svn commit: samba r19568 - in branches/SAMBA_4_0/source/auth/kerberos: .

abartlet at samba.org abartlet at samba.org
Mon Nov 6 11:18:32 GMT 2006


Author: abartlet
Date: 2006-11-06 11:18:32 +0000 (Mon, 06 Nov 2006)
New Revision: 19568

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19568

Log:
When we get back a clock-skew error, retry with no skew.  This allows us to
recover from inheriting an invalid skew from a ccache.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
   branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos.h	2006-11-06 10:38:13 UTC (rev 19567)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos.h	2006-11-06 11:18:32 UTC (rev 19568)
@@ -122,10 +122,6 @@
 			  struct cli_credentials *credentials,
 			  struct smb_krb5_context *smb_krb5_context,
 				 krb5_ccache ccache);
-krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, 
-						struct cli_credentials *machine_account, 
-						struct smb_krb5_context *smb_krb5_context,
-						krb5_principal *salt_princ);
 krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, 
 					   struct cli_credentials *credentials, 
 					   struct smb_krb5_context *smb_krb5_context,

Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c	2006-11-06 10:38:13 UTC (rev 19567)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c	2006-11-06 11:18:32 UTC (rev 19568)
@@ -24,7 +24,7 @@
 #include "includes.h"
 #include "system/kerberos.h"
 #include "auth/kerberos/kerberos.h"
-#include "auth/auth.h"
+#include "auth/credentials/credentials.h"
 
 struct principal_container {
 	struct smb_krb5_context *smb_krb5_context;
@@ -39,10 +39,10 @@
 	return 0;
 }
 
-krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, 
-						struct cli_credentials *machine_account, 
-						struct smb_krb5_context *smb_krb5_context,
-						krb5_principal *salt_princ)
+static krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, 
+						       struct cli_credentials *machine_account, 
+						       struct smb_krb5_context *smb_krb5_context,
+						       krb5_principal *salt_princ)
 {
 	krb5_error_code ret;
 	char *machine_username;
@@ -150,7 +150,7 @@
 	const char *password;
 	time_t kdc_time = 0;
 	krb5_principal princ;
-
+	int tries;
 	TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 
 	if (!mem_ctx) {
@@ -164,43 +164,47 @@
 	}
 
 	password = cli_credentials_get_password(credentials);
-	
-	if (password) {
-		ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache, 
-						 princ, 
-						 password, NULL, &kdc_time);
-	} else {
-		/* No password available, try to use a keyblock instead */
 
-		krb5_keyblock keyblock;
-		const struct samr_Password *mach_pwd;
-		mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx);
-		if (!mach_pwd) {
-			talloc_free(mem_ctx);
-			DEBUG(1, ("kinit_to_ccache: No password available for kinit\n"));
-			return EINVAL;
+	tries = 2;
+	while (tries--) {
+		if (password) {
+			ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache, 
+							 princ, 
+							 password, NULL, &kdc_time);
+		} else {
+			/* No password available, try to use a keyblock instead */
+			
+			krb5_keyblock keyblock;
+			const struct samr_Password *mach_pwd;
+			mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx);
+			if (!mach_pwd) {
+				talloc_free(mem_ctx);
+				DEBUG(1, ("kinit_to_ccache: No password available for kinit\n"));
+				return EINVAL;
+			}
+			ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
+						 ETYPE_ARCFOUR_HMAC_MD5,
+						 mach_pwd->hash, sizeof(mach_pwd->hash), 
+						 &keyblock);
+			
+			if (ret == 0) {
+				ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache, 
+								 princ,
+								 &keyblock, NULL, &kdc_time);
+				krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
+			}
 		}
-		ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
-					 ETYPE_ARCFOUR_HMAC_MD5,
-					 mach_pwd->hash, sizeof(mach_pwd->hash), 
-					 &keyblock);
-		
-		if (ret == 0) {
-			ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache, 
-							 princ,
-							 &keyblock, NULL, &kdc_time);
-			krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
+
+		if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
+			/* Perhaps we have been given an invalid skew, so try again without it */
+			time_t t = time(NULL);
+			krb5_set_real_time(smb_krb5_context->krb5_context, t, 0);
+		} else {
+			/* not a skew problem */
+			break;
 		}
 	}
 
-	/* cope with ticket being in the future due to clock skew */
-	if ((unsigned)kdc_time > time(NULL)) {
-		time_t t = time(NULL);
-		int time_offset =(unsigned)kdc_time-t;
-		DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
-		krb5_set_real_time(smb_krb5_context->krb5_context, t + time_offset + 1, 0);
-	}
-	
 	if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
 		DEBUG(1,("kinit for %s failed (%s)\n", 
 			 cli_credentials_get_principal(credentials, mem_ctx), 
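Review bot: The skew-recovery branch resets the context's time offset with `krb5_set_real_time(smb_krb5_context->krb5_context, t, 0)` without any log line, so a failed kinit shows two identical attempts in the debug output with nothing indicating that an inherited offset was discarded between them; add `DEBUG(3, ("kinit for %s returned a clock-skew error, retrying with the time offset reset\n", cli_credentials_get_principal(credentials, mem_ctx)));` before the reset. The reset is applied even when no offset was in effect, which is harmless, but it means a skew error surviving the second pass points at a genuinely wrong local clock rather than a stale ccache offset, and the skew-error DEBUG that follows the loop could say so. The keyblock path re-derives the key from `cli_credentials_get_nt_hash(credentials, mem_ctx)` on each pass; the keyblock contents are freed each time and mem_ctx is released on exit, so this is only a small repeated allocation, but a one-line comment noting that the retry regenerates the keyblock would save the next reader a check. kinit_to_ccache starts before this hunk and continues after it.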
@@ -210,6 +214,14 @@
 		return ret;
 	}
 
+	/* cope with ticket being in the future due to clock skew */
+	if ((unsigned)kdc_time > time(NULL)) {
+		time_t t = time(NULL);
+		int time_offset =(unsigned)kdc_time-t;
+		DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
+		krb5_set_real_time(smb_krb5_context->krb5_context, t + time_offset + 1, 0);
+	}
+	
 	if (ret == KRB5KDC_ERR_PREAUTH_FAILED && cli_credentials_wrong_password(credentials)) {
 		ret = kinit_to_ccache(parent_ctx,
 				      credentials,
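Review bot: The moved block compares `(unsigned)kdc_time > time(NULL)` and then computes `int time_offset = (unsigned)kdc_time-t` from a second `time(NULL)` sample, so the value compared and the value subtracted can differ by a second, and on platforms where time_t is wider than unsigned the cast truncates kdc_time before the comparison; compute both from one sample in time_t, `time_t t = time(NULL); if (kdc_time > t) { time_t time_offset = kdc_time - t;` and print it as `(long)time_offset` with `%ld`. Because the block now sits after the early return on a skew error, the advance only runs when the kinit itself did not report skew; that matches the commit message, but a short comment such as `/* only reached when kinit did not fail with skew */` above it would make the ordering deliberate rather than accidental to the next reader. The enclosing function continues past the end of this hunk.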


