Update: Kerberos Ticket Forwarding Patch/Update [3.2]

Jeremy Allison jra at samba.org
Fri Aug 1 22:23:37 GMT 2008


On Fri, Aug 01, 2008 at 05:18:13PM -0400, Derrick Schommer wrote:
> Yeah, give me some time to mess around with it, the data length is exactly the same, so presumably it's wrapping and unwrapping and re-wrapping. I'm looking into it, I'm off on Holiday on Monday but I'll be back on Tuesday. I'm trying to re-learn all the stuff I've forgotten over the years on this. I think I buried it from my mind to defend myself from the insanity :)
> 
> What probably occurred was getting this to work initially was a huge bear trying to understand all the MIT Kerberos inner workings and other memory leaks that existed in the libraries (which I bugged and they fixed). Then, once I got it working I was so happy I stopped exploring further. There is a possibility I may have spun a few extra cycles wrapping and unwrapping without knowing.

Yes, I remember running into the horrors that were MIT krb5 memory leaks
myself :-). No one knows how to use this API correctly :-).

Ok, here is a version that calls krb5_fwd_tgt_creds() directly.
I also removed the krb5_auth_con_set_req_cksumtype() of type
GSSAPI_CHECKSUM, as that's not defined in the
krb5_auth_con_set_req_cksumtype() interface. Do we still need
that, do the libraries use that checksum type by default
or will the receiving code just use whatever checksum
is defined in the packet ?

I'm at LinuxWorld SF Mon-Wed next week, so I'll pick up
what you have again on thurs. (or earlier if I get some
time).

Jeremy.
-------------- next part --------------
diff --git a/source/configure.in b/source/configure.in
index 9a230de..e1c0776 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -3367,6 +3367,7 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_free, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_get_error, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_enctype_to_string, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_auth_con_set_req_cksumtype, $KRB5_LIBS)
 
   LIBS="$KRB5_LIBS $LIBS"
 
diff --git a/source/libsmb/clifsinfo.c b/source/libsmb/clifsinfo.c
index 0005c39..5e73b61 100644
--- a/source/libsmb/clifsinfo.c
+++ b/source/libsmb/clifsinfo.c
@@ -528,7 +528,7 @@ static NTSTATUS make_cli_gss_blob(struct smb_trans_enc_state *es,
 				&es->s.gss_state->gss_ctx,
 				srv_name,
 				GSS_C_NO_OID, /* default OID. */
-				GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
+				GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG,
 				GSS_C_INDEFINITE,	/* requested ticket lifetime. */
 				NULL,   /* no channel bindings */
 				p_tok_in,
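Review bot: GSS_C_DELEG_FLAG is now requested on every encrypted-SMB context setup, which as far as I know makes MIT's GSS-API forward the user's TGT to whatever server completes the exchange, without consulting the OK-AS-DELEGATE flag on the service ticket. That is more permissive than the raw-krb5 path in the same patch (ads_krb5_mk_req in clikrb5.c only forwards when `credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE` is set), so an untrusted or compromised file server would end up holding a usable copy of the client's TGT. I would make the flag conditional on an explicit caller or configuration decision, e.g. `(delegate ? GSS_C_DELEG_FLAG : 0)`, and mirror the OK-AS-DELEGATE check where the library exposes the ticket flags. make_cli_gss_blob starts before this hunk.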
diff --git a/source/libsmb/clikrb5.c b/source/libsmb/clikrb5.c
index c289740..6298d76 100644
--- a/source/libsmb/clikrb5.c
+++ b/source/libsmb/clikrb5.c
@@ -636,6 +636,8 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 	bool creds_ready = False;
 	int i = 0, maxtries = 3;
 	
+	ZERO_STRUCT(in_data);
+
 	retval = smb_krb5_parse_name(context, principal, &server);
 	if (retval) {
 		DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
@@ -691,14 +693,73 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 		*expire_time = (time_t)credsp->times.endtime;
 	}
 
-	in_data.length = 0;
+	/* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
+	 as part of the kerberos exchange. */
+	if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
+		DEBUG( 3, ("ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT\n")  );
+
+		if( *auth_context == NULL ) {
+			/* Allocate if it has not yet been allocated. */
+			retval = krb5_auth_con_init( context, auth_context );
+			if (retval) {
+				DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_init failed (%s)\n",
+					error_message(retval)));
+				goto cleanup_creds;
+			}
+		}
+
+		retval = krb5_auth_con_setuseruserkey( context, *auth_context, &credsp->keyblock );
+		if (retval) {
+			DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_setuseruserkey failed (%s)\n",
+				error_message(retval)));
+			goto cleanup_creds;
+		}
+
+		/* Must use a subkey for forwarded tickets. */
+		retval = krb5_auth_con_setflags( context, *auth_context, KRB5_AUTH_CONTEXT_USE_SUBKEY);
+		if (retval) {
+			DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_setflags failed (%s)\n",
+				error_message(retval)));
+			goto cleanup_creds;
+		}
+
+#if 0
+		/* JRA -DO WE STILL NEED TO DO THIS ? */
+		/* We need to do this in order to allow our GSS-API: */
+		retval = krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM );
+		if (retval) {
+			DEBUG( 1, ("krb5_auth_con_set_req_cksumtype failed (%s)\n",
+				error_message( retval ) ) );
+			goto cleanup_creds;
+		}
+#endif
+
+		retval = krb5_fwd_tgt_creds(context,/* Krb5 context [in] */
+				*auth_context,  /* Authentication context [in] */
+				CONST_DISCARD(char *, KRB5_TGS_NAME),  /* Ticket service name ("krbtgt") [in] */
+				credsp->client, /* Client principal for the tgt [in] */
+				credsp->server, /* Server principal for the tgt [in] */
+				ccache,         /* Credential cache to use for storage [in] */
+				1,              /* Turn on for "Forwardable ticket" [in] */
+				&in_data);     /* Resulting response [out] */
+		if (retval) {
+			DEBUG( 1, ("krb5_fwd_tgt_creds failed (%s)\n", error_message( retval ) ) );
+			goto cleanup_creds;
+		}
+	}
+
 	retval = krb5_mk_req_extended(context, auth_context, ap_req_options, 
 				      &in_data, credsp, outbuf);
 	if (retval) {
 		DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n", 
 			 error_message(retval)));
 	}
-	
+
+	if (in_data.data) {
+		free( in_data.data );
+		in_data.length = 0;
+	}
+
 	krb5_free_creds(context, credsp);
 
 cleanup_creds:
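Review bot: The four new `goto cleanup_creds;` statements (after krb5_auth_con_init, krb5_auth_con_setuseruserkey, krb5_auth_con_setflags and krb5_fwd_tgt_creds) jump past the `krb5_free_creds(context, credsp);` at the bottom of the hunk, so credsp leaks on those paths unless cleanup_creds, which is outside the hunk, frees it — the pre-existing failure path for krb5_mk_req_extended, by contrast, falls through to that free. Adding a `cleanup_data:` label immediately before the `if (in_data.data)` block and changing the four gotos to `goto cleanup_data;` would route the new failures through both frees. The KRB-CRED buffer returned by krb5_fwd_tgt_creds is also released with plain `free()`, but it was allocated by libkrb5, so the library's own routine (`krb5_free_data_contents(context, &in_data);` on MIT) is the matching call. Separately, krb5_auth_con_setflags replaces the auth context's flag set rather than OR-ing into it, so a caller that passes in an already-configured *auth_context has its flags silently dropped here; read them back with krb5_auth_con_getflags first if that matters. ads_krb5_mk_req begins before this hunk and its cleanup labels continue after it.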
@@ -1703,7 +1764,6 @@ done:
  	TALLOC_FREE(mem_ctx);
  	return ret;
 }
-
 #else /* HAVE_KRB5 */
  /* this saves a few linking headaches */
  int cli_krb5_get_ticket(const char *principal, time_t time_offset, 

