[SCM] Samba Shared Repository - branch master updated

Simo Sorce idra at samba.org
Mon Apr 23 18:57:03 MDT 2012


The branch, master has been updated
       via  adbace2 Fix pam_winbind build against newer iniparser library
       via  360c11e Avoid warning about KRB5_DEPRECATE with MIT libs
       via  87c95e4 Cracknames: use krb wrapper functions so it works with MIT
       via  d43c2c0 krb5_samba: Add support for krb5_princ_size when using Heimdal
       via  08c733d Make krb5 wrapper library common so they can be used all over
       via  f7070c9 For now just disable this Heimdal specific stuff in the MIT build
       via  110dad8 Make krb5 context initialization not heimdal specific
       via  090f907 Make sure krb5_principal_get_num_comp is identified as present for Heimdal build
       via  5cae929 waf: rename SAMBA4_INTERNAL_HEIMDAL to SAMBA4_USES_HEIMDAL
       via  4291fdc waf: move krb5 checks to a separate waf file
      from  5b5b696 Fix bug #8882 - Broken processing of %U with vfs_full_audit when force user is set.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit adbace20a24b6ae4fbd6d17b7153833f4ac8c88d
Author: Simo Sorce <idra at samba.org>
Date:   Mon Apr 23 17:23:35 2012 -0400

    Fix pam_winbind build against newer iniparser library
    
    iniparser_getstr is deprecated and has been removed in newer libraries
    available in Fedora. Use iniparse_getstring instead.
    
    Autobuild-User: Simo Sorce <idra at samba.org>
    Autobuild-Date: Tue Apr 24 02:56:10 CEST 2012 on sn-devel-104

commit 360c11eaaafb0b74d2cc2e733eea922553407b16
Author: Simo Sorce <idra at samba.org>
Date:   Sun Apr 22 19:05:31 2012 -0400

    Avoid warning about KRB5_DEPRECATE with MIT libs

commit 87c95e49efbcbdbf76e66a240e769f6cb80a40b4
Author: Simo Sorce <idra at samba.org>
Date:   Sat Apr 21 16:55:35 2012 -0400

    Cracknames: use krb wrapper functions so it works with MIT
    
    Also avoid a silly game with directly modifying the principal and
    then calling krb5_principal_unparse_flags to get out a string.
    If we already assume it is a 2 components name and know what outcome we are
    going to get, just go ahead and talloc_asprintf the linearized string.

commit d43c2c094558fcb83aa18358bc724195a9c26001
Author: Simo Sorce <idra at samba.org>
Date:   Sun Apr 22 21:38:29 2012 -0400

    krb5_samba: Add support for krb5_princ_size when using Heimdal

commit 08c733d75fd83fd5e32ced9712d41dd595e0f182
Author: Simo Sorce <idra at samba.org>
Date:   Sat Apr 21 17:26:18 2012 -0400

    Make krb5 wrapper library common so they can be used all over

commit f7070c90b94954835478a09e89a85c03f0f85500
Author: Simo Sorce <idra at samba.org>
Date:   Sat Apr 21 16:35:48 2012 -0400

    For now just disable this Heimdal specific stuff in the MIT build

commit 110dad8c9eb95e6729e589b52ef204d369803bdb
Author: Simo Sorce <idra at samba.org>
Date:   Fri Apr 20 13:14:30 2012 -0400

    Make krb5 context initialization not heimdal specific
    
    Turn the logging data to an opaque pointer.
    Ifdef code and use MIT logging function when built against system MIT.

commit 090f9072da6974b506901547c0091e3e1b8a11cc
Author: Alexander Bokovoy <ab at samba.org>
Date:   Mon Apr 23 15:01:07 2012 +0300

    Make sure krb5_principal_get_num_comp is identified as present for Heimdal build
    
    Common wrappers for MIT / Heimdal use krb5_principal_get_num_comp() to replace krb5_princ_size
    but rely on krb5_principal_get_num_comp() identified by the build. As we know it exists in Heimdal,
    define it for waf build.
    
    Signed-off-by: Simo Sorce <idra at samba.org>

commit 5cae9293d118da8765b301f9872e77993f44ad86
Author: Alexander Bokovoy <ab at samba.org>
Date:   Fri Apr 20 20:22:39 2012 +0300

    waf: rename SAMBA4_INTERNAL_HEIMDAL to SAMBA4_USES_HEIMDAL
    
    SAMBA4_INTERNAL_HEIMDAL is defined unconditionally regardless
    where Heimdal comes from, system-wide or embedded version.
    
    This define is not used anywhere. We'll use it to distinguish
    between Heimdal and MIT Krb5 builds.
    
    Signed-off-by: Simo Sorce <idra at samba.org>

commit 4291fdcf3910b37d7dc7ed3849847fb162b5569b
Author: Alexander Bokovoy <ab at samba.org>
Date:   Fri Apr 20 12:53:11 2012 +0300

    waf: move krb5 checks to a separate waf file
    
    With PROCESS_SEPARATE_RULE in wafsamba it is now possible to simplify
    configuration and checks for MIT/Heimdal Kerberos implementations.
    
    1. Move MIT krb5 checks from source3/wscript to wscript_configure_krb5
    2. Make sure they are called same way (--with-mit-krb5-checks)
    3. If no configure checks identified MIT krb5 in system (or were disabled),
       make sure Heimdal build is selected, embedded (default) or system-provided.
    
    This makes logic of configuration unchanged for Heimdal builds but adds
    less hacky way to use MIT krb5 builds. The latter does not work yet as we
    need to untangle more subsystems from HDB/Heimdal-specific details but
    lays out a foundation for that.
    
    Signed-off-by: Simo Sorce <idra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_krb5.c                |    1 +
 auth/kerberos/gssapi_pac.c                         |   49 +++-
 auth/kerberos/pac_utils.h                          |    8 +-
 auth/kerberos/wscript_build                        |    2 +-
 .../libsmb/clikrb5.c => lib/krb5_wrap/krb5_samba.c |  331 ++++++++++++++-----
 .../krb5_protos.h => lib/krb5_wrap/krb5_samba.h    |  114 ++++++-
 lib/krb5_wrap/wscript_build                        |    7 +
 libcli/auth/krb5_wrap.c                            |  243 --------------
 libcli/auth/krb5_wrap.h                            |   62 ----
 libcli/auth/wscript_build                          |    6 +-
 libcli/smb/smb_seal.c                              |    2 +-
 libcli/smb/wscript_build                           |    2 +-
 nsswitch/pam_winbind.c                             |    8 +-
 source3/Makefile.in                                |    3 +-
 source3/configure.in                               |    1 +
 source3/include/smb_krb5.h                         |   83 +-----
 source3/libads/authdata.c                          |    1 +
 source3/libads/kerberos.c                          |   37 +++-
 source3/libads/kerberos_proto.h                    |   14 +-
 source3/librpc/crypto/gse.c                        |    6 +-
 source3/libsmb/cliconnect.c                        |    3 +-
 source3/utils/ntlm_auth.c                          |    4 +-
 source3/wscript                                    |  180 -----------
 source3/wscript_build                              |   14 +-
 source4/auth/gensec/gensec_gssapi.c                |    4 +
 source4/auth/kerberos/kerberos.h                   |    3 +-
 source4/auth/kerberos/kerberos_util.c              |    6 +
 source4/auth/kerberos/krb5_init_context.c          |   77 ++++--
 source4/auth/kerberos/krb5_init_context.h          |   12 +-
 source4/auth/kerberos/wscript_build                |   11 +-
 source4/dsdb/samdb/cracknames.c                    |   54 ++--
 source4/dsdb/wscript_build                         |    2 +-
 source4/heimdal_build/wscript_configure            |    3 +-
 source4/kdc/kdc.c                                  |    2 +-
 wscript                                            |    9 +-
 wscript_build                                      |   19 +-
 wscript_build_embedded_heimdal                     |    1 +
 wscript_build_system_heimdal                       |    1 +
 wscript_configure_krb5                             |  187 +++++++++++
 39 files changed, 805 insertions(+), 767 deletions(-)
 rename source3/libsmb/clikrb5.c => lib/krb5_wrap/krb5_samba.c (84%)
 rename source3/include/krb5_protos.h => lib/krb5_wrap/krb5_samba.h (64%)
 create mode 100755 lib/krb5_wrap/wscript_build
 delete mode 100644 libcli/auth/krb5_wrap.c
 delete mode 100644 libcli/auth/krb5_wrap.h
 mode change 100644 => 100755 libcli/auth/wscript_build
 mode change 100644 => 100755 libcli/smb/wscript_build
 mode change 100644 => 100755 source4/dsdb/wscript_build
 mode change 100644 => 100755 wscript_build
 create mode 100644 wscript_configure_krb5


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index c8b685e..480d7c5 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -30,6 +30,7 @@
 #include "auth/kerberos/kerberos_credentials.h"
 #include "auth/kerberos/kerberos_srv_keytab.h"
 #include "auth/kerberos/kerberos_util.h"
+#include "auth/kerberos/pac_utils.h"
 #include "param/param.h"
 
 static void cli_credentials_invalidate_client_gss_creds(
diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index 05065b2..d1a7950 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -21,7 +21,7 @@
 #include "includes.h"
 #ifdef HAVE_KRB5
 
-#include "libcli/auth/krb5_wrap.h"
+#include "lib/krb5_wrap/krb5_samba.h"
 #include "auth/kerberos/pac_utils.h"
 
 #if 0
@@ -271,4 +271,49 @@ NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
-#endif
+
+char *gssapi_error_string(TALLOC_CTX *mem_ctx,
+			  OM_uint32 maj_stat, OM_uint32 min_stat,
+			  const gss_OID mech)
+{
+	OM_uint32 disp_min_stat, disp_maj_stat;
+	gss_buffer_desc maj_error_message;
+	gss_buffer_desc min_error_message;
+	char *maj_error_string, *min_error_string;
+	OM_uint32 msg_ctx = 0;
+
+	char *ret;
+
+	maj_error_message.value = NULL;
+	min_error_message.value = NULL;
+	maj_error_message.length = 0;
+	min_error_message.length = 0;
+
+	disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat,
+					   GSS_C_GSS_CODE, mech,
+					   &msg_ctx, &maj_error_message);
+	disp_maj_stat = gss_display_status(&disp_min_stat, min_stat,
+					   GSS_C_MECH_CODE, mech,
+					   &msg_ctx, &min_error_message);
+
+	maj_error_string = talloc_strndup(mem_ctx,
+					  (char *)maj_error_message.value,
+					  maj_error_message.length);
+
+	min_error_string = talloc_strndup(mem_ctx,
+					  (char *)min_error_message.value,
+					  min_error_message.length);
+
+	ret = talloc_asprintf(mem_ctx, "%s: %s",
+				maj_error_string, min_error_string);
+
+	talloc_free(maj_error_string);
+	talloc_free(min_error_string);
+
+	gss_release_buffer(&disp_min_stat, &maj_error_message);
+	gss_release_buffer(&disp_min_stat, &min_error_message);
+
+	return ret;
+}
+
+#endif /* HAVE_KRB5 */
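
Review bot: In gssapi_error_string() neither gss_display_status() result is checked (both are written to disp_maj_stat and then ignored), and the two talloc_strndup() results are passed to talloc_asprintf(mem_ctx, "%s: %s", ...) without a NULL test. If a display call fails, the corresponding buffer keeps value = NULL and length = 0, talloc_strndup() is handed a NULL source, and a NULL pointer can end up as a "%s" argument. Test GSS_ERROR(disp_maj_stat) after each call and substitute a fixed fallback string, or return NULL, when no message is available. msg_ctx is also carried over from the GSS_C_GSS_CODE call into the GSS_C_MECH_CODE call; reset it to 0 before the second call so the mechanism lookup does not start from a continuation state left by the first.
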
diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h
index 9fe08de..bb95459 100644
--- a/auth/kerberos/pac_utils.h
+++ b/auth/kerberos/pac_utils.h
@@ -21,7 +21,7 @@
 #ifndef _PAC_UTILS_H
 #define _PAC_UTILS_H
 
-#include "libcli/auth/krb5_wrap.h"
+#include "lib/krb5_wrap/krb5_samba.h"
 struct PAC_SIGNATURE_DATA;
 struct PAC_DATA;
 
@@ -47,4 +47,10 @@ NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
 				gss_ctx_id_t gssapi_context,
 				DATA_BLOB *session_key,
 				uint32_t *keytype);
+
+/* not the best place here, need to move to a more generic gssapi
+ * wrapper later */
+char *gssapi_error_string(TALLOC_CTX *mem_ctx,
+			  OM_uint32 maj_stat, OM_uint32 min_stat,
+			  const gss_OID mech);
 #endif /* _PAC_UTILS_H */
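
Review bot: The comment above the new gssapi_error_string() prototype says where the function should eventually live but not what the caller gets back. Document that the string is allocated on mem_ctx, that the caller releases it with talloc_free(), and that the result can be NULL when allocation fails, since callers are likely to pass it straight into a DEBUG() format.
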
diff --git a/auth/kerberos/wscript_build b/auth/kerberos/wscript_build
index f49cc51..97b8879 100755
--- a/auth/kerberos/wscript_build
+++ b/auth/kerberos/wscript_build
@@ -1,4 +1,4 @@
 #!/usr/bin/env python
 bld.SAMBA_SUBSYSTEM('KRB5_PAC',
                     source='gssapi_pac.c kerberos_pac.c',
-                    deps='gssapi_krb5 krb5 ndr-krb5pac com_err')
+                    deps='gssapi_krb5 ndr-krb5pac krb5samba')
diff --git a/source3/libsmb/clikrb5.c b/lib/krb5_wrap/krb5_samba.c
similarity index 84%
rename from source3/libsmb/clikrb5.c
rename to lib/krb5_wrap/krb5_samba.c
index 792400b..4e555b2 100644
--- a/source3/libsmb/clikrb5.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1,30 +1,29 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
    simple kerberos5 routines for active directory
    Copyright (C) Andrew Tridgell 2001
    Copyright (C) Luke Howard 2002-2003
    Copyright (C) Andrew Bartlett <abartlet at samba.org> 2005
    Copyright (C) Guenther Deschner 2005-2009
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "includes.h"
-#include "smb_krb5.h"
-#include "../librpc/gen_ndr/krb5pac.h"
-#include "../lib/util/asn1.h"
-#include "libsmb/nmblib.h"
+#include "krb5_samba.h"
+#include "librpc/gen_ndr/krb5pac.h"
+#include "lib/util/asn1.h"
 
 #ifndef KRB5_AUTHDATA_WIN2K_PAC
 #define KRB5_AUTHDATA_WIN2K_PAC 128
@@ -44,12 +43,17 @@
 /* MIT krb5 1.7beta3 (in Ubuntu Karmic) is missing the prototype,
    but still has the symbol */
 #if !HAVE_DECL_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE
-krb5_error_code krb5_auth_con_set_req_cksumtype(  
+krb5_error_code krb5_auth_con_set_req_cksumtype(
 	krb5_context     context,
-	krb5_auth_context      auth_context,  
+	krb5_auth_context      auth_context,
 	krb5_cksumtype     cksumtype);
 #endif
 
+#if !defined(SMB_MALLOC)
+#undef malloc
+#define SMB_MALLOC(s) malloc((s))
+#endif
+
 #if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
 
 #if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES)
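
Review bot: The SMB_MALLOC fallback does "#undef malloc" at file scope without explanation. When SMB_MALLOC is not defined, that removes any macro includes.h placed on malloc for the whole remainder of krb5_samba.c, not only for the SMB_MALLOC() expansion. Add a comment stating why the #undef is required now that the file is built as a common library, and consider keeping the fallback local to the one allocation that needs it.
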
@@ -102,7 +106,7 @@ krb5_error_code krb5_auth_con_set_req_cksumtype(
 }
 #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
 /* MIT */
- bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr)
+bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr)
 {
 	memset(pkaddr, '\0', sizeof(krb5_address));
 #if defined(HAVE_IPV6) && defined(ADDRTYPE_INET6)
@@ -125,46 +129,61 @@ krb5_error_code krb5_auth_con_set_req_cksumtype(
 #error UNKNOWN_ADDRTYPE
 #endif
 
- int create_kerberos_key_from_string(krb5_context context,
-					krb5_principal host_princ,
-					krb5_data *password,
-					krb5_keyblock *key,
-					krb5_enctype enctype,
-					bool no_salt)
+#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY)
+/* MIT */
+int create_kerberos_key_from_string_direct(krb5_context context,
+						  krb5_principal host_princ,
+						  krb5_data *password,
+						  krb5_keyblock *key,
+						  krb5_enctype enctype)
 {
-	krb5_principal salt_princ = NULL;
-	int ret;
-	/*
-	 * Check if we've determined that the KDC is salting keys for this
-	 * principal/enctype in a non-obvious way.  If it is, try to match
-	 * its behavior.
-	 */
-	if (no_salt) {
-		KRB5_KEY_DATA(key) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length);
-		if (!KRB5_KEY_DATA(key)) {
-			return ENOMEM;
-		}
-		memcpy(KRB5_KEY_DATA(key), password->data, password->length);
-		KRB5_KEY_LENGTH(key) = password->length;
-		KRB5_KEY_TYPE(key) = enctype;
-		return 0;
+	int ret = 0;
+	krb5_data salt;
+
+	ret = krb5_principal2salt(context, host_princ, &salt);
+	if (ret) {
+		DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
+		return ret;
 	}
-	salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
-	ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
-	if (salt_princ) {
-		krb5_free_principal(context, salt_princ);
+	ret = krb5_c_string_to_key(context, enctype, password, &salt, key);
+	SAFE_FREE(salt.data);
+
+	return ret;
+}
+#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
+/* Heimdal */
+int create_kerberos_key_from_string_direct(krb5_context context,
+						  krb5_principal host_princ,
+						  krb5_data *password,
+						  krb5_keyblock *key,
+						  krb5_enctype enctype)
+{
+	int ret;
+	krb5_salt salt;
+
+	ret = krb5_get_pw_salt(context, host_princ, &salt);
+	if (ret) {
+		DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
+		return ret;
 	}
+
+	ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
+	krb5_free_salt(context, salt);
+
 	return ret;
 }
+#else
+#error UNKNOWN_CREATE_KEY_FUNCTIONS
+#endif
 
 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
- krb5_error_code get_kerberos_allowed_etypes(krb5_context context, 
+ krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 					    krb5_enctype **enctypes)
 {
 	return krb5_get_permitted_enctypes(context, enctypes);
 }
 #elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
- krb5_error_code get_kerberos_allowed_etypes(krb5_context context, 
+ krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 					    krb5_enctype **enctypes)
 {
 #ifdef HAVE_KRB5_PDU_NONE_DECL
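
Review bot: In the Heimdal branch of create_kerberos_key_from_string_direct(), "(const char *)password->data" is passed to krb5_string_to_key_salt() as a C string and password->length is ignored. A krb5_data buffer is not guaranteed to be NUL-terminated, so the key derivation can read past the end of the password or stop early at an embedded zero byte. Use krb5_string_to_key_data_salt(), which takes the krb5_data with its length, or assert and document that callers always supply a terminated buffer. In the MIT branch, salt.data comes from krb5_principal2salt() and is released with SAFE_FREE(); the library's own release routine (this patch introduces kerberos_free_data_contents() further down in the same file) is the safer pairing.
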
@@ -186,8 +205,8 @@ krb5_error_code krb5_auth_con_set_req_cksumtype(
 }
 #endif
 
-bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx, 
-			   DATA_BLOB *edata, 
+bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
+			   DATA_BLOB *edata,
 			   DATA_BLOB *edata_out)
 {
 	DATA_BLOB edata_contents;
@@ -195,7 +214,7 @@ bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
 	int edata_type;
 
 	if (!edata->length) {
-		return False;
+		return false;
 	}
 
 	data = asn1_init(mem_ctx);
@@ -209,12 +228,12 @@ bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
 	asn1_read_Integer(data, &edata_type);
 
 	if (edata_type != KRB5_PADATA_PW_SALT) {
-		DEBUG(0,("edata is not of required type %d but of type %d\n", 
+		DEBUG(0,("edata is not of required type %d but of type %d\n",
 			KRB5_PADATA_PW_SALT, edata_type));
 		asn1_free(data);
-		return False;
+		return false;
 	}
-	
+
 	asn1_start_tag(data, ASN1_CONTEXT(2));
 	asn1_read_OctetString(data, talloc_tos(), &edata_contents);
 	asn1_end_tag(data);
@@ -226,11 +245,11 @@ bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
 
 	data_blob_free(&edata_contents);
 
-	return True;
+	return true;
 }
 
 
-static bool ads_cleanup_expired_creds(krb5_context context, 
+static bool ads_cleanup_expired_creds(krb5_context context,
 				      krb5_ccache  ccache,
 				      krb5_creds  *credsp)
 {
@@ -245,16 +264,16 @@ static bool ads_cleanup_expired_creds(krb5_context context,
 	   will expire within 10 seconds.
 	*/
 	if (credsp->times.endtime >= (time(NULL) + 10))
-		return False;
+		return false;
 
-	/* heimdal won't remove creds from a file ccache, and 
-	   perhaps we shouldn't anyway, since internally we 
+	/* heimdal won't remove creds from a file ccache, and
+	   perhaps we shouldn't anyway, since internally we
 	   use memory ccaches, and a FILE one probably means that
 	   we're using creds obtained outside of our exectuable
 	*/
 	if (strequal(cc_type, "FILE")) {
 		DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a %s ccache\n", cc_type));
-		return False;
+		return false;
 	}
 
 	retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
@@ -264,7 +283,7 @@ static bool ads_cleanup_expired_creds(krb5_context context,
 		/* If we have an error in this, we want to display it,
 		   but continue as though we deleted it */
 	}
-	return True;
+	return true;
 }
 
 /* Allocate and setup the auth context into the state we need. */
@@ -345,15 +364,92 @@ static krb5_error_code create_gss_checksum(krb5_data *in_data, /* [inout] */
 }
 #endif
 
+/**************************************************************
+ krb5_parse_name that takes a UNIX charset.
+**************************************************************/
+
+krb5_error_code smb_krb5_parse_name(krb5_context context,
+				const char *name, /* in unix charset */
+				krb5_principal *principal)
+{
+	krb5_error_code ret;
+	char *utf8_name;
+	size_t converted_size;
+	TALLOC_CTX *frame = talloc_stackframe();
+
+	if (!push_utf8_talloc(frame, &utf8_name, name, &converted_size)) {
+		talloc_free(frame);
+		return ENOMEM;
+	}
+
+	ret = krb5_parse_name(context, utf8_name, principal);
+	TALLOC_FREE(frame);
+	return ret;
+}
+
+#if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
+void krb5_free_unparsed_name(krb5_context context, char *val)
+{
+	SAFE_FREE(val);
+}
+#endif
+
+/**************************************************************
+ krb5_parse_name that returns a UNIX charset name. Must
+ be freed with talloc_free() call.
+**************************************************************/
+
+krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
+				      krb5_context context,
+				      krb5_const_principal principal,
+				      char **unix_name)
+{
+	krb5_error_code ret;
+	char *utf8_name;
+	size_t converted_size;
+
+	*unix_name = NULL;
+	ret = krb5_unparse_name(context, principal, &utf8_name);
+	if (ret) {
+		return ret;
+	}
+
+	if (!pull_utf8_talloc(mem_ctx, unix_name, utf8_name, &converted_size)) {
+		krb5_free_unparsed_name(context, utf8_name);
+		return ENOMEM;
+	}
+	krb5_free_unparsed_name(context, utf8_name);
+	return 0;
+}
+
+krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, 
+					    const char *name, 
+					    krb5_principal *principal)
+{
+	/* we are cheating here because parse_name will in fact set the realm.
+	 * We don't care as the only caller of smb_krb5_parse_name_norealm
+	 * ignores the realm anyway when calling
+	 * smb_krb5_principal_compare_any_realm later - Guenther */
+
+	return smb_krb5_parse_name(context, name, principal);
+}
+
+bool smb_krb5_principal_compare_any_realm(krb5_context context, 
+					  krb5_const_principal princ1, 
+					  krb5_const_principal princ2)
+{
+	return krb5_principal_compare_any_realm(context, princ1, princ2);
+}
+
 /*
   we can't use krb5_mk_req because w2k wants the service to be in a particular format
 */
-static krb5_error_code ads_krb5_mk_req(krb5_context context, 
-				       krb5_auth_context *auth_context, 
+static krb5_error_code ads_krb5_mk_req(krb5_context context,
+				       krb5_auth_context *auth_context,
 				       const krb5_flags ap_req_options,
 				       const char *principal,
-				       krb5_ccache ccache, 
-				       krb5_data *outbuf, 
+				       krb5_ccache ccache,
+				       krb5_data *outbuf,
 				       time_t *expire_time,
 				       const char *impersonate_princ_s)
 {
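
Review bot: The banner comment above smb_krb5_unparse_name() reads "krb5_parse_name that returns a UNIX charset name"; it should name krb5_unparse_name, otherwise it duplicates the description of smb_krb5_parse_name() just above it. In the same block, smb_krb5_parse_name() frees the stackframe with talloc_free(frame) on the error path and TALLOC_FREE(frame) on the success path; pick one. pull_utf8_talloc() failure in smb_krb5_unparse_name() is reported as ENOMEM although a charset conversion failure is equally possible, so a DEBUG line there would help diagnosis. The added smb_krb5_parse_name_norealm() and smb_krb5_principal_compare_any_realm() signatures carry trailing whitespace, which the rest of this patch is removing.
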
@@ -363,7 +459,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 	krb5_creds 		* credsp;
 	krb5_creds 		  creds;
 	krb5_data in_data;
-	bool creds_ready = False;
+	bool creds_ready = false;
 	int i = 0, maxtries = 3;
 
 	ZERO_STRUCT(in_data);
@@ -386,11 +482,11 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 	/* obtain ticket & session key */
 	ZERO_STRUCT(creds);
 	if ((retval = krb5_copy_principal(context, server, &creds.server))) {
-		DEBUG(1,("ads_krb5_mk_req: krb5_copy_principal failed (%s)\n", 
+		DEBUG(1,("ads_krb5_mk_req: krb5_copy_principal failed (%s)\n",
 			 error_message(retval)));
 		goto cleanup_princ;
 	}
-	
+
 	if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
 		/* This can commonly fail on smbd startup with no ticket in the cache.
 		 * Report at higher level than 1. */
@@ -420,7 +516,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 		}
 
 		if (!ads_cleanup_expired_creds(context, ccache, credsp)) {
-			creds_ready = True;
+			creds_ready = true;
 		}
 
 		i++;
@@ -525,7 +621,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 	}
 #endif
 
-	retval = krb5_mk_req_extended(context, auth_context, ap_req_options, 
+	retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
 				      &in_data, credsp, outbuf);
 	if (retval) {
 		DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n", 
@@ -555,6 +651,19 @@ cleanup_princ:
 	return retval;
 }
 
+void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
+{
+#if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
+	if (pdata->data) {


-- 
Samba Shared Repository

