[PATCH] samba3-keytab

Luke Howard lukeh at PADL.COM
Wed Sep 3 01:23:35 GMT 2003


This patch does not work if there is a keytab but no secrets.tdb.

The attached patch (to Guenther's patch) fixes this.

Also, note that this requires a HOST/foo principal in the keytab.
Most keytabs have host/foo.bar.tld, and most Kerberos libraries
enforce case-sensitive comparison of principal names.

-- Luke

-------------- next part --------------
Index: libads/kerberos_verify.c
===================================================================
RCS file: /home/project/cvs/samba/source/libads/kerberos_verify.c,v
retrieving revision 1.9
diff -u -r1.9 kerberos_verify.c
--- libads/kerberos_verify.c	2003/09/03 00:14:30	1.9
+++ libads/kerberos_verify.c	2003/09/03 00:46:02
@@ -55,26 +55,28 @@
 	krb5_address remote_addr;
 #endif
 	BOOL auth_ok = False;
+	BOOL use_secrets = False;
 
 	ZERO_STRUCT(packet);
 	ZERO_STRUCT(password);
 	ZERO_STRUCTP(auth_data);
 	ZERO_STRUCTP(ap_rep);
 
-	if (!secrets_init()) {
-		DEBUG(1,("ads_verify_ticket: secrets_init failed\n"));
-		return NT_STATUS_LOGON_FAILURE;
+	if (secrets_init()) {
+		password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+		if (password_s != NULL) {
+			password.data = password_s;
+			password.length = strlen(password_s);
+
+			use_secrets = True;
+		}
 	}
 
-	password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
-	if (!password_s) {
+	if (*lp_keytab() == '\0' && !use_secrets) {
 		DEBUG(1,("ads_verify_ticket: failed to fetch machine password\n"));
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
-	password.data = password_s;
-	password.length = strlen(password_s);
-
 	initialize_krb5_error_table();
 	ret = krb5_init_context(&context);
 	if (ret) {
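Review bot: The log message on the early-return path no longer matches its condition: the branch now fires only when no keytab is configured and the machine password could not be fetched, yet it still reports just "failed to fetch machine password", which points an admin with an empty `lp_keytab()` at the wrong cause. Suggest `DEBUG(1,("ads_verify_ticket: no keytab configured and failed to fetch machine password\n"));`. A failing `secrets_init()` is now silent, so a `DEBUG` line in an else branch would also help diagnose a host that was meant to use secrets.tdb but is falling through to the keytab. The same test is written `*lp_keytab() == '\0'` here and `!*lp_keytab()` in the second hunk; one spelling would be easier to grep. The function's signature and the declarations of `password_s` and `password` are above this hunk.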
@@ -166,7 +168,7 @@
 	} 
 
 #if defined(HAVE_KRB5_MEMORY_KEYTAB)
-	if (!*lp_keytab()) {
+	if (!*lp_keytab() && use_secrets) {
 
 		/* setup a in-memory-keytab */
 		asprintf(&keytab_name, "MEMORY:");
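Review bot: The added `&& use_secrets` cannot change the outcome here: the earlier guard already returns when `lp_keytab()` is empty and `use_secrets` is false, so by this point an empty keytab name implies `use_secrets` is true. Either drop the extra operand or mark it as intentional with a comment such as `/* use_secrets is always true here; kept as a guard against reordering above */`, so the next reader does not look for a third state. The enclosing `#if defined(HAVE_KRB5_MEMORY_KEYTAB)` block continues past the hunk.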
@@ -185,18 +187,21 @@
 	
 	/* We need to setup a auth context with each possible encoding type in turn. */
 	for (i=0;enctypes[i];i++) {
-		if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
-			sret = NT_STATUS_NO_MEMORY;
-			goto out;
-		}
-	
-		if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
-			continue;
-		}
+		if (use_secrets) {
+			if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
+				sret = NT_STATUS_NO_MEMORY;
+				goto out;
+			}
+
+			if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
+				continue;
+			}
 
-		krb5_auth_con_setuseruserkey(context, auth_context, key);
+			krb5_auth_con_setuseruserkey(context, auth_context, key);
 
-		krb5_free_keyblock(context, key);
+			krb5_free_keyblock(context, key);
+			SAFE_FREE(key);
+		}
 
 		packet.length = ticket->length;
 		packet.data = (krb5_pointer)ticket->data;
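Review bot: The `SAFE_FREE(key)` added after `krb5_free_keyblock(context, key)` looks like a double free: on both MIT and Heimdal, `krb5_free_keyblock` releases the keyblock structure itself (only `krb5_free_keyblock_contents` leaves the struct to the caller), so the `malloc`'d `key` is freed twice on every successful iteration. Conversely the `continue` taken when `create_kerberos_key_from_string` fails skips both frees, leaking one keyblock per unsupported enctype. Suggest moving the free to the failure path, `SAFE_FREE(key); continue;`, and leaving `krb5_free_keyblock` alone on the success path. When `use_secrets` is false the loop presumably still runs once per enctype against the same keytab; if the rest of the body (outside the hunk) does not depend on `i`, a single pass would do.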
@@ -289,8 +294,10 @@
 	if (!NT_STATUS_IS_OK(sret))
 		data_blob_free(ap_rep);
 
-	krb5_free_principal(context, host_princ);
-	krb5_free_ticket(context, tkt);
+	if (host_princ)
+		krb5_free_principal(context, host_princ);
+	if (tkt)
+		krb5_free_ticket(context, tkt);
 	free_kerberos_etypes(context, enctypes);
 	SAFE_FREE(password_s);
 	SAFE_FREE(host_princ_s);
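Review bot: The new `if (host_princ)` and `if (tkt)` guards are only sound if both variables are initialised to NULL at their declarations, which are above this hunk; a `goto out` taken before `krb5_parse_name`/`krb5_rd_req` would otherwise free an indeterminate pointer. Worth confirming the declarations read `krb5_principal host_princ = NULL;` and `krb5_ticket *tkt = NULL;`, or adding those initialisers in the same change, since the guards suggest such an early exit now exists.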
-------------- next part --------------


