svn commit: samba r6094 - in branches/SAMBA_4_0/source: libads libcli/auth

abartlet at samba.org abartlet at samba.org
Mon Mar 28 06:40:19 GMT 2005


Author: abartlet
Date: 2005-03-28 06:40:18 +0000 (Mon, 28 Mar 2005)
New Revision: 6094

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=6094

Log:
Work on the Kerberos code recently merged from Samba 3.0.  This fixes
up issues I introduced during the merge that caused a segfault.

I've still not got the keytab code to work for me (using Samba3 to
generate the keytab) so this is still not fully tested, but it's
better than it was.

To add debugging, I now use the krb5_get_error_message() function from
Heimdal when present, to return the custom error string, which
contains far, far more information than the simple error code does.

(This last point may well be worth merging back into 3.0)

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/libads/config.m4
   branches/SAMBA_4_0/source/libcli/auth/clikrb5.c
   branches/SAMBA_4_0/source/libcli/auth/kerberos.h
   branches/SAMBA_4_0/source/libcli/auth/kerberos_verify.c


Changeset:
Modified: branches/SAMBA_4_0/source/libads/config.m4
===================================================================
--- branches/SAMBA_4_0/source/libads/config.m4	2005-03-28 03:31:44 UTC (rev 6093)
+++ branches/SAMBA_4_0/source/libads/config.m4	2005-03-28 06:40:18 UTC (rev 6094)
@@ -341,6 +341,8 @@
 	AC_CHECK_FUNC_EXT(krb5_krbhst_get_addrinfo, $KRB5_LIBS)
 	AC_CHECK_FUNC_EXT(krb5_c_enctype_compare, $KRB5_LIBS)
 	AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS)
+	AC_CHECK_FUNC_EXT(krb5_get_error_string, $KRB5_LIBS)
+	AC_CHECK_FUNC_EXT(krb5_free_error_string, $KRB5_LIBS)
 
 	LIBS="$LIBS $KRB5_LIBS"
   

Modified: branches/SAMBA_4_0/source/libcli/auth/clikrb5.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/clikrb5.c	2005-03-28 03:31:44 UTC (rev 6093)
+++ branches/SAMBA_4_0/source/libcli/auth/clikrb5.c	2005-03-28 06:40:18 UTC (rev 6094)
@@ -461,4 +461,18 @@
 #endif
 }
 
+ char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx) 
+{
+	char *ret;
+	
+#if defined(HAVE_KRB5_GET_ERROR_STRING) && defined(HAVE_KRB5_FREE_ERROR_STRING) 	
+	char *context_error = krb5_get_error_string(context);
+	ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
+	krb5_free_error_string(context, context_error);
+#else 
+	ret = talloc_strdup(mem_ctx, error_message(code));
 #endif
+	return ret;
+}
+
+#endif
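Review bot: `krb5_get_error_string()` can return NULL when no error string has been set on the context (that is Heimdal's documented behaviour), and the new `smb_get_krb5_error_message` then hands that NULL to `"%s: %s"` in `talloc_asprintf`, which is undefined behaviour rather than the "(null)" some libcs happen to print; the Heimdal branch should fall back to the plain `error_message(code)` text when the context string is absent. The function also has no header comment; I would add `/* Render a krb5 error code as a talloc'd string on mem_ctx, appending the context's last error string where Heimdal provides one; the caller owns the result via mem_ctx. */`. Minor style: the definition line carries a stray leading space before `char *`, and the `#if` line has trailing whitespace. Note too that the log message names `krb5_get_error_message()` while the configure probe and the call use `krb5_get_error_string()`; presumably the latter is what was meant.
```c
#if defined(HAVE_KRB5_GET_ERROR_STRING) && defined(HAVE_KRB5_FREE_ERROR_STRING)
	/* Heimdal returns NULL when no error string has been set on the context. */
	char *context_error = krb5_get_error_string(context);
	if (context_error) {
		ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
		krb5_free_error_string(context, context_error);
	} else {
		ret = talloc_strdup(mem_ctx, error_message(code));
	}
#else
	/* … unchanged: talloc_strdup(error_message(code)) fallback … */
```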

Modified: branches/SAMBA_4_0/source/libcli/auth/kerberos.h
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/kerberos.h	2005-03-28 03:31:44 UTC (rev 6093)
+++ branches/SAMBA_4_0/source/libcli/auth/kerberos.h	2005-03-28 06:40:18 UTC (rev 6094)
@@ -94,5 +94,6 @@
 BOOL kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
 void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
 krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
+char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
 #endif /* HAVE_KRB5 */
 

Modified: branches/SAMBA_4_0/source/libcli/auth/kerberos_verify.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/kerberos_verify.c	2005-03-28 03:31:44 UTC (rev 6093)
+++ branches/SAMBA_4_0/source/libcli/auth/kerberos_verify.c	2005-03-28 06:40:18 UTC (rev 6094)
@@ -80,7 +80,6 @@
 						krb5_keyblock *keyblock)
 {
 	krb5_error_code ret = 0;
-	krb5_error_code our_ret = 0;
 	krb5_keytab keytab = NULL;
 	krb5_kt_cursor kt_cursor;
 	krb5_keytab_entry kt_entry;
@@ -89,6 +88,7 @@
 	const char *my_name, *my_fqdn;
 	int i;
 	int number_matched_principals = 0;
+	const char *last_error_message;
 
 	/* Generate the list of principal names which we expect
 	 * clients might want to use for authenticating to the file
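Review bot: `last_error_message` is declared without an initializer, and from the later hunks in this file it is only assigned when `krb5_kt_start_seq_get`, `krb5_unparse_name` or `krb5_rd_req` fails; when the keytab iteration matches no principal at all, `ret` stays at `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN` and the `last error:` DEBUG in the hunk at -177,7 appears to read an indeterminate pointer. I would declare it as `const char *last_error_message = NULL;` and print it as `last_error_message ? last_error_message : error_message(ret)` in that DEBUG. The exact control flow around that DEBUG is only partly visible, so whether an unmatched keytab reaches it should be confirmed; the enclosing function ads_keytab_verify_ticket starts before this hunk.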
@@ -111,7 +111,8 @@
 
 	ret = krb5_kt_default(context, &keytab);
 	if (ret) {
-		DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", error_message(ret)));
+		DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", 
+			  smb_get_krb5_error_message(context, ret, mem_ctx)));
 		goto out;
 	}
 
@@ -121,38 +122,44 @@
 
 	ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
 	if (ret) {
-		DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret)));
+		last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+		DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", 
+			  last_error_message));
 		goto out;
 	}
   
 	ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
 	if (ret != KRB5_KT_END && ret != ENOENT ) {
+		ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; /* Pick an error... */
 		while (ret && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
-			ret = krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
-			if (ret) {
-				DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret)));
+			krb5_error_code upn_ret;
+			upn_ret = krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
+			if (upn_ret) {
+				last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+				DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", 
+					  last_error_message));
+				ret = upn_ret;
 				break;
 			}
-			ret = KRB5_BAD_ENCTYPE;
-			for (i = 0; i < sizeof(valid_princ_formats) / sizeof(valid_princ_formats[0]); i++) {
-				if (strequal(entry_princ_s, valid_princ_formats[i])) {
-					number_matched_principals++;
-					p_packet->length = ticket->length;
-					p_packet->data = (krb5_pointer)ticket->data;
-					*pp_tkt = NULL;
-					our_ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt);
-					if (our_ret !=  KRB5_BAD_ENCTYPE) {
-						ret = our_ret;
-					}
-					if (our_ret) {
-						DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n",
-							entry_princ_s, error_message(our_ret)));
-					} else {
-						DEBUG(3,("ads_keytab_verify_ticket: krb5_rd_req succeeded for principal %s\n",
-							entry_princ_s));
-						break;
-					}
+			for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
+				if (!strequal(entry_princ_s, valid_princ_formats[i])) {
+					continue;
 				}
+
+				number_matched_principals++;
+				p_packet->length = ticket->length;
+				p_packet->data = (krb5_pointer)ticket->data;
+				*pp_tkt = NULL;
+				ret = krb5_rd_req(context, &auth_context, p_packet, kt_entry.principal, keytab, NULL, pp_tkt);
+				if (ret) {
+					last_error_message = smb_get_krb5_error_message(context, ret, mem_ctx);
+					DEBUG(10, ("ads_keytab_verify_ticket: krb5_rd_req(%s) failed: %s\n",
+						   entry_princ_s, last_error_message));
+				} else {
+					DEBUG(3,("ads_keytab_verify_ticket: krb5_rd_req succeeded for principal %s\n",
+						 entry_princ_s));
+					break;
+				}
 			}
 
 			/* Free the name we parsed. */
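Review bot: In the `krb5_unparse_name` failure branch the message is built from `ret`, which at that point still holds the placeholder `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN` (or a previous iteration's `krb5_rd_req` result), not the unparse error that was just detected; it should be `last_error_message = smb_get_krb5_error_message(context, upn_ret, mem_ctx);`. Separately, the context lines show `krb5_kt_start_seq_get` being called twice on the same cursor with only the second result inspected; that predates this commit, but the first cursor is never ended and is worth a follow-up. The enclosing function ads_keytab_verify_ticket starts and ends outside this hunk.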
@@ -177,7 +184,7 @@
 			DEBUG(3, ("ads_keytab_verify_ticket: krb5_rd_req failed for all %d matched keytab principals\n",
 				number_matched_principals));
 		}
-		DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", error_message(ret)));
+		DEBUG(3, ("ads_keytab_verify_ticket: last error: %s\n", last_error_message));
 	}
 
 	if (entry_princ_s) {
@@ -304,7 +311,7 @@
 	
 		DEBUG((our_ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
 				("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
-				(unsigned int)enctypes[i], error_message(our_ret)));
+				 (unsigned int)enctypes[i], smb_get_krb5_error_message(context, our_ret, mem_ctx)));
 
 		if (our_ret !=  KRB5_BAD_ENCTYPE) {
 			ret = our_ret;
@@ -355,7 +362,7 @@
 	ret = krb5_parse_name(context, host_princ_s, &host_princ);
 	if (ret) {
 		DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
-					host_princ_s, error_message(ret)));
+			 host_princ_s, error_message(ret)));
 		goto out;
 	}
 
@@ -400,14 +407,14 @@
 
 	if (ret) {
 		DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", 
-			 error_message(ret)));
+			 smb_get_krb5_error_message(context, ret, mem_ctx)));
 		goto out;
 	}
 
 	ret = krb5_mk_rep(context, auth_context, &packet);
 	if (ret) {
 		DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
-			error_message(ret)));
+			 smb_get_krb5_error_message(context, ret, mem_ctx)));
 		goto out;
 	}
 
@@ -434,7 +441,7 @@
 	if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt),
 				     &malloc_principal))) {
 		DEBUG(3,("ads_verify_ticket: krb5_unparse_name failed (%s)\n", 
-			 error_message(ret)));
+			 smb_get_krb5_error_message(context, ret, mem_ctx)));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
 	}


