svn commit: samba r22558 - in branches/SAMBA_4_0/source/auth: credentials kerberos

[abartlet at samba.org]

Author: abartlet
Date: 2007-04-28 16:38:06 +0000 (Sat, 28 Apr 2007)
New Revision: 22558

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=22558

Log:
Move to a static list of enctypes to put into our keytab.  In future,
I'll allow this to be configured from the secrets.ldb, but it should
fix some user issues.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/credentials/credentials_krb5.c
   branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/credentials/credentials_krb5.c
===================================================================
--- branches/SAMBA_4_0/source/auth/credentials/credentials_krb5.c	2007-04-28 15:18:25 UTC (rev 22557)
+++ branches/SAMBA_4_0/source/auth/credentials/credentials_krb5.c	2007-04-28 16:38:06 UTC (rev 22558)
@@ -141,7 +141,10 @@
 		talloc_free(ccc);
 		return ret;
 	}
-	talloc_reference(ccc, ccc->smb_krb5_context);
+	if (!talloc_reference(ccc, ccc->smb_krb5_context)) {
+		talloc_free(ccc);
+		return ENOMEM;
+	}
 
 	if (name) {
 		ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, name, &ccc->ccache);
@@ -218,7 +221,10 @@
 		talloc_free(ccc);
 		return ret;
 	}
-	talloc_reference(ccc, ccc->smb_krb5_context);
+	if (!talloc_reference(ccc, ccc->smb_krb5_context)) {
+		talloc_free(ccc);
+		return ENOMEM;
+	}
 
 	ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, ccache_name, &ccc->ccache);
 	if (ret) {
@@ -394,6 +400,7 @@
 	krb5_error_code ret;
 	struct keytab_container *ktc;
 	struct smb_krb5_context *smb_krb5_context;
+	const char **enctype_strings;
 	TALLOC_CTX *mem_ctx;
 
 	if (cred->keytab_obtained >= (MAX(cred->principal_obtained, 
@@ -416,7 +423,11 @@
 		return ENOMEM;
 	}
 
-	ret = smb_krb5_create_memory_keytab(mem_ctx, cred, smb_krb5_context, &ktc);
+	enctype_strings = cli_credentials_get_enctype_strings(cred);
+	
+	ret = smb_krb5_create_memory_keytab(mem_ctx, cred, 
+					    smb_krb5_context, 
+					    enctype_strings, &ktc);
 	if (ret) {
 		talloc_free(mem_ctx);
 		return ret;
@@ -478,6 +489,7 @@
 	krb5_error_code ret;
 	struct keytab_container *ktc;
 	struct smb_krb5_context *smb_krb5_context;
+	const char **enctype_strings;
 	TALLOC_CTX *mem_ctx;
 	
 	mem_ctx = talloc_new(cred);
@@ -491,13 +503,15 @@
 		return ret;
 	}
 
+	enctype_strings = cli_credentials_get_enctype_strings(cred);
+	
 	ret = cli_credentials_get_keytab(cred, &ktc);
 	if (ret != 0) {
 		talloc_free(mem_ctx);
 		return ret;
 	}
 
-	ret = smb_krb5_update_keytab(mem_ctx, cred, smb_krb5_context, ktc);
+	ret = smb_krb5_update_keytab(mem_ctx, cred, smb_krb5_context, enctype_strings, ktc);
 
 	talloc_free(mem_ctx);
 	return ret;
@@ -594,6 +608,22 @@
 	return cred->kvno;
 }
 
+
+const char **cli_credentials_get_enctype_strings(struct cli_credentials *cred) 
+{
+	/* If this is ever made user-configurable, we need to add code
+	 * to remove/hide the other entries from the generated
+	 * keytab */
+	static const char *default_enctypes[] = {
+		"des-cbc-md5",
+		"aes256-cts-hmac-sha1-96",
+		"des3-cbc-sha1",
+		"arcfour-hmac-md5",
+		NULL
+	};
+	return default_enctypes;
+}
+
 const char *cli_credentials_get_salt_principal(struct cli_credentials *cred) 
 {
 	return cred->salt_principal;

Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c	2007-04-28 15:18:25 UTC (rev 22557)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c	2007-04-28 16:38:06 UTC (rev 22558)
@@ -273,17 +273,6 @@
 	return 0;
 }
 
