[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Fri Aug 8 00:31:04 MDT 2014
The branch, master has been updated
via 9c5470b lib/krb5_wrap: provide krb5_warnx() replacement.
via c0d0006 lib/krb5_wrap: use krb5_copy_data_contents in smb_krb5_principal_set_realm.
via 7b1a517 lib/krb5_wrap: provide CKSUMTYPE_HMAC_MD5 type matching MIT.
via 6bc619d lib/krb5_wrap: define KRB5_PW_SALT if it is not already there.
via 0e25549 lib/krb5_wrap: add smb_krb5_principal_get_type().
via abc2d81 auth/credentials_krb5: silence a build warning.
via 763cae6 lib/krb5_wrap: add smb_krb5_principal_set_realm().
via 1a58585 lib/krb5_wrap: use const principal in smb_krb5_principal_get_realm().
via a6145a2 wscript: add check for krb5_keyblock_init.
via d487bce s4-gensec_krb5: fix memleak in gensec_krb5_session_info().
via 9fed7ed lib/krb5_wrap: add krb5_copy_data_contents.
via 57b6517 s4-heimdal: fix krb5_get_init_creds_opt_set_process_last_req().
via 759c9b0 s4-auth/kerberos: add a note how to implement krb5_get_init_creds_opt_set_win2k() with MIT.
via 7f61950 s4-kerberos: remove duplicate macros.
via feabae7 s4-dsdb/samdb: use smb_krb5_principal_get_comp_string in ldb ACL module.
via f5ce0ee lib/krb5_wrap: add smb_krb5_principal_get_comp_string().
via 5c66368 lib/krb5_wrap: move krb5_princ_size replacement code to lib/krb5_wrap/krb5_samba.c.
via fb2a8b3 auth/credentials-krb5: use get_kerberos_allowed_etypes().
via 3d56bcc s4-torture: use smb_krb5_get_allowed_weak_crypto() in remote PAC test.
via 561c746 lib/krb5_wrap: add smb_krb5_get_allowed_weak_crypto().
via 38d454e lib/krb5_wrap: remove unused create_kerberos_key_from_string_direct().
via 22c6766 samba: use smb_krb5_create_key_from_string() in some places.
via 016cd35 lib/krb5_wrap: add smb_krb5_create_key_from_string().
via 6b3d985 lib/krb5_wrap: add smb_krb5_get_pw_salt().
via 3f7b80f s4-dsdb/samdb: use smb_krb5_make_principal for compatibility reasons with MIT.
from 685af03 doc: Add new parameters to vfs_full_audit man page
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9c5470be1e69af78c0c681fbb9a2d113039556f3
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 15:06:51 2014 +0200
lib/krb5_wrap: provide krb5_warnx() replacement.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Aug 8 08:30:50 CEST 2014 on sn-devel-104
commit c0d000692be5aa02652f6271a8ff4950703542df
Author: Günther Deschner <gd at samba.org>
Date: Tue May 13 17:33:07 2014 +0200
lib/krb5_wrap: use krb5_copy_data_contents in smb_krb5_principal_set_realm.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7b1a5179fa2edd7aea30a102e913dfa63fa0eeeb
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 14:54:06 2014 +0200
lib/krb5_wrap: provide CKSUMTYPE_HMAC_MD5 type matching MIT.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6bc619d159c134c1e863627c157d28b12ca33d63
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 14:31:37 2014 +0200
lib/krb5_wrap: define KRB5_PW_SALT if it is not already there.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0e255497d293cd8b3fa24a99c93b43ae5ed2b550
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 12:13:00 2014 +0200
lib/krb5_wrap: add smb_krb5_principal_get_type().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit abc2d812f584176313e2dd375582ead3635d7b8f
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 10:12:01 2014 +0200
auth/credentials_krb5: silence a build warning.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 763cae60c33b06a7ce74e2c7b386cb1b4810c653
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 09:57:21 2014 +0200
lib/krb5_wrap: add smb_krb5_principal_set_realm().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1a58585a9b912a6b70e37a6b2391d3ca7ddda34f
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 10:06:13 2014 +0200
lib/krb5_wrap: use const principal in smb_krb5_principal_get_realm().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a6145a2822d000e02a35797bf9749422be1d4806
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 09:46:25 2014 +0200
wscript: add check for krb5_keyblock_init.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d487bce3abd9699d14f48e6cc11a1a98cb19632b
Author: Günther Deschner <gd at samba.org>
Date: Tue May 6 13:47:28 2014 +0200
s4-gensec_krb5: fix memleak in gensec_krb5_session_info().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9fed7ed00eb74a82e822dca2c9f267fe0c47069f
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 14:59:00 2014 +0200
lib/krb5_wrap: add krb5_copy_data_contents.
This reuses krb5_data_copy() if available; I chose not to call it
krb5_data_copy as that is easily mixed up with krb5_copy_data (which allocs the
krb5_data pointer). Thanks Simo for proposing the better name.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 57b6517441ae66bab6cab211ee8843fe7143b296
Author: Günther Deschner <gd at samba.org>
Date: Wed May 7 08:19:56 2014 +0200
s4-heimdal: fix krb5_get_init_creds_opt_set_process_last_req().
Most probably just a copy/paste error.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 759c9b03e4b3560b0a17f364503ad9489033cb76
Author: Günther Deschner <gd at samba.org>
Date: Wed May 7 08:24:15 2014 +0200
s4-auth/kerberos: add a note how to implement krb5_get_init_creds_opt_set_win2k() with MIT.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7f619503988cc88b2e2e5d0b938b7ba124ac6d04
Author: Günther Deschner <gd at samba.org>
Date: Tue May 6 11:30:51 2014 +0200
s4-kerberos: remove duplicate macros.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit feabae7417213c071e98f05995601151a29353e7
Author: Günther Deschner <gd at samba.org>
Date: Wed Apr 30 10:26:17 2014 +0200
s4-dsdb/samdb: use smb_krb5_principal_get_comp_string in ldb ACL module.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f5ce0ee45a1403484bede07b6596a885246913c8
Author: Günther Deschner <gd at samba.org>
Date: Wed Apr 30 10:49:14 2014 +0200
lib/krb5_wrap: add smb_krb5_principal_get_comp_string().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5c663685ebbb14cc8eca49e9e9554c2dae2e9764
Author: Günther Deschner <gd at samba.org>
Date: Wed Apr 30 10:46:20 2014 +0200
lib/krb5_wrap: move krb5_princ_size replacement code to lib/krb5_wrap/krb5_samba.c.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fb2a8b34c17a68da6f0712d83b55084efaa76e52
Author: Günther Deschner <gd at samba.org>
Date: Tue Apr 29 18:22:55 2014 +0200
auth/credentials-krb5: use get_kerberos_allowed_etypes().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3d56bcc1de8dcdf00c46218b522e4236cdaec40a
Author: Günther Deschner <gd at samba.org>
Date: Tue Apr 29 18:14:35 2014 +0200
s4-torture: use smb_krb5_get_allowed_weak_crypto() in remote PAC test.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
commit 561c74666aa5342a5f819b1af821032fdf1f362b
Author: Günther Deschner <gd at samba.org>
Date: Tue Apr 29 18:14:05 2014 +0200
lib/krb5_wrap: add smb_krb5_get_allowed_weak_crypto().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
commit 38d454eb44fc695f643a0396ececf8e6a7710454
Author: Günther Deschner <gd at samba.org>
Date: Fri Apr 25 14:15:48 2014 +0200
lib/krb5_wrap: remove unused create_kerberos_key_from_string_direct().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
commit 22c6766693179422d721a752ec942e2a7730a0a0
Author: Günther Deschner <gd at samba.org>
Date: Fri Apr 25 14:14:20 2014 +0200
samba: use smb_krb5_create_key_from_string() in some places.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
commit 016cd35d75b33315b78547c231ba82347b448840
Author: Günther Deschner <gd at samba.org>
Date: Fri Apr 25 14:12:05 2014 +0200
lib/krb5_wrap: add smb_krb5_create_key_from_string().
This function can take either a calculated salt or a principal and calculate the
salt on its own.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
commit 6b3d9853ce8fb1506eefd7df10637b0413b69ab5
Author: Günther Deschner <gd at samba.org>
Date: Fri Apr 25 14:03:35 2014 +0200
lib/krb5_wrap: add smb_krb5_get_pw_salt().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
commit 3f7b80f691406aead96b1a0a9d1a168c5adb9ee6
Author: Günther Deschner <gd at samba.org>
Date: Fri Apr 25 13:59:11 2014 +0200
s4-dsdb/samdb: use smb_krb5_make_principal for compatibility reasons with MIT.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials_krb5.c | 13 +-
lib/krb5_wrap/krb5_samba.c | 325 ++++++++++++++++++--
lib/krb5_wrap/krb5_samba.h | 57 +++-
source3/libads/kerberos.c | 7 +-
source4/auth/gensec/gensec_krb5.c | 1 +
source4/auth/kerberos/kerberos.h | 18 -
source4/auth/kerberos/kerberos_util.c | 2 +
source4/auth/kerberos/srv_keytab.c | 10 +-
source4/dsdb/samdb/ldb_modules/acl.c | 13 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 9 +-
.../dsdb/samdb/ldb_modules/wscript_build_server | 2 +-
source4/heimdal/lib/krb5/init_creds.c | 2 +-
source4/heimdal_build/wscript_configure | 5 +
source4/torture/rpc/remote_pac.c | 9 +-
wscript_configure_system_mitkrb5 | 9 +-
15 files changed, 402 insertions(+), 80 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 489a959..d968e20 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -516,7 +516,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
OM_uint32 maj_stat, min_stat;
struct gssapi_creds_container *gcc;
struct ccache_container *ccache;
+#ifdef SAMBA4_USES_HEIMDAL
gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+#endif
krb5_enctype *etypes = NULL;
if (cred->client_gss_creds_obtained >= cred->client_gss_creds_threshold &&
@@ -595,7 +597,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
return ret;
}
-#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks krb5_get_default_in_tkt_etypes */
+
/*
* transfer the enctypes from the smb_krb5_context to the gssapi layer
*
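Review bot: dropping the `#ifdef SAMBA4_USES_HEIMDAL` here leaves a bare `+` blank line in its place (the matching `#endif` hunk further down does the same); remove the directive outright instead of replacing it with an empty line, so the diff does not introduce two stray blank lines.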
@@ -607,9 +609,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
* and used for the AS-REQ, so it wasn't possible to disable the usage
* of AES keys.
*/
- min_stat = krb5_get_default_in_tkt_etypes(ccache->smb_krb5_context->krb5_context,
- KRB5_PDU_NONE,
- &etypes);
+ min_stat = get_kerberos_allowed_etypes(ccache->smb_krb5_context->krb5_context,
+ &etypes);
if (min_stat == 0) {
OM_uint32 num_ktypes;
@@ -618,7 +619,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, gcc->creds,
num_ktypes,
(int32_t *) etypes);
- krb5_xfree (etypes);
+ SAFE_FREE(etypes);
if (maj_stat) {
talloc_free(gcc);
if (min_stat) {
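Review bot: switching `krb5_xfree(etypes)` to `SAFE_FREE(etypes)` changes the allocator the array is released with, so get_kerberos_allowed_etypes() must now hand back a plain malloc()ed array on both the Heimdal and the MIT build; if either backend still allocates it through the krb5 library allocator this becomes an allocator mismatch. A one-line comment at the call site stating that ownership contract would help, since the removed `/* MIT lacks krb5_get_default_in_tkt_etypes */` explanation is the only thing that used to say why this code was Heimdal-only.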
@@ -630,7 +631,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
return ret;
}
}
-#endif
+
#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks GSS_KRB5_CRED_NO_CI_FLAGS_X */
/* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index b218437..a3743ae 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -134,51 +134,116 @@ bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr)
#error UNKNOWN_ADDRTYPE
#endif
-#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY)
-/* MIT */
-int create_kerberos_key_from_string_direct(krb5_context context,
- krb5_principal host_princ,
- krb5_data *password,
- krb5_keyblock *key,
- krb5_enctype enctype)
+/**
+* @brief Create a keyblock based on input parameters
+*
+* @param context The krb5_context
+* @param host_princ The krb5_principal to use
+* @param salt The optional salt, if ommitted, salt is calculated with
+* the provided principal.
+* @param password The krb5_data containing the password
+* @param enctype The krb5_enctype to use for the keyblock generation
+* @param key The returned krb5_keyblock, caller needs to free with
+* krb5_free_keyblock().
+*
+* @return krb5_error_code
+*/
+int smb_krb5_create_key_from_string(krb5_context context,
+ krb5_principal *host_princ,
+ krb5_data *salt,
+ krb5_data *password,
+ krb5_enctype enctype,
+ krb5_keyblock *key)
{
int ret = 0;
- krb5_data salt;
- ret = krb5_principal2salt(context, host_princ, &salt);
- if (ret) {
- DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
- return ret;
+ if (host_princ == NULL && salt == NULL) {
+ return -1;
}
- ret = krb5_c_string_to_key(context, enctype, password, &salt, key);
- SAFE_FREE(salt.data);
- return ret;
+#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY)
+{/* MIT */
+ krb5_data _salt;
+
+ if (salt == NULL) {
+ ret = krb5_principal2salt(context, *host_princ, &_salt);
+ if (ret) {
+ DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
+ return ret;
+ }
+ } else {
+ _salt = *salt;
+ }
+ ret = krb5_c_string_to_key(context, enctype, password, &_salt, key);
+ if (salt == NULL) {
+ SAFE_FREE(_salt.data);
+ }
}
#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
+{/* Heimdal */
+ krb5_salt _salt;
+
+ if (salt == NULL) {
+ ret = krb5_get_pw_salt(context, *host_princ, &_salt);
+ if (ret) {
+ DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
+ return ret;
+ }
+ } else {
+ _salt.saltvalue = *salt;
+ _salt.salttype = KRB5_PW_SALT;
+ }
+
+ ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, _salt, key);
+ if (salt == NULL) {
+ krb5_free_salt(context, _salt);
+ }
+}
+#else
+#error UNKNOWN_CREATE_KEY_FUNCTIONS
+#endif
+ return ret;
+}
+
+/**
+* @brief Create a salt for a given principal
+*
+* @param context The initialized krb5_context
+* @param host_princ The krb5_principal to create the salt for
+* @param psalt A pointer to a krb5_data struct
+*
+* caller has to free the contents of psalt with kerberos_free_data_contents
+* when function has succeeded
+*
+* @return krb5_error_code, returns 0 on success, error code otherwise
+*/
+
+int smb_krb5_get_pw_salt(krb5_context context,
+ krb5_principal host_princ,
+ krb5_data *psalt)
+#if defined(HAVE_KRB5_GET_PW_SALT)
/* Heimdal */
-int create_kerberos_key_from_string_direct(krb5_context context,
- krb5_principal host_princ,
- krb5_data *password,
- krb5_keyblock *key,
- krb5_enctype enctype)
{
int ret;
krb5_salt salt;
ret = krb5_get_pw_salt(context, host_princ, &salt);
if (ret) {
- DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
return ret;
}
- ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
- krb5_free_salt(context, salt);
+ psalt->data = salt.saltvalue.data;
+ psalt->length = salt.saltvalue.length;
return ret;
}
+#elif defined(HAVE_KRB5_PRINCIPAL2SALT)
+/* MIT */
+{
+ return krb5_principal2salt(context, host_princ, psalt);
+}
#else
-#error UNKNOWN_CREATE_KEY_FUNCTIONS
+#error UNKNOWN_SALT_FUNCTIONS
#endif
#if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
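Review bot: smb_krb5_create_key_from_string() returns `-1` when both `host_princ` and `salt` are NULL, which is not a krb5_error_code as the doc comment promises and will end up in error_message() at the callers; return EINVAL (or a KRB5 generic error) instead. In the Heimdal branch, `(const char *)password->data` is handed to krb5_string_to_key_salt(), which treats it as a NUL-terminated string even though krb5_data carries an explicit length; this is inherited from the removed create_kerberos_key_from_string_direct(), but the rewrite is the place to fix it. The doc comment also has "ommitted" for "omitted". In smb_krb5_get_pw_salt(), the Heimdal path drops the `DEBUG(1, ...)` on krb5_get_pw_salt() failure that the MIT-side code in the function above keeps, and it copies only `saltvalue`, discarding the `salttype` returned by the library; that is correct only because every caller assumes KRB5_PW_SALT, which deserves a comment.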
@@ -670,6 +735,39 @@ void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
}
/*
+ * @brief copy a buffer into a krb5_data struct
+ *
+ * @param[in] p The krb5_data
+ * @param[in] data The data to copy
+ * @param[in] length The length of the data to copy
+ * @return krb5_error_code
+ *
+ * Caller has to free krb5_data with kerberos_free_data_contents().
+ */
+
+krb5_error_code krb5_copy_data_contents(krb5_data *p,
+ const void *data,
+ size_t len)
+{
+#if defined(HAVE_KRB5_DATA_COPY)
+ return krb5_data_copy(p, data, len);
+#else
+ if (len) {
+ p->data = malloc(len);
+ if (p->data == NULL) {
+ return ENOMEM;
+ }
+ memmove(p->data, data, len);
+ } else {
+ p->data = NULL;
+ }
+ p->length = len;
+ p->magic = KV5M_DATA;
+ return 0;
+#endif
+}
+
+/*
get a kerberos5 ticket for the given service
*/
int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
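Review bot: krb5_copy_data_contents() is a new function placed in the library's own `krb5_` namespace without a HAVE_ guard on the definition, so a future Heimdal or MIT release exporting a function of that name would break the build; the `smb_krb5_` prefix used by the other wrappers in this file avoids that (the commit message explains why it is not called krb5_data_copy, but the namespace concern stands). In the fallback branch, memcpy() is sufficient because source and destination cannot overlap, and `p->length = len` silently truncates when the library's `krb5_data.length` is narrower than `size_t` (MIT declares it `unsigned int`); a range check before the assignment would make that explicit.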
@@ -806,6 +904,43 @@ done:
}
#endif
+/*
+ * @brief Get talloced string component of a principal
+ *
+ * @param[in] mem_ctx The TALLOC_CTX
+ * @param[in] context The krb5_context
+ * @param[in] principal The principal
+ * @param[in] component The component
+ * @return string component
+ *
+ * Caller must talloc_free if the return value is not NULL.
+ *
+ */
+
+/* caller has to free returned string with free() */
+char *smb_krb5_principal_get_comp_string(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+ krb5_const_principal principal,
+ unsigned int component)
+{
+#if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING)
+ return talloc_strdup(mem_ctx, krb5_principal_get_comp_string(context, principal, component));
+#else
+ krb5_data *data;
+
+ if (component >= krb5_princ_size(context, principal)) {
+ return NULL;
+ }
+
+ data = krb5_princ_component(context, principal, component);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return talloc_strndup(mem_ctx, data->data, data->length);
+#endif
+}
+
/* Prototypes */
krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, /* FILE:/tmp/krb5cc_0 */
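Review bot: the stray comment `/* caller has to free returned string with free() */` directly above smb_krb5_principal_get_comp_string() contradicts both the doxygen block ("Caller must talloc_free") and the talloc_strdup()/talloc_strndup() returns; delete it. In the MIT branch, the unsigned `component` is compared against krb5_princ_size(), which yields an `int`; check for a negative size or cast explicitly to avoid a signed/unsigned comparison warning.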
@@ -2165,7 +2300,7 @@ krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
*/
char *smb_krb5_principal_get_realm(krb5_context context,
- krb5_principal principal)
+ krb5_const_principal principal)
{
#ifdef HAVE_KRB5_PRINCIPAL_GET_REALM /* Heimdal */
return discard_const_p(char, krb5_principal_get_realm(context, principal));
@@ -2178,6 +2313,50 @@ char *smb_krb5_principal_get_realm(krb5_context context,
#endif
}
+/*
+ * smb_krb5_principal_set_realm
+ *
+ * @brief Get realm of a principal
+ *
+ * @param[in] context The krb5_context
+ * @param[in] principal The principal
+ * @param[in] realm The realm
+ * @return 0 on success, a krb5_error_code on error.
+ *
+ */
+
+krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
+ krb5_principal principal,
+ const char *realm)
+{
+#ifdef HAVE_KRB5_PRINCIPAL_SET_REALM /* Heimdal */
+ return krb5_principal_set_realm(context, principal, realm);
+#elif defined(krb5_princ_realm) && defined(krb5_princ_set_realm) /* MIT */
+ krb5_error_code ret;
+ krb5_data data;
+ krb5_data *old_data;
+
+ old_data = krb5_princ_realm(context, principal);
+
+ ret = krb5_copy_data_contents(&data,
+ realm,
+ strlen(realm));
+ if (ret) {
+ return ret;
+ }
+
+ /* free realm before setting */
+ free(old_data->data);
+
+ krb5_princ_set_realm(context, principal, &data);
+
+ return ret;
+#else
+#error UNKNOWN_PRINC_SET_REALM_FUNCTION
+#endif
+}
+
+
/************************************************************************
Routine to get the default realm from the kerberos credentials cache.
Caller must free if the return value is not NULL.
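Review bot: the doxygen block for smb_krb5_principal_set_realm() says "@brief Get realm of a principal", a copy/paste from the getter above; it sets the realm. In the MIT branch, `free(old_data->data)` assumes the existing realm buffer was malloc()ed by the library, which holds for principals produced by the MIT parser but is a precondition that should be stated in the comment. Two blank lines after the closing brace should be one.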
@@ -2340,6 +2519,102 @@ char *smb_get_krb5_error_message(krb5_context context,
return ret;
}
+
+/**
+* @brief Return the kerberos library setting for "libdefaults:allow_weak_crypto"
+*
+* @param context The krb5_context
+*
+* @return krb5_boolean
+*
+* Function returns true if weak crypto is allowd, false if not
+*/
+
+krb5_boolean smb_krb5_get_allowed_weak_crypto(krb5_context context)
+#if defined(HAVE_KRB5_CONFIG_GET_BOOL_DEFAULT)
+{
+ return krb5_config_get_bool_default(context,
+ NULL,
+ FALSE,
+ "libdefaults",
+ "allow_weak_crypto",
+ NULL);
+}
+#elif defined(HAVE_PROFILE_H) && defined(HAVE_KRB5_GET_PROFILE)
+{
+#include <profile.h>
+ krb5_error_code ret;
+ krb5_boolean ret_default = false;
+ profile_t profile;
+ int ret_profile;
+
+ ret = krb5_get_profile(context,
+ &profile);
+ if (ret) {
+ return ret_default;
+ }
+
+ ret = profile_get_boolean(profile,
+ "libdefaults",
+ "allow_weak_crypto",
+ NULL, /* subsubname */
+ ret_default, /* def_val */
+ &ret_profile /* *ret_default */);
+ if (ret) {
+ return ret_default;
+ }
+
+ profile_release(profile);
+
+ return ret_profile;
+}
+#else
+#error UNKNOWN_KRB5_CONFIG_ROUTINES
+#endif
+
+/**
+* @brief Return the type of a krb5_principal
+*
+* @param context The krb5_context
+* @param principal The const krb5_principal
+*
+* @return integer type of the principal
+*/
+int smb_krb5_principal_get_type(krb5_context context,
+ krb5_const_principal principal)
+{
+#ifdef HAVE_KRB5_PRINCIPAL_GET_TYPE /* Heimdal */
+ return krb5_principal_get_type(context, principal);
+#elif defined(krb5_princ_type) /* MIT */
+ return krb5_princ_type(context, principal);
+#else
+#error UNKNOWN_PRINC_GET_TYPE_FUNCTION
+#endif
+}
+
+/**
+* @brief Generate a krb5 warning, forwarding to com_err
+*
+* @param context The krb5_context
+* @param fmt The message format
+* @param ... The message arguments
+*
+* @return
+*/
+#if !defined(HAVE_KRB5_WARNX)
+krb5_error_code krb5_warnx(krb5_context context, const char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ DEBUG(1,(fmt, args));
+ DEBUGADD(1,("\n"));
+ va_end(args);
+
+ return 0;
+}
+#endif
+
#else /* HAVE_KRB5 */
/* this saves a few linking headaches */
int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
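Review bot: two defects in this hunk. In the profile branch of smb_krb5_get_allowed_weak_crypto(), the early `return ret_default` after a failed profile_get_boolean() skips profile_release(profile), leaking the profile handle; release it before returning. In the krb5_warnx() replacement, `DEBUG(1,(fmt, args))` passes the `va_list` as a single variadic argument, so the format's conversions consume garbage rather than the caller's arguments; format with vasprintf()/vsnprintf() first and hand the resulting string to DEBUG. Smaller points: `#include <profile.h>` sits inside the function body and belongs with the other includes at the top of the file, and the doc comment has "allowd" for "allowed".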
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 73a52a5..af661d9 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -64,6 +64,16 @@
#define AP_OPTS_USE_SUBKEY 0
#endif
+#ifndef KRB5_PW_SALT
+#define KRB5_PW_SALT 3
+#endif
+
+/* CKSUMTYPE_HMAC_MD5 in Heimdal
+ CKSUMTYPE_HMAC_MD5_ARCFOUR in MIT */
+#if defined(CKSUMTYPE_HMAC_MD5_ARCFOUR) && !defined(CKSUMTYPE_HMAC_MD5)
+#define CKSUMTYPE_HMAC_MD5 CKSUMTYPE_HMAC_MD5_ARCFOUR
+#endif
+
typedef struct {
#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
krb5_address **addrs;
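Review bot: `#define KRB5_PW_SALT 3` is correct (it is Heimdal's krb5_salttype value), but a reader of the MIT path in smb_krb5_create_key_from_string() will see a bare literal; add a comment stating where the value comes from so it does not look arbitrary.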
@@ -134,11 +144,6 @@ int create_kerberos_key_from_string(krb5_context context,
krb5_keyblock *key,
krb5_enctype enctype,
bool no_salt);
-int create_kerberos_key_from_string_direct(krb5_context context,
- krb5_principal host_princ,
- krb5_data *password,
- krb5_keyblock *key,
- krb5_enctype enctype);
krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx,
@@ -257,7 +262,11 @@ krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
DATA_BLOB *sig_blob);
char *smb_krb5_principal_get_realm(krb5_context context,
- krb5_principal principal);
+ krb5_const_principal principal);
+
+krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
+ krb5_principal principal,
+ const char *realm);
char *kerberos_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
const char *service,
@@ -300,6 +309,42 @@ krb5_enctype ms_suptype_to_ietf_enctype(uint32_t enctype_bitmap);
krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
uint32_t enctype_bitmap,
krb5_enctype **enctypes);
+int smb_krb5_get_pw_salt(krb5_context context,
+ krb5_principal host_princ,
+ krb5_data *psalt);
+
+int smb_krb5_create_key_from_string(krb5_context context,
--
Samba Shared Repository