[SCM] Samba Shared Repository - branch master updated

Simo Sorce idra at samba.org
Fri May 4 10:44:03 MDT 2012


The branch, master has been updated
       via  d0e7770 waf: Fix com_err detection with MIT krb5.
       via  822e679 s4:auth/kerberos: don't do tracing in MIT build
       via  21d383d s4:torture: auth/pac.c: use Kerberos wrapper for krb5_keyblock_init
       via  4875a12 Avoid using Heimdal-specific tests in MIT build
       via  5668845 s4:ntvfs: add missing headers to vfs_ipc
       via  27549b4 Fix direct access to krb5_principal structure
       via  eb9e3e8 auth-session: MIT doesn't have import/export cred yet
       via  5832c61c s4-auth: Use smb_krb5_cc_get_lifetime() wrapper.
       via  4d77466 krb5samba: Add a smb_krb5_cc_get_lifetime() function.
       via  6bec64b s4-auth-krb: Make srv_keytab.c build against MIT Kerberos
       via  38c7d8e krb5samba: Add compat function for krb5_kt_compare
       via  548046f Fix incompatible assignment warning
       via  b776bc5 krb5samba: Add compat krb5_make_principal for MIT build
       via  205b032 Fix compiler warning
       via  cf7d15e s4-auth-krb: Use compat code to initialize keyblock contents
       via  93de8e4 krb5samba: Add compat code to initialize keyblock contents
       via  62f3be7 s4-auth-krb: Disable code in MIT build
       via  c2f6632 Move keytab_copy to krb5samba lib
       via  94b9af6 Fix keytab_copy to compile with MIT libraries too
       via  07953e1 keytab_copy: Fix style, whitespaces
       via  57dc8aa kerberos_pac: Fix code to work with MIT too
       via  a2de8a1 s4-auth-krb: smb_rd_req_return_stuff is used only in gensec_krb5
       via  3109a3d Split normal kinit from s4u2 flavored kinit
       via  29d284c Move kerberos_kinit_password_cc to krb5samba lib
       via  38a5a2c Move kerberos_kinit_keyblock_cc to krb5samba lib
       via  aa1a0d8 krb-init: define out heimdal specific stuff in mitkrb build
       via  9a585a3 s4-auth-krb: avoid useless condition
       via  afa6c31 krb5samba: Remove unnecessary include file
       via  b7b0903 Fix krb5_samba.c build
      from  eb6e22b s4:torture: add a check for talloc success in test_session_reauth

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d0e7770017a1322ad78b13f0840c54514ee1d9bd
Author: Andreas Schneider <asn at samba.org>
Date:   Thu May 3 11:28:50 2012 +0200

    waf: Fix com_err detection with MIT krb5.
    
    Signed-off-by: Simo Sorce <idra at samba.org>
    
    Autobuild-User: Simo Sorce <idra at samba.org>
    Autobuild-Date: Fri May  4 18:43:05 CEST 2012 on sn-devel-104

commit 822e6794f09ff2440972453adbac38d3efd1c54e
Author: Alexander Bokovoy <ab at samba.org>
Date:   Thu May 3 12:33:42 2012 +0300

    s4:auth/kerberos: don't do tracing in MIT build
    
    Signed-off-by: Simo Sorce <idra at samba.org>

commit 21d383d04f21755418c755139824cfe7234ff474
Author: Alexander Bokovoy <ab at samba.org>
Date:   Wed May 2 21:40:13 2012 +0300

    s4:torture: auth/pac.c: use Kerberos wrapper for krb5_keyblock_init
    
    Signed-off-by: Simo Sorce <idra at samba.org>

commit 4875a12ab840c413b68040503333ca2ecd78db98
Author: Alexander Bokovoy <ab at samba.org>
Date:   Wed May 2 21:16:01 2012 +0300

    Avoid using Heimdal-specific tests in MIT build

commit 566884553ccb9c99cc3b05bc6fc84bf5efa9fae2
Author: Alexander Bokovoy <ab at samba.org>
Date:   Wed May 2 20:59:00 2012 +0300

    s4:ntvfs: add missing headers to vfs_ipc
    
    vfs_ipc.c had system/kerberos.h and system/filesys.h missing
    
    Signed-off-by: Simo Sorce <idra at samba.org>

commit 27549b4e31b47fab23af0bce6bf888e4148f88e9
Author: Simo Sorce <idra at samba.org>
Date:   Wed May 2 13:22:08 2012 -0400

    Fix direct access to krb5_principal structure

commit eb9e3e8a54aa7d6b805d280fd5586f9d1a2a094a
Author: Simo Sorce <idra at samba.org>
Date:   Wed May 2 12:24:34 2012 -0400

    auth-session: MIT doesn't have import/export cred yet
    
    For now let's just lose this functionality with the MIT build.
    gss_import/export_cred should be available when MIT 1.11 is released and this
    code is used only in some proxy scenario. Not normally needed for common
    configurations.

commit 5832c61c5f9905f91ae6a010f5c90c674cdace91
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Apr 27 20:29:47 2012 +0200

    s4-auth: Use smb_krb5_cc_get_lifetime() wrapper.
    
    Signed-off-by: Simo Sorce <idra at samba.org>

commit 4d77466dafdb4def6681534e47c06aa07ccf6e17
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Apr 27 16:52:26 2012 +0200

    krb5samba: Add a smb_krb5_cc_get_lifetime() function.
    
    Signed-off-by: Simo Sorce <idra at samba.org>

commit 6bec64b12a90ba81996ca6d049b56f168ef70bc0
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 18:11:09 2012 -0400

    s4-auth-krb: Make srv_keytab.c build against MIT Kerberos

commit 38c7d8e4fdf6facd37310aa848eb5b2459d4fbe7
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 18:22:43 2012 -0400

    krb5samba: Add compat function for krb5_kt_compare

commit 548046ff4df23f08e1f652136e7322623885d7ab
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 17:56:38 2012 -0400

    Fix incompatible assignment warning

commit b776bc5f72efac87244393a2bf1e5c9278bdaf15
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 17:21:22 2012 -0400

    krb5samba: Add compat krb5_make_principal for MIT build

commit 205b032061bffe68fd784ebdc33d485acd57a5b1
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 16:54:42 2012 -0400

    Fix compiler warning

commit cf7d15e0758040c91c262749f7ceea3ca7d3fab8
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 16:52:55 2012 -0400

    s4-auth-krb: Use compat code to initialize keyblock contents

commit 93de8e45707ab834eb9d4e2a442025d109955382
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 16:52:37 2012 -0400

    krb5samba: Add compat code to initialize keyblock contents

commit 62f3be7af3f743ddc2ec0c4d8e6a431fae583282
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 16:50:53 2012 -0400

    s4-auth-krb: Disable code in MIT build
    
    Unfortunately these functions are not available in MIT and there is no easy
    workaround or compat function I can see at this stage. Will fix properly once
    MIT gets the necessary functions or if another workaround can be found.

commit c2f663263c60e6a4b83d85d70fc1e091d77618f5
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 15:05:11 2012 -0400

    Move keytab_copy to krb5samba lib
    
    This is a helper function that uses purely krb5 code, so it belongs to
    krb5samba which is the krb5 wrapper for samba.

commit 94b9af6ac6e7d524398d971c44cc5569cf70346f
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 15:01:48 2012 -0400

    Fix keytab_copy to compile with MIT libraries too

commit 07953e19fc01ee424f0ae5e65799ea7c029082f2
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 12:50:03 2012 -0400

    keytab_copy: Fix style, whitespaces

commit 57dc8aa1b21d1771ed8533100be122c8a7dac4ce
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 12:41:25 2012 -0400

    kerberos_pac: Fix code to work with MIT too

commit a2de8a12d3a218f172cf41fbf896ccf2b3bddfc8
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 12:27:05 2012 -0400

    s4-auth-krb: smb_rd_req_return_stuff is used only in gensec_krb5
    
    Make it clearly a gensec_krb5 accessory file.
    This function should never be used anywhere else.
    This function was copied out from the Heimdal tree and is kept in a separate
    file for clarity and to keep the original license boilerplate.

commit 3109a3de1f362e9dc42bceb81a393e2dbf80b7b2
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 12:06:24 2012 -0400

    Split normal kinit from s4u2 flavored kinit
    
    This makes it simpler to slowly integrate MIT support and also makes it
    somewhat clearer what operation is really requested.
    The s4u2 part is really only used by the cifs proxy code so we can temporarily
    disable it in the MIT build w/o major consequences.

commit 29d284c245c1b3458712c8140cd7b0d1ae175d1f
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 26 11:05:51 2012 -0400

    Move kerberos_kinit_password_cc to krb5samba lib

commit 38a5a2c5c59029889d6c7c6dc80ab087956ca651
Author: Simo Sorce <idra at samba.org>
Date:   Wed Apr 25 17:29:09 2012 -0400

    Move kerberos_kinit_keyblock_cc to krb5samba lib
    
    Make it also work with MIT where krb5_get_in_tkt_with_keyblock is not
    available.

commit aa1a0d80de8b8c9116f5d5b576e2422d104e6b75
Author: Simo Sorce <idra at samba.org>
Date:   Wed Apr 25 10:31:12 2012 -0400

    krb-init: define out heimdal specific stuff in mitkrb build

commit 9a585a314142637a0c15f04289fea2bc16d3295d
Author: Simo Sorce <idra at samba.org>
Date:   Wed Apr 25 10:19:07 2012 -0400

    s4-auth-krb: avoid useless condition
    
    Code bails out with ENOMEM 2 lines above if config_file is NULL anyways

commit afa6c31e6e35c8105ae5b96de1e6f0ac998d10a6
Author: Simo Sorce <idra at samba.org>
Date:   Thu May 3 11:38:35 2012 -0400

    krb5samba: Remove unnecessary include file

commit b7b090395a830ad265c189793f25d4042c8f403e
Author: Simo Sorce <idra at samba.org>
Date:   Wed May 2 14:53:45 2012 -0400

    Fix krb5_samba.c build

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_krb5.c                |    4 +-
 .../keytab_copy.c => lib/krb5_wrap/keytab_util.c   |   79 ++-
 lib/krb5_wrap/krb5_samba.c                         |  625 +++++++++++++++++++-
 lib/krb5_wrap/krb5_samba.h                         |   75 +++
 lib/krb5_wrap/wscript_build                        |    2 +-
 source3/configure.in                               |    4 +
 source4/auth/gensec/gensec_krb5.c                  |    1 +
 .../gensec_krb5_util.c}                            |    0
 source4/auth/gensec/gensec_krb5_util.h             |   10 +
 source4/auth/gensec/wscript_build                  |    2 +-
 source4/auth/kerberos/kerberos.c                   |  469 ---------------
 source4/auth/kerberos/kerberos.h                   |   12 -
 source4/auth/kerberos/kerberos_pac.c               |    6 +-
 source4/auth/kerberos/kerberos_util.c              |   37 +-
 source4/auth/kerberos/krb5_init_context.c          |   32 +-
 source4/auth/kerberos/srv_keytab.c                 |   21 +-
 source4/auth/kerberos/wscript_build                |    2 +-
 source4/auth/session.c                             |    8 +-
 source4/heimdal_build/wscript_configure            |    6 +
 source4/ntvfs/ipc/vfs_ipc.c                        |    2 +
 source4/rpc_server/drsuapi/writespn.c              |    6 +-
 source4/torture/auth/pac.c                         |    8 +-
 source4/torture/ndr/ndr.c                          |    2 +
 source4/torture/rpc/rpc.c                          |    2 +
 source4/torture/wscript_build                      |   13 +-
 wscript_configure_krb5                             |   13 +-
 26 files changed, 877 insertions(+), 564 deletions(-)
 rename source4/auth/kerberos/keytab_copy.c => lib/krb5_wrap/keytab_util.c (76%)
 rename source4/auth/{kerberos/kerberos_heimdal.c => gensec/gensec_krb5_util.c} (100%)
 create mode 100644 source4/auth/gensec/gensec_krb5_util.h
 mode change 100644 => 100755 source4/auth/gensec/wscript_build
 delete mode 100644 source4/auth/kerberos/kerberos.c
 mode change 100644 => 100755 source4/heimdal_build/wscript_configure
 mode change 100644 => 100755 source4/torture/wscript_build


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 86b33d4..684f244 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -303,8 +303,8 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
 	    cred->ccache_obtained > CRED_UNINITIALISED) {
 		time_t lifetime;
 		bool expired = false;
-		ret = krb5_cc_get_lifetime(cred->ccache->smb_krb5_context->krb5_context, 
-					   cred->ccache->ccache, &lifetime);
+		ret = smb_krb5_cc_get_lifetime(cred->ccache->smb_krb5_context->krb5_context,
+					       cred->ccache->ccache, &lifetime);
 		if (ret == KRB5_CC_END) {
 			/* If we have a particular ccache set, without
 			 * an initial ticket, then assume there is a
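Review bot: the `ret == KRB5_CC_END` test immediately after the new `smb_krb5_cc_get_lifetime()` call only keeps its meaning if the wrapper's MIT implementation also reports a ccache without an initial ticket as KRB5_CC_END; the wrapper body is not in the visible part of this diff, so its contract (lifetime on success, KRB5_CC_END when no TGT is present) should be stated in krb5_samba.h, otherwise the "particular ccache set, without an initial ticket" branch below is silently never taken on MIT builds.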
diff --git a/source4/auth/kerberos/keytab_copy.c b/lib/krb5_wrap/keytab_util.c
similarity index 76%
rename from source4/auth/kerberos/keytab_copy.c
rename to lib/krb5_wrap/keytab_util.c
index d823e02..91e4990 100644
--- a/source4/auth/kerberos/keytab_copy.c
+++ b/lib/krb5_wrap/keytab_util.c
@@ -34,21 +34,22 @@
  */
 
 #include "includes.h"
-#include "system/kerberos.h"
-#include "auth/kerberos/kerberos.h"
+#include "krb5_samba.h"
 
 static krb5_boolean
 compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
 {
-    if(a->keytype != b->keytype ||
-       a->keyvalue.length != b->keyvalue.length ||
-       memcmp(a->keyvalue.data, b->keyvalue.data, a->keyvalue.length) != 0)
-	return FALSE;
-    return TRUE;
+    if (KRB5_KEY_TYPE(a) != KRB5_KEY_TYPE(b) ||
+        KRB5_KEY_LENGTH(a) != KRB5_KEY_LENGTH(b) ||
+        memcmp(KRB5_KEY_DATA(a), KRB5_KEY_DATA(b), KRB5_KEY_LENGTH(a)) != 0)
+	return false;
+    return true;
 }
 
-static krb5_error_code copy_one_entry(krb5_context context, 
-				      krb5_keytab src_keytab, krb5_keytab dst_keytab, krb5_keytab_entry entry) 
+static krb5_error_code copy_one_entry(krb5_context context,
+				      krb5_keytab src_keytab,
+				      krb5_keytab dst_keytab,
+				      krb5_keytab_entry entry)
 {
     krb5_error_code ret;
     krb5_keytab_entry dummy;
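Review bot: the rewritten compare_keyblock() keeps the original four-space Heimdal indentation for its body while the `return false;` / `return true;` lines and the new copy_one_entry() parameter list are tab-indented, so the file now mixes both styles even though this series carries a "keytab_copy: Fix style, whitespaces" commit; settle on tabs as the rest of Samba does. The function is still declared krb5_boolean but now returns C99 true/false, which is fine provided stdbool.h reaches this file through includes.h on the MIT build, where krb5_boolean is a plain int.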
@@ -61,7 +62,9 @@ static krb5_error_code copy_one_entry(krb5_context context,
 	name_str = NULL; /* XXX */
 	return ret;
     }
-    ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
+    ret = smb_krb5_enctype_to_string(context,
+					KRB5_KEY_TYPE(KRB5_KT_KEY(&entry)),
+					&etype_str);
     if(ret) {
 	krb5_set_error_message(context, ret, "krb5_enctype_to_string");
 	etype_str = NULL; /* XXX */
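Review bot: the error string set on failure still names `krb5_enctype_to_string` although the call is now `smb_krb5_enctype_to_string()`; update it so a failure reported here can be traced to the wrapper that actually ran. The `/* XXX */` left on `etype_str = NULL` also dates from the Heimdal original and should either be resolved or turned into a comment that says what is unfinished.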
@@ -70,16 +73,16 @@ static krb5_error_code copy_one_entry(krb5_context context,
     ret = krb5_kt_get_entry(context, dst_keytab,
 			    entry.principal,
 			    entry.vno,
-			    entry.keyblock.keytype,
+			    KRB5_KEY_TYPE(KRB5_KT_KEY(&entry)),
 			    &dummy);
     if(ret == 0) {
 	/* this entry is already in the new keytab, so no need to
 	   copy it; if the keyblocks are not the same, something
 	   is weird, so complain about that */
-	if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) {
-		krb5_warn(context, 0, "entry with different keyvalue "
+	if (!compare_keyblock(KRB5_KT_KEY(&entry), KRB5_KT_KEY(&dummy))) {
+		DEBUG(2, ("copy_one_entry: entry with different keyvalue "
 			  "already exists for %s, keytype %s, kvno %d",
-			  name_str, etype_str, entry.vno);
+			  name_str, etype_str, entry.vno));
 	}
 	krb5_kt_free_entry(context, &dummy);
 	krb5_kt_free_entry (context, &entry);
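Review bot: the DEBUG(2, ...) that replaces krb5_warn() drops the trailing newline that Samba's DEBUG format strings need, so the message runs into the next log line; add "\n" after `kvno %d`. An entry with the same principal, kvno and enctype but a different key value is exactly the case where the copy silently keeps the wrong key in the destination keytab, so level 2 is too quiet for it; level 0 or 1 would match its importance.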
@@ -93,7 +96,7 @@ static krb5_error_code copy_one_entry(krb5_context context,
 	free(name_str);
 	free(etype_str);
 	return ret;
-    } 
+    }
     ret = krb5_kt_add_entry (context, dst_keytab, &entry);
     krb5_kt_free_entry (context, &entry);
     if (ret) {
@@ -108,7 +111,7 @@ static krb5_error_code copy_one_entry(krb5_context context,
     return ret;
 }
 
-krb5_error_code kt_copy (krb5_context context, const char *from, const char *to)
+krb5_error_code kt_copy(krb5_context context, const char *from, const char *to)
 {
     krb5_error_code ret;
     krb5_keytab src_keytab, dst_keytab;
@@ -154,8 +157,12 @@ krb5_error_code kt_copy (krb5_context context, const char *from, const char *to)
     return ret;
 }
 
-krb5_error_code kt_copy_one_principal (krb5_context context, const char *from, const char *to, 
-				       const char *principal, krb5_kvno kvno, krb5_enctype *enctypes)
+krb5_error_code kt_copy_one_principal(krb5_context context,
+				      const char *from,
+				      const char *to,
+				      const char *principal,
+				      krb5_kvno kvno,
+				      krb5_enctype *enctypes)
 {
     krb5_error_code ret;
     krb5_keytab src_keytab, dst_keytab;
@@ -205,10 +212,13 @@ krb5_error_code kt_copy_one_principal (krb5_context context, const char *from, c
 	    char *princ_string;
 	    int ret2 = krb5_unparse_name (context, princ, &princ_string);
 	    if (ret2) {
-		krb5_set_error_message(context, ret, "failed to fetch principal %s", princ_string);
+		krb5_set_error_message(context, ret,
+					"failed to fetch principal %s",
+					princ_string);
 	    }
 	} else {
-	    /* Not finding an enc type is not an error, as long as we copied one for the principal */
+	    /* Not finding an enc type is not an error,
+	     * as long as we copied one for the principal */
 	    ret = 0;
 	}
     }
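Review bot: in the `if (ret2)` branch krb5_unparse_name() has just failed, so princ_string was never assigned, yet the reformatted krb5_set_error_message() call prints it with `%s`; that is a read of an uninitialised pointer. Initialise `princ_string = NULL` at its declaration and report the failure without it, and add a comment that the message is deliberately attached to `ret` (the original fetch error) while ret2 is discarded.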
@@ -217,3 +227,32 @@ krb5_error_code kt_copy_one_principal (krb5_context context, const char *from, c
     krb5_kt_close (context, dst_keytab);
     return ret;
 }
+
+#if !defined(HAVE_KRB5_KT_COMPARE)
+krb5_boolean smb_krb5_kt_compare(krb5_context context,
+				 krb5_keytab_entry *entry,
+				 krb5_const_principal principal,
+				 krb5_kvno kvno,
+				 krb5_enctype enctype)
+{
+	if (principal) {
+		if (!krb5_principal_compare(context,
+					    entry->principal, principal)) {
+			return false;
+		}
+	}
+	if (kvno) {
+		if (entry->vno != kvno) {
+			return false;
+		}
+	}
+	if (enctype) {
+		if (KRB5_KEY_TYPE(KRB5_KT_KEY(entry)) != enctype) {
+			return false;
+		}
+	}
+
+	return true;
+}
+#endif
+
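Review bot: smb_krb5_kt_compare() treats a NULL principal, a kvno of 0 and an enctype of 0 as "match any", the same convention as Heimdal's krb5_kt_compare(), but nothing in the hunk says so; add a comment here or on the prototype in krb5_samba.h, since a caller passing 0 expecting an exact kvno match would get every entry back. Two style nits: the function is declared krb5_boolean but returns C99 true/false, and the hunk adds a trailing blank line at end of file.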
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 10207b5..ddebdd8 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -22,7 +22,6 @@
 
 #include "includes.h"
 #include "krb5_samba.h"
-#include "librpc/gen_ndr/krb5pac.h"
 #include "lib/util/asn1.h"
 
 #ifndef KRB5_AUTHDATA_WIN2K_PAC
@@ -55,6 +54,10 @@ krb5_error_code krb5_auth_con_set_req_cksumtype(
 #define SMB_MALLOC(s) malloc((s))
 #endif
 
+#ifndef SMB_STRDUP
+#define SMB_STRDUP(s) strdup(s)
+#endif
+
 #if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
 
 #if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES)
@@ -1552,6 +1555,626 @@ krb5_error_code smb_krb5_get_creds(const char *server_s,
 	return ret;
 }
 
+
+krb5_error_code smb_krb5_keyblock_init_contents(krb5_context context,
+						krb5_enctype enctype,
+						const void *data,
+						size_t length,
+						krb5_keyblock *key)
+{
+#if defined(HAVE_KRB5_KEYBLOCK_INIT)
+	return krb5_keyblock_init(context, enctype, data, length, key);
+#else
+	memset(key, 0, sizeof(krb5_keyblock));
+	KRB5_KEY_DATA(key) = SMB_MALLOC(length);
+	if (NULL == KRB5_KEY_DATA(key)) {
+		return ENOMEM;
+	}
+	memcpy(KRB5_KEY_DATA(key), data, length);
+	KRB5_KEY_LENGTH(key) = length;
+	KRB5_KEY_TYPE(key) = enctype;
+	return 0;
+#endif
+}
+
+/*
+  simulate a kinit, putting the tgt in the given credentials cache.
+  Orignally by remus at snapserver.com
+
+  This version is built to use a keyblock, rather than needing the
+  original password.
+
+  The impersonate_principal is the principal if NULL, or the principal
+  to impersonate
+
+  The target_service defaults to the krbtgt if NULL, but could be
+   kpasswd/realm or the local service (if we are doing s4u2self)
+*/
+krb5_error_code kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc,
+					   krb5_principal principal,
+					   krb5_keyblock *keyblock,
+					   const char *target_service,
+					   krb5_get_init_creds_opt *krb_options,
+					   time_t *expire_time,
+					   time_t *kdc_time)
+{
+	krb5_error_code code = 0;
+	krb5_creds my_creds;
+
+#if defined(HAVE_KRB5_GET_INIT_CREDS_KEYBLOCK)
+	code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal,
+					    keyblock, 0, target_service,
+					    krb_options);
+#elif defined(HAVE_KRB5_GET_INIT_CREDS_KEYTAB)
+{
+#define SMB_CREDS_KEYTAB "MEMORY:tmp_smb_creds_XXXXXX"
+	char tmp_name[sizeof(SMB_CREDS_KEYTAB)];
+	krb5_keytab_entry entry;
+	krb5_keytab keytab;
+
+	memset(&entry, 0, sizeof(entry));
+	entry.principal = principal;
+	*(KRB5_KT_KEY(&entry)) = *keyblock;
+
+	memcpy(tmp_name, SMB_CREDS_KEYTAB, sizeof(SMB_CREDS_KEYTAB));
+	mktemp(tmp_name);
+	if (tmp_name[0] == 0) {
+		return KRB5_KT_BADNAME;
+	}
+	code = krb5_kt_resolve(ctx, tmp_name, &keytab);
+	if (code) {
+		return code;
+	}
+
+	code = krb5_kt_add_entry(ctx, keytab, &entry);
+	if (code) {
+		(void)krb5_kt_close(ctx, keytab);
+		goto done;
+	}
+
+	code = krb5_get_init_creds_keytab(ctx, &my_creds, principal,
+					  keytab, 0, target_service,
+					  krb_options);
+	(void)krb5_kt_close(ctx, keytab);
+}
+#else
+#error krb5_get_init_creds_keyblock not available!
+#endif
+	if (code) {
+		return code;
+	}
+
+	code = krb5_cc_initialize(ctx, cc, principal);
+	if (code) {
+		goto done;
+	}
+
+	code = krb5_cc_store_cred(ctx, cc, &my_creds);
+	if (code) {
+		goto done;
+	}
+
+	if (expire_time) {
+		*expire_time = (time_t) my_creds.times.endtime;
+	}
+
+	if (kdc_time) {
+		*kdc_time = (time_t) my_creds.times.starttime;
+	}
+
+	code = 0;
+done:
+	krb5_free_cred_contents(ctx, &my_creds);
+	return code;
+}
+
+krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
+					   krb5_principal principal,
+					   const char *password,
+					   const char *target_service,
+					   krb5_get_init_creds_opt *krb_options,
+					   time_t *expire_time,
+					   time_t *kdc_time)
+{
+	krb5_error_code code = 0;
+	krb5_creds my_creds;
+
+	code = krb5_get_init_creds_password(ctx, &my_creds, principal,
+					    password, NULL, NULL, 0,
+					    target_service, krb_options);
+	if (code) {
+		return code;
+	}
+
+	code = krb5_cc_initialize(ctx, cc, principal);
+	if (code) {
+		goto done;
+	}
+
+	code = krb5_cc_store_cred(ctx, cc, &my_creds);
+	if (code) {
+		goto done;
+	}
+
+	if (expire_time) {
+		*expire_time = (time_t) my_creds.times.endtime;
+	}
+
+	if (kdc_time) {
+		*kdc_time = (time_t) my_creds.times.starttime;
+	}
+
+	code = 0;
+done:
+	krb5_free_cred_contents(ctx, &my_creds);
+	return code;
+}
+
+#ifdef SAMBA4_USES_HEIMDAL
+/*
+  simulate a kinit, putting the tgt in the given credentials cache.
+  Orignally by remus at snapserver.com
+
+  The impersonate_principal is the principal
+
+  The self_service, should be the local service (for S4U2Self if
+  impersonate_principal is given).
+
+  The target_service defaults to the krbtgt if NULL, but could be
+  kpasswd/realm or a remote service (for S4U2Proxy)
+
+*/
+krb5_error_code kerberos_kinit_s4u2_cc(krb5_context ctx,
+					krb5_ccache store_cc,
+					krb5_principal init_principal,
+					const char *init_password,
+					krb5_principal impersonate_principal,
+					const char *self_service,
+					const char *target_service,
+					krb5_get_init_creds_opt *krb_options,
+					time_t *expire_time,
+					time_t *kdc_time)
+{
+	krb5_error_code code = 0;
+	krb5_get_creds_opt options;
+	krb5_principal store_principal;
+	krb5_creds store_creds;
+	krb5_creds *s4u2self_creds;
+	Ticket s4u2self_ticket;
+	size_t s4u2self_ticketlen;
+	krb5_creds *s4u2proxy_creds;
+	krb5_principal self_princ;
+	bool s4u2proxy;
+	krb5_principal target_princ;
+	krb5_ccache tmp_cc;
+	const char *self_realm;
+	krb5_principal blacklist_principal = NULL;
+	krb5_principal whitelist_principal = NULL;
+
+	code = krb5_get_init_creds_password(ctx, &store_creds,
+					    init_principal,
+					    init_password,
+					    NULL, NULL,
+					    0,
+					    NULL,
+					    krb_options);
+	if (code != 0) {
+		return code;
+	}
+
+	store_principal = init_principal;
+
+	/*
+	 * We are trying S4U2Self now:
+	 *
+	 * As we do not want to expose our TGT in the
+	 * krb5_ccache, which is also holds the impersonated creds.
+	 *
+	 * Some low level krb5/gssapi function might use the TGT
+	 * identity and let the client act as our machine account.
+	 *
+	 * We need to avoid that and use a temporary krb5_ccache
+	 * in order to pass our TGT to the krb5_get_creds() function.
+	 */
+	code = krb5_cc_new_unique(ctx, NULL, NULL, &tmp_cc);
+	if (code != 0) {
+		krb5_free_cred_contents(ctx, &store_creds);
+		return code;
+	}
+
+	code = krb5_cc_initialize(ctx, tmp_cc, store_creds.client);
+	if (code != 0) {
+		krb5_cc_destroy(ctx, tmp_cc);
+		krb5_free_cred_contents(ctx, &store_creds);
+		return code;
+	}
+
+	code = krb5_cc_store_cred(ctx, tmp_cc, &store_creds);
+	if (code != 0) {
+		krb5_free_cred_contents(ctx, &store_creds);
+		krb5_cc_destroy(ctx, tmp_cc);
+		return code;
+	}
+
+	/*
+	 * we need to remember the client principal of our
+	 * TGT and make sure the KDC does not return this
+	 * in the impersonated tickets. This can happen
+	 * if the KDC does not support S4U2Self and S4U2Proxy.
+	 */
+	blacklist_principal = store_creds.client;
+	store_creds.client = NULL;
+	krb5_free_cred_contents(ctx, &store_creds);
+
+	/*
+	 * Check if we also need S4U2Proxy or if S4U2Self is
+	 * enough in order to get a ticket for the target.
+	 */
+	if (target_service == NULL) {
+		s4u2proxy = false;
+	} else if (strcmp(target_service, self_service) == 0) {
+		s4u2proxy = false;
+	} else {
+		s4u2proxy = true;
+	}
+
+	/*
+	 * For S4U2Self we need our own service principal,
+	 * which belongs to our own realm (available on
+	 * our client principal).
+	 */
+	self_realm = krb5_principal_get_realm(ctx, init_principal);
+
+	code = krb5_parse_name(ctx, self_service, &self_princ);
+	if (code != 0) {
+		krb5_free_principal(ctx, blacklist_principal);
+		krb5_cc_destroy(ctx, tmp_cc);
+		return code;
+	}
+
+	code = krb5_principal_set_realm(ctx, self_princ, self_realm);
+	if (code != 0) {
+		krb5_free_principal(ctx, blacklist_principal);
+		krb5_free_principal(ctx, self_princ);
+		krb5_cc_destroy(ctx, tmp_cc);
+		return code;
+	}
+
+	code = krb5_get_creds_opt_alloc(ctx, &options);
+	if (code != 0) {
+		krb5_free_principal(ctx, blacklist_principal);
+		krb5_free_principal(ctx, self_princ);
+		krb5_cc_destroy(ctx, tmp_cc);
+		return code;
+	}
+
+	if (s4u2proxy) {
+		/*
+		 * If we want S4U2Proxy, we need the forwardable flag
+		 * on the S4U2Self ticket.
+		 */
+		krb5_get_creds_opt_set_options(ctx, options, KRB5_GC_FORWARDABLE);
+	}
+
+	code = krb5_get_creds_opt_set_impersonate(ctx, options,
+						  impersonate_principal);
+	if (code != 0) {
+		krb5_get_creds_opt_free(ctx, options);
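Review bot: in the HAVE_KRB5_GET_INIT_CREDS_KEYTAB fallback of kerberos_kinit_keyblock_cc(), the `goto done` after a failed krb5_kt_add_entry() lands on `krb5_free_cred_contents(ctx, &my_creds)` while my_creds is still uninitialised (it is only filled by krb5_get_init_creds_keytab() a few lines later), so that error path frees garbage; return `code` directly there, as the krb5_kt_resolve() failure above it does, or zero my_creds at declaration. In the same block, mktemp() is used only to make the MEMORY: keytab name unique (there is no file, so the usual tmpfile race does not apply), but the entry holding a copy of the caller's keyblock is never removed with krb5_kt_remove_entry() before krb5_kt_close(), so whether that key material is released on close depends on the MEMORY keytab implementation and should be verified against the MIT version being targeted. The `#error` branch means a libkrb5 with neither API fails at compile time, which is the right outcome but worth a line in the commit message. The remainder of this hunk, including kerberos_kinit_s4u2_cc() from `krb5_get_creds_opt_set_impersonate()` onward, is cut off by the 500-line truncation and cannot be reviewed here.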


-- 
Samba Shared Repository