-struct enctypes_container {
-	struct smb_krb5_context *smb_krb5_context;
-	krb5_enctype *enctypes;
-};
-
-static int free_enctypes(struct enctypes_container *etc)
-{
-	free_kerberos_etypes(etc->smb_krb5_context->krb5_context, etc->enctypes);
-	return 0;
-}
-
 static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
 				       const char *princ_string,
 				       krb5_principal princ,
@@ -291,45 +280,34 @@
 				       int kvno,
 				       const char *password_s,
 				       struct smb_krb5_context *smb_krb5_context,
+				       const char **enctype_strings,
 				       krb5_keytab keytab)
 {
 	int i;
 	krb5_error_code ret;
-	krb5_enctype *enctypes;
-	char *enctype_string;
-	struct enctypes_container *etc;
 	krb5_data password;
 	TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 	if (!mem_ctx) {
 		return ENOMEM;
 	}
 
-	etc = talloc(mem_ctx, struct enctypes_container);
-	if (!etc) {
-		talloc_free(mem_ctx);
-		return ENOMEM;
-	}
-	ret = get_kerberos_allowed_etypes(smb_krb5_context->krb5_context, 
-					  &enctypes);
-	if (ret != 0) {
-		DEBUG(1,("keytab_add_keys: getting encrption types failed (%s)\n",
-			 error_message(ret)));
-		talloc_free(mem_ctx);
-		return ret;
-	}
-
-	etc->smb_krb5_context = talloc_reference(etc, smb_krb5_context);
-	etc->enctypes = enctypes;
-
-	talloc_set_destructor(etc, free_enctypes);
-
 	password.data = discard_const_p(char *, password_s);
 	password.length = strlen(password_s);
 
-	for (i=0; enctypes[i]; i++) {
+	for (i=0; enctype_strings[i]; i++) {
 		krb5_keytab_entry entry;
+		krb5_enctype enctype;
+		ret = krb5_string_to_enctype(smb_krb5_context->krb5_context, enctype_strings[i], &enctype);
+		if (ret != 0) {
+			DEBUG(1, ("Failed to interpret %s as a krb5 encryption type: %s\n",				  
+				  enctype_strings[i],
+				  smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+							     ret, mem_ctx)));
+			talloc_free(mem_ctx);
+			return ret;
+		}
 		ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context, 
-						      salt_princ, &password, &entry.keyblock, enctypes[i]);
+						      salt_princ, &password, &entry.keyblock, enctype);
 		if (ret != 0) {
 			talloc_free(mem_ctx);
 			return ret;
@@ -338,25 +316,21 @@
                 entry.principal = princ;
                 entry.vno       = kvno;
 		ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
-		enctype_string = NULL;
-		krb5_enctype_to_string(smb_krb5_context->krb5_context, enctypes[i], &enctype_string);
 		if (ret != 0) {
 			DEBUG(1, ("Failed to add %s entry for %s(kvno %d) to keytab: %s\n",
-				  enctype_string,
+				  enctype_strings[i],
 				  princ_string,
 				  kvno,
 				  smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
 							     ret, mem_ctx)));
 			talloc_free(mem_ctx);
-			free(enctype_string);		
 			krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 			return ret;
 		}
 
 		DEBUG(5, ("Added %s(kvno %d) to keytab (%s)\n", 
 			  princ_string, kvno,
-			  enctype_string));
-		free(enctype_string);		
+			  enctype_strings[i]));
 		
