svn commit: samba r24432 - in branches: SAMBA_3_2/source/libads SAMBA_3_2/source/utils SAMBA_3_2_0/source/libads SAMBA_3_2_0/source/utils

gd at samba.org gd at samba.org
Tue Aug 14 19:47:58 GMT 2007


Author: gd
Date: 2007-08-14 19:47:57 +0000 (Tue, 14 Aug 2007)
New Revision: 24432

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24432

Log:
Expand kerberos_return_pac() so that it can be used in winbindd.

Guenther

Modified:
   branches/SAMBA_3_2/source/libads/authdata.c
   branches/SAMBA_3_2/source/utils/net_ads.c
   branches/SAMBA_3_2_0/source/libads/authdata.c
   branches/SAMBA_3_2_0/source/utils/net_ads.c


Changeset:
Modified: branches/SAMBA_3_2/source/libads/authdata.c
===================================================================
--- branches/SAMBA_3_2/source/libads/authdata.c	2007-08-14 19:45:24 UTC (rev 24431)
+++ branches/SAMBA_3_2/source/libads/authdata.c	2007-08-14 19:47:57 UTC (rev 24432)
@@ -962,6 +962,12 @@
 			     const char *name,
 			     const char *pass,
 			     time_t time_offset,
+			     time_t *expire_time,
+			     time_t *renew_till_time,
+			     const char *cache_name,
+			     BOOL request_pac,
+			     BOOL add_netbios_addr,
+			     time_t renewable_time,
 			     PAC_DATA **pac_ret)
 {
 	krb5_error_code ret;
@@ -982,6 +988,10 @@
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+	if (cache_name) {
+		cc = cache_name;
+	}
+
 	if (!strchr_m(name, '@')) {
 		auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name,
 			lp_realm());
@@ -997,18 +1007,41 @@
 	ret = kerberos_kinit_password_ext(auth_princ,
 					  pass,
 					  time_offset,
-					  NULL,
-					  NULL,
+					  expire_time,
+					  renew_till_time,
 					  cc,
-					  True,
-					  True,
-					  0,
+					  request_pac,
+					  add_netbios_addr,
+					  renewable_time,
 					  &status);
 	if (ret) {
+		DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
+			auth_princ, error_message(ret), ret));
 		/* status already set */
 		goto out;
 	}
 
+	DEBUG(10,("got TGT for %s in %s\n", auth_princ, cc));
+	if (expire_time) {
+		DEBUGADD(10,("\tvalid until: %s (%d)\n",
+			http_timestring(*expire_time),
+			(int)*expire_time));
+	}
+	if (renew_till_time) {
+		DEBUGADD(10,("\trenewable till: %s (%d)\n",
+			http_timestring(*renew_till_time),
+			(int)*renew_till_time));
+	}
+
+	/* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
+	 * in that case fallback to NTLM - gd */
+
+	if (expire_time && renew_till_time &&
+	    (*expire_time == 0) && (*renew_till_time == 0)) {
+		return NT_STATUS_INVALID_LOGON_TYPE;
+	}
+
+
 	ret = cli_krb5_get_ticket(local_service,
 				  time_offset,
 				  &tkt,
@@ -1017,6 +1050,8 @@
 				  cc,
 				  NULL);
 	if (ret) {
+		DEBUG(1,("failed to get ticket for %s: %s\n",
+			local_service, error_message(ret)));
 		status = krb5_to_nt_status(ret);
 		goto out;
 	}
@@ -1031,10 +1066,13 @@
 				   &sesskey2,
 				   False);
 	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(1,("ads_verify_ticket failed: %s\n",
+			nt_errstr(status)));
 		goto out;
 	}
 
 	if (!pac_data) {
+		DEBUG(1,("no PAC\n"));
 		status = NT_STATUS_INVALID_PARAMETER;
 		goto out;
 	}
@@ -1042,7 +1080,9 @@
 	*pac_ret = pac_data;
 
 out:
-	ads_kdestroy(cc);
+	if (cc != cache_name) {
+		ads_kdestroy(cc);
+	}
 
 	data_blob_free(&tkt);
 	data_blob_free(&ap_rep);
@@ -1061,6 +1101,12 @@
 					       const char *name,
 					       const char *pass,
 					       time_t time_offset,
+					       time_t *expire_time,
+					       time_t *renew_till_time,
+					       const char *cache_name,
+					       BOOL request_pac,
+					       BOOL add_netbios_addr,
+					       time_t renewable_time,
 					       PAC_LOGON_INFO **logon_info)
 {
 	NTSTATUS status;
@@ -1071,17 +1117,25 @@
 				     name,
 				     pass,
 				     time_offset,
+				     expire_time,
+				     renew_till_time,
+				     cache_name,
+				     request_pac,
+				     add_netbios_addr,
+				     renewable_time,
 				     &pac_data);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
 	if (!pac_data) {
+		DEBUG(3,("no pac\n"));
 		return NT_STATUS_INVALID_USER_BUFFER;
 	}
 
 	info = get_logon_info_from_pac(pac_data);
 	if (!info) {
+		DEBUG(1,("no logon_info\n"));
 		return NT_STATUS_INVALID_USER_BUFFER;
 	}
 
@@ -1097,6 +1151,12 @@
 					const char *name,
 					const char *pass,
 					time_t time_offset,
+					time_t *expire_time,
+					time_t *renew_till_time,
+					const char *cache_name,
+					BOOL request_pac,
+					BOOL add_netbios_addr,
+					time_t renewable_time,
 					NET_USER_INFO_3 **info3)
 {
 	NTSTATUS status;
@@ -1106,6 +1166,12 @@
 						name,
 						pass,
 						time_offset,
+						expire_time,
+						renew_till_time,
+						cache_name,
+						request_pac,
+						add_netbios_addr,
+						renewable_time,
 						&logon_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;

Modified: branches/SAMBA_3_2/source/utils/net_ads.c
===================================================================
--- branches/SAMBA_3_2/source/utils/net_ads.c	2007-08-14 19:45:24 UTC (rev 24431)
+++ branches/SAMBA_3_2/source/utils/net_ads.c	2007-08-14 19:47:57 UTC (rev 24432)
@@ -2547,7 +2547,14 @@
 	status = kerberos_return_pac(mem_ctx,
 				     opt_user_name,
 				     opt_password,
-				     0, &pac);
+			     	     0,
+				     NULL,
+				     NULL,
+				     NULL,
+				     True,
+				     True,
+				     2592000, /* one month */
+				     &pac);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("failed to query kerberos PAC: %s\n",
 			nt_errstr(status));
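Review bot: The new `2592000, /* one month */` argument is a magic number carried only by its comment; expressing it as `30*24*60*60` or a named constant (e.g. `#define NET_ADS_KERBEROS_RENEWABLE_TIME (30*24*60*60)` near the top of the file) would make the intent self-checking and reusable by the winbindd caller the log message mentions. The `0,` line in the same call also mixes spaces and tabs and is misaligned relative to the other arguments, which the rest of the argument list keeps consistent. Both points apply equally to the SAMBA_3_2_0 copy of this hunk. The enclosing function starts and ends outside the hunk.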

Modified: branches/SAMBA_3_2_0/source/libads/authdata.c
===================================================================
--- branches/SAMBA_3_2_0/source/libads/authdata.c	2007-08-14 19:45:24 UTC (rev 24431)
+++ branches/SAMBA_3_2_0/source/libads/authdata.c	2007-08-14 19:47:57 UTC (rev 24432)
@@ -962,6 +962,12 @@
 			     const char *name,
 			     const char *pass,
 			     time_t time_offset,
+			     time_t *expire_time,
+			     time_t *renew_till_time,
+			     const char *cache_name,
+			     BOOL request_pac,
+			     BOOL add_netbios_addr,
+			     time_t renewable_time,
 			     PAC_DATA **pac_ret)
 {
 	krb5_error_code ret;
@@ -982,6 +988,10 @@
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+	if (cache_name) {
+		cc = cache_name;
+	}
+
 	if (!strchr_m(name, '@')) {
 		auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name,
 			lp_realm());
@@ -997,18 +1007,41 @@
 	ret = kerberos_kinit_password_ext(auth_princ,
 					  pass,
 					  time_offset,
-					  NULL,
-					  NULL,
+					  expire_time,
+					  renew_till_time,
 					  cc,
-					  True,
-					  True,
-					  0,
+					  request_pac,
+					  add_netbios_addr,
+					  renewable_time,
 					  &status);
 	if (ret) {
+		DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
+			auth_princ, error_message(ret), ret));
 		/* status already set */
 		goto out;
 	}
 
+	DEBUG(10,("got TGT for %s in %s\n", auth_princ, cc));
+	if (expire_time) {
+		DEBUGADD(10,("\tvalid until: %s (%d)\n",
+			http_timestring(*expire_time),
+			(int)*expire_time));
+	}
+	if (renew_till_time) {
+		DEBUGADD(10,("\trenewable till: %s (%d)\n",
+			http_timestring(*renew_till_time),
+			(int)*renew_till_time));
+	}
+
+	/* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
+	 * in that case fallback to NTLM - gd */
+
+	if (expire_time && renew_till_time &&
+	    (*expire_time == 0) && (*renew_till_time == 0)) {
+		return NT_STATUS_INVALID_LOGON_TYPE;
+	}
+
+
 	ret = cli_krb5_get_ticket(local_service,
 				  time_offset,
 				  &tkt,
@@ -1017,6 +1050,8 @@
 				  cc,
 				  NULL);
 	if (ret) {
+		DEBUG(1,("failed to get ticket for %s: %s\n",
+			local_service, error_message(ret)));
 		status = krb5_to_nt_status(ret);
 		goto out;
 	}
@@ -1031,10 +1066,13 @@
 				   &sesskey2,
 				   False);
 	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(1,("ads_verify_ticket failed: %s\n",
+			nt_errstr(status)));
 		goto out;
 	}
 
 	if (!pac_data) {
+		DEBUG(1,("no PAC\n"));
 		status = NT_STATUS_INVALID_PARAMETER;
 		goto out;
 	}
@@ -1042,7 +1080,9 @@
 	*pac_ret = pac_data;
 
 out:
-	ads_kdestroy(cc);
+	if (cc != cache_name) {
+		ads_kdestroy(cc);
+	}
 
 	data_blob_free(&tkt);
 	data_blob_free(&ap_rep);
@@ -1061,6 +1101,12 @@
 					       const char *name,
 					       const char *pass,
 					       time_t time_offset,
+					       time_t *expire_time,
+					       time_t *renew_till_time,
+					       const char *cache_name,
+					       BOOL request_pac,
+					       BOOL add_netbios_addr,
+					       time_t renewable_time,
 					       PAC_LOGON_INFO **logon_info)
 {
 	NTSTATUS status;
@@ -1071,17 +1117,25 @@
 				     name,
 				     pass,
 				     time_offset,
+				     expire_time,
+				     renew_till_time,
+				     cache_name,
+				     request_pac,
+				     add_netbios_addr,
+				     renewable_time,
 				     &pac_data);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
 	if (!pac_data) {
+		DEBUG(3,("no pac\n"));
 		return NT_STATUS_INVALID_USER_BUFFER;
 	}
 
 	info = get_logon_info_from_pac(pac_data);
 	if (!info) {
+		DEBUG(1,("no logon_info\n"));
 		return NT_STATUS_INVALID_USER_BUFFER;
 	}
 
@@ -1097,6 +1151,12 @@
 					const char *name,
 					const char *pass,
 					time_t time_offset,
+					time_t *expire_time,
+					time_t *renew_till_time,
+					const char *cache_name,
+					BOOL request_pac,
+					BOOL add_netbios_addr,
+					time_t renewable_time,
 					NET_USER_INFO_3 **info3)
 {
 	NTSTATUS status;
@@ -1106,6 +1166,12 @@
 						name,
 						pass,
 						time_offset,
+						expire_time,
+						renew_till_time,
+						cache_name,
+						request_pac,
+						add_netbios_addr,
+						renewable_time,
 						&logon_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;

Modified: branches/SAMBA_3_2_0/source/utils/net_ads.c
===================================================================
--- branches/SAMBA_3_2_0/source/utils/net_ads.c	2007-08-14 19:45:24 UTC (rev 24431)
+++ branches/SAMBA_3_2_0/source/utils/net_ads.c	2007-08-14 19:47:57 UTC (rev 24432)
@@ -2547,7 +2547,14 @@
 	status = kerberos_return_pac(mem_ctx,
 				     opt_user_name,
 				     opt_password,
-				     0, &pac);
+			     	     0,
+				     NULL,
+				     NULL,
+				     NULL,
+				     True,
+				     True,
+				     2592000, /* one month */
+				     &pac);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("failed to query kerberos PAC: %s\n",
 			nt_errstr(status));


