +64,61 @@
/*
simulate a kinit, putting the tgt in the given credentials cache.
Orignally by remus at snapserver.com
+
+ This version is built to use a keyblock, rather than needing the
+ original password.
*/
+ int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
+ const char *principal, krb5_keyblock *keyblock,
+ time_t *expire_time, time_t *kdc_time)
+{
+ krb5_error_code code = 0;
+ krb5_principal me;
+ krb5_creds my_creds;
+ krb5_get_init_creds_opt options;
+
+ if ((code = krb5_parse_name(ctx, principal, &me))) {
+ return code;
+ }
+
+ krb5_get_init_creds_opt_init(&options);
+
+ if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, me, keyblock,
+ 0, NULL, &options))) {
+ krb5_free_principal(ctx, me);
+ return code;
+ }
+
+ if ((code = krb5_cc_initialize(ctx, cc, me))) {
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+ return code;
+ }
+
+ if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+ return code;
+ }
+
+ if (expire_time) {
+ *expire_time = (time_t) my_creds.times.endtime;
+ }
+
+ if (kdc_time) {
+ *kdc_time = (time_t) my_creds.times.starttime;
+ }
+
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+
+ return 0;
+}
+
+/*
+ simulate a kinit, putting the tgt in the given credentials cache.
+ Orignally by remus at snapserver.com
+*/
int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
const char *principal, const char *password,
time_t *expire_time, time_t *kdc_time)
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c 2005-06-29 02:28:57 UTC (rev 7988)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c 2005-06-29 03:01:35 UTC (rev 7989)
@@ -3,7 +3,7 @@
Kerberos utility functions for GENSEC
- Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004-2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -149,10 +149,34 @@
mem_ctx->ccache = *ccache;
talloc_set_destructor(mem_ctx, free_ccache);
- ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache,
- cli_credentials_get_principal(credentials, mem_ctx),
- password, NULL, &kdc_time);
-
+
+ if (password) {
+ ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache,
+ cli_credentials_get_principal(credentials, mem_ctx),
+ password, NULL, &kdc_time);
+ } else {
+ /* No password available, try to use a keyblock instead */
+
+ krb5_keyblock keyblock;
+ const struct samr_Password *mach_pwd;
+ mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx);
+ if (!mach_pwd) {
+ talloc_free(mem_ctx);
+ DEBUG(1, ("kinit_to_ccache: No password available for kinit\n"));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
+ ENCTYPE_ARCFOUR_HMAC,
+ mach_pwd->hash, sizeof(mach_pwd->hash),
+ &keyblock);
+
+ if (ret == 0) {
+ ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, *ccache,
+ cli_credentials_get_principal(credentials, mem_ctx),
+ &keyblock, NULL, &kdc_time);
+ }
+ }
+
/* cope with ticket being in the future due to clock skew */
if ((unsigned)kdc_time > time(NULL)) {
time_t t = time(NULL);
@@ -206,17 +230,6 @@
return NT_STATUS_NO_MEMORY;
}
- password_s = talloc_strdup(mem_ctx, cli_credentials_get_password(machine_account));
- if (!password_s) {
- DEBUG(1, ("create_memory_keytab: Could not obtain password for our local machine account!\n"));
- talloc_free(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
- password.data = password_s;
- password.length = strlen(password_s);
-
- /* this string should be unique */
-
ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY_WILDCARD:", keytab);
if (ret) {
DEBUG(1,("failed to generate a new krb5 keytab: %s\n",
@@ -239,30 +252,81 @@
return NT_STATUS_INTERNAL_ERROR;
}
+ password_s = talloc_strdup(mem_ctx, cli_credentials_get_password(machine_account));
+ if (!password_s) {
+ /* If we don't have the plaintext password, try for
+ * the MD4 password hash */
+
+ krb5_keytab_entry entry;
+ const struct samr_Password *mach_pwd;
+ mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx);
+ if (!mach_pwd) {
+ talloc_free(mem_ctx);
+ DEBUG(1, ("create_memory_keytab: Domain trust informaton for account %s not available\n",
+ cli_credentials_get_principal(machine_account, mem_ctx)));
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+ ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
+ ENCTYPE_ARCFOUR_HMAC,
+ mach_pwd->hash, sizeof(mach_pwd->hash),
+ &entry.keyblock);
+ if (ret) {
+ DEBUG(1, ("create_memory_keytab: krb5_keyblock_init failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx)));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ entry.principal = salt_princ;
+ entry.vno = cli_credentials_get_kvno(machine_account);
+ ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
+ if (ret) {
+ DEBUG(1, ("Failed to add ARCFOUR_HMAC (only) entry for %s to keytab: %s",
+ cli_credentials_get_principal(machine_account, mem_ctx),
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx)));
+ talloc_free(mem_ctx);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
+ return NT_STATUS_OK;
+ }
+
+ /* good, we actually have the real plaintext */
+
ret = get_kerberos_allowed_etypes(smb_krb5_context->krb5_context,
&enctypes);
if (ret) {
DEBUG(1,("create_memory_keytab: getting encrption types failed (%s)\n",
error_message(ret)));
+ talloc_free(mem_ctx);
return NT_STATUS_INTERNAL_ERROR;
}
+ password.data = discard_const_p(char *, password_s);
+ password.length = strlen(password_s);
+
for (i=0; enctypes[i]; i++) {
krb5_keytab_entry entry;
ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context,
salt_princ, &password, &entry.keyblock, enctypes[i]);
if (ret) {
+ talloc_free(mem_ctx);
return NT_STATUS_INTERNAL_ERROR;
}
entry.principal = salt_princ;
- entry.vno = 0 /* replace with real kvno */;
+ entry.vno = cli_credentials_get_kvno(machine_account);
ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
if (ret) {
DEBUG(1, ("Failed to add entry for %s to keytab: %s",
cli_credentials_get_principal(machine_account, mem_ctx),
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
+ talloc_free(mem_ctx);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
return NT_STATUS_INTERNAL_ERROR;
}
@@ -273,3 +337,5 @@
return NT_STATUS_OK;
}
+
+
More information about the samba-cvs
mailing list