svn commit: samba r10907 - branches/SAMBA_3_0/source/libads branches/SAMBA_3_0/source/libsmb trunk/source/libads trunk/source/libsmb

gd at samba.org gd at samba.org
Tue Oct 11 16:27:07 GMT 2005


Author: gd
Date: 2005-10-11 16:27:05 +0000 (Tue, 11 Oct 2005)
New Revision: 10907

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10907

Log:
Handle the case when we can't verify the PAC signature because the
ticket was encrypted using a DES key (and the Windows KDC still puts
CKSUMTYPE_HMAC_MD5_ARCFOUR in the PAC). 

In that case, return to old behaviour and ignore the PAC.

Thanks to Chengjie Liu <chengjie.liu at datadomain.com>.

Guenther

Modified:
   branches/SAMBA_3_0/source/libads/kerberos_verify.c
   branches/SAMBA_3_0/source/libsmb/clikrb5.c
   trunk/source/libads/kerberos_verify.c
   trunk/source/libsmb/clikrb5.c


Changeset:
Modified: branches/SAMBA_3_0/source/libads/kerberos_verify.c
===================================================================
--- branches/SAMBA_3_0/source/libads/kerberos_verify.c	2005-10-11 16:14:00 UTC (rev 10906)
+++ branches/SAMBA_3_0/source/libads/kerberos_verify.c	2005-10-11 16:27:05 UTC (rev 10907)
@@ -272,6 +272,7 @@
 			   DATA_BLOB *session_key)
 {
 	NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
+	NTSTATUS pac_ret;
 	DATA_BLOB auth_data;
 	krb5_context context = NULL;
 	krb5_auth_context auth_context = NULL;
@@ -400,7 +401,8 @@
 #endif
 
 	/* continue when no PAC is retrieved 
-	   (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set) */
+	   (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set, 
+	   or Kerberos tickets encryped using a DES key) - Guenther */
 
 	got_auth_data = get_auth_data_from_tkt(mem_ctx, &auth_data, tkt);
 	if (!got_auth_data) {
@@ -409,10 +411,10 @@
 
 	if (got_auth_data && pac_data != NULL) {
 
-		sret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
-		if (!NT_STATUS_IS_OK(sret)) {
-			DEBUG(0,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(sret)));
-			goto out;
+		pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
+		if (!NT_STATUS_IS_OK(pac_ret)) {
+			DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
+			*pac_data = NULL;
 		}
 		data_blob_free(&auth_data);
 	}
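Review bot: The new `pac_ret` branch (the `if (!NT_STATUS_IS_OK(pac_ret))` block that replaces `goto out`) discards the PAC for every decode_pac_data failure, not only the DES-key/CKSUMTYPE_HMAC_MD5_ARCFOUR case described in the log, so a PAC whose signature was checked and rejected is treated the same as one that could not be checked. If callers proceed without PAC data when `*pac_data` is NULL (as the UF_NO_AUTH_DATA_REQUIRED comment implies), consider limiting the ignore path to the unverifiable case — for instance by checking that the ticket key's enctype is a DES type before clearing `*pac_data` and keeping `goto out` otherwise. Lowering the message from DEBUG(0) to DEBUG(3) also removes a failed PAC check from the default log level; a rejected signature is worth keeping at a level that is logged by default even when it is tolerated. The same change appears in the trunk copy of kerberos_verify.c below, and the added comment's "encryped" should read "encrypted" in both. ads_verify_ticket starts before and continues after this hunk.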

Modified: branches/SAMBA_3_0/source/libsmb/clikrb5.c
===================================================================
--- branches/SAMBA_3_0/source/libsmb/clikrb5.c	2005-10-11 16:14:00 UTC (rev 10906)
+++ branches/SAMBA_3_0/source/libsmb/clikrb5.c	2005-10-11 16:27:05 UTC (rev 10907)
@@ -689,6 +689,12 @@
 					     &input, 
 					     cksum,
 					     &checksum_valid);
+		if (ret) {
+			DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", 
+				error_message(ret)));
+			return ret;
+		}
+
 		if (!checksum_valid)
 			ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 	}
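Review bot: The added `return ret;` leaves smb_krb5_verify_checksum from inside the block that closes at the `}` after the `checksum_valid` test, and since the function continues past the hunk it may skip cleanup or a final log that follows; if anything is released below, prefer falling through with `ret` set, e.g. `} else if (!checksum_valid) {` in place of the separate `if (!checksum_valid)` so both outcomes reach the common exit. Propagating the library error instead of mapping it to KRB5KRB_AP_ERR_BAD_INTEGRITY is what lets callers tell "could not verify" from "verified and wrong", so that contract deserves a comment on the function, e.g. `/* returns the krb5 library error when verification could not be performed, KRB5KRB_AP_ERR_BAD_INTEGRITY when the checksum was checked and does not match */`. The same hunk appears in the trunk copy of clikrb5.c below.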

Modified: trunk/source/libads/kerberos_verify.c
===================================================================
--- trunk/source/libads/kerberos_verify.c	2005-10-11 16:14:00 UTC (rev 10906)
+++ trunk/source/libads/kerberos_verify.c	2005-10-11 16:27:05 UTC (rev 10907)
@@ -272,6 +272,7 @@
 			   DATA_BLOB *session_key)
 {
 	NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
+	NTSTATUS pac_ret;
 	DATA_BLOB auth_data;
 	krb5_context context = NULL;
 	krb5_auth_context auth_context = NULL;
@@ -400,7 +401,8 @@
 #endif
 
 	/* continue when no PAC is retrieved 
-	   (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set) */
+	   (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set, 
+	   or Kerberos tickets encryped using a DES key) - Guenther */
 
 	got_auth_data = get_auth_data_from_tkt(mem_ctx, &auth_data, tkt);
 	if (!got_auth_data) {
@@ -409,10 +411,10 @@
 
 	if (got_auth_data && pac_data != NULL) {
 
-		sret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
-		if (!NT_STATUS_IS_OK(sret)) {
-			DEBUG(0,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(sret)));
-			goto out;
+		pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
+		if (!NT_STATUS_IS_OK(pac_ret)) {
+			DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
+			*pac_data = NULL;
 		}
 		data_blob_free(&auth_data);
 	}

Modified: trunk/source/libsmb/clikrb5.c
===================================================================
--- trunk/source/libsmb/clikrb5.c	2005-10-11 16:14:00 UTC (rev 10906)
+++ trunk/source/libsmb/clikrb5.c	2005-10-11 16:27:05 UTC (rev 10907)
@@ -689,6 +689,12 @@
 					     &input, 
 					     cksum,
 					     &checksum_valid);
+		if (ret) {
+			DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", 
+				error_message(ret)));
+			return ret;
+		}
+
 		if (!checksum_valid)
 			ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 	}