 		krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 	}
@@ -367,12 +341,12 @@
 static int create_keytab(TALLOC_CTX *parent_ctx,
 			 struct cli_credentials *machine_account,
 			 struct smb_krb5_context *smb_krb5_context,
+			 const char **enctype_strings,
 			 krb5_keytab keytab,
 			 BOOL add_old) 
 {
 	krb5_error_code ret;
 	const char *password_s;
-	char *enctype_string;
 	const char *old_secret;
 	int kvno;
 	krb5_principal salt_princ;
@@ -410,11 +384,18 @@
 	/* Finally, do the dance to get the password to put in the entry */
 	password_s = cli_credentials_get_password(machine_account);
 	if (!password_s) {
-		/* If we don't have the plaintext password, try for
-		 * the MD4 password hash */
-
 		krb5_keytab_entry entry;
 		const struct samr_Password *mach_pwd;
+
+		if (!str_list_check(enctype_strings, "arcfour-hmac-md5")) {
+			DEBUG(1, ("Asked to create keytab, but with only an NT hash supplied, "
+				  "but not listing arcfour-hmac-md5 as an enc type to include in the keytab!\n"));
+			talloc_free(mem_ctx);
+			return EINVAL;
+		}
+
+		/* If we don't have the plaintext password, try for
+		 * the MD4 password hash */
 		mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx);
 		if (!mach_pwd) {
 			/* OK, nothing to do here */
@@ -446,14 +427,9 @@
 			return ret;
 		}
 		
-		krb5_enctype_to_string(smb_krb5_context->krb5_context, 
-				       ETYPE_ARCFOUR_HMAC_MD5,
-				       &enctype_string);
-		DEBUG(5, ("Added %s(kvno %d) to keytab (%s)\n", 
+		DEBUG(5, ("Added %s(kvno %d) to keytab (arcfour-hmac-md5)\n", 
 			  cli_credentials_get_principal(machine_account, mem_ctx),
-			  cli_credentials_get_kvno(machine_account),
-			  enctype_string));
-		free(enctype_string);		
+			  cli_credentials_get_kvno(machine_account)));
 
 		krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 
@@ -465,7 +441,8 @@
 	kvno = cli_credentials_get_kvno(machine_account);
 	/* good, we actually have the real plaintext */
 	ret = keytab_add_keys(mem_ctx, princ_string, princ, salt_princ, 
-			      kvno, password_s, smb_krb5_context, keytab);
+			      kvno, password_s, smb_krb5_context, 
+			      enctype_strings, keytab);
 	if (!ret) {
 		talloc_free(mem_ctx);
 		return ret;
@@ -483,7 +460,8 @@
 	}
 	
 	ret = keytab_add_keys(mem_ctx, princ_string, princ, salt_princ, 
-			      kvno - 1, old_secret, smb_krb5_context, keytab);
+			      kvno - 1, old_secret, smb_krb5_context, 
+			      enctype_strings, keytab);
 	if (!ret) {
 		talloc_free(mem_ctx);
 		return ret;
@@ -627,6 +605,7 @@
 int smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
 			   struct cli_credentials *machine_account,
 			   struct smb_krb5_context *smb_krb5_context,
+			   const char **enctype_strings,
 			   struct keytab_container *keytab_container) 
 {
 	krb5_error_code ret;
@@ -635,7 +614,7 @@
 	if (!mem_ctx) {
 		return ENOMEM;
 	}
-	
+
 	ret = remove_old_entries(mem_ctx, machine_account, 
 				 smb_krb5_context, keytab_container->keytab, &found_previous);
 	if (ret != 0) {
@@ -648,6 +627,7 @@
 	 * Otherwise, add kvno, and kvno -1 */
 	
 	ret = create_keytab(mem_ctx, machine_account, smb_krb5_context, 
+			    enctype_strings, 
 			    keytab_container->keytab, 
 			    found_previous ? False : True);
 	talloc_free(mem_ctx);
@@ -655,9 +635,10 @@
 }
 
 _PUBLIC_ int smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
-				  struct cli_credentials *machine_account,
-				  struct smb_krb5_context *smb_krb5_context,
-				  struct keytab_container **keytab_container) 
+					   struct cli_credentials *machine_account,
+					   struct smb_krb5_context *smb_krb5_context,
+					   const char **enctype_strings,
+					   struct keytab_container **keytab_container) 
 {
 	krb5_error_code ret;
 	TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
@@ -687,7 +668,7 @@
 		return ret;
 	}
 
-	ret = smb_krb5_update_keytab(mem_ctx, machine_account, smb_krb5_context, *keytab_container);
+	ret = smb_krb5_update_keytab(mem_ctx, machine_account, smb_krb5_context, enctype_strings, *keytab_container);
 	if (ret == 0) {
 		talloc_steal(parent_ctx, *keytab_container);
 	} else {