[PATCH] samba3-keytab
Luke Howard
lukeh at PADL.COM
Wed Sep 3 01:23:35 GMT 2003
This patch does not work if there is a keytab but no secrets.tdb.
The attached patch (to Guenther's patch) fixes this.
Also, note that this requires a HOST/foo principal in the keytab.
Most keytabs have host/foo.bar.tld, and most Kerberos libraries
enforce case-sensitive comparison of principal names.
-- Luke
-------------- next part --------------
Index: libads/kerberos_verify.c
===================================================================
RCS file: /home/project/cvs/samba/source/libads/kerberos_verify.c,v
retrieving revision 1.9
diff -u -r1.9 kerberos_verify.c
--- libads/kerberos_verify.c 2003/09/03 00:14:30 1.9
+++ libads/kerberos_verify.c 2003/09/03 00:46:02
@@ -55,26 +55,28 @@
krb5_address remote_addr;
#endif
BOOL auth_ok = False;
+ BOOL use_secrets = False;
ZERO_STRUCT(packet);
ZERO_STRUCT(password);
ZERO_STRUCTP(auth_data);
ZERO_STRUCTP(ap_rep);
- if (!secrets_init()) {
- DEBUG(1,("ads_verify_ticket: secrets_init failed\n"));
- return NT_STATUS_LOGON_FAILURE;
+ if (secrets_init()) {
+ password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+ if (password_s != NULL) {
+ password.data = password_s;
+ password.length = strlen(password_s);
+
+ use_secrets = True;
+ }
}
- password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
- if (!password_s) {
+ if (*lp_keytab() == '\0' && !use_secrets) {
DEBUG(1,("ads_verify_ticket: failed to fetch machine password\n"));
return NT_STATUS_LOGON_FAILURE;
}
- password.data = password_s;
- password.length = strlen(password_s);
-
initialize_krb5_error_table();
ret = krb5_init_context(&context);
if (ret) {
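Review bot: The fatal message `DEBUG(1,("ads_verify_ticket: failed to fetch machine password\n"))` is now reached only for the combined condition "no keytab configured and no machine password", and a failed `secrets_init()` is no longer logged at all (the removed message covered that case), so an operator debugging a ticket-verification failure can no longer tell which source was missing. Suggest logging inside the new branch, e.g. `if (!password_s) DEBUG(3,("ads_verify_ticket: no machine password in secrets.tdb\n"));`, and rewording the fatal message to `"ads_verify_ticket: no keytab configured and no machine password available\n"`. The direct `return NT_STATUS_LOGON_FAILURE` there is fine as far as the hunk shows, because `use_secrets` is false exactly when `password_s` is NULL, so nothing is leaked. The enclosing function starts before this hunk.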
@@ -166,7 +168,7 @@
}
#if defined(HAVE_KRB5_MEMORY_KEYTAB)
- if (!*lp_keytab()) {
+ if (!*lp_keytab() && use_secrets) {
/* setup a in-memory-keytab */
asprintf(&keytab_name, "MEMORY:");
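Review bot: The added `use_secrets` term in `if (!*lp_keytab() && use_secrets)` appears to be always true when reached, since the guard earlier in the function already rejects the no-keytab/no-secrets combination, so the in-memory keytab branch is still taken exactly when no keytab path is configured. If it is kept as a defensive restatement, a comment would help the next reader: `/* no keytab configured: build one in memory from the machine password */`. The same test is spelled `*lp_keytab() == '\0'` in the earlier hunk; using one form in both places would make the keytab-vs-secrets decision easier to follow. Whatever the branch does when a keytab path is configured lies outside the hunk.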
@@ -185,18 +187,21 @@
/* We need to setup a auth context with each possible encoding type in turn. */
for (i=0;enctypes[i];i++) {
- if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
- sret = NT_STATUS_NO_MEMORY;
- goto out;
- }
-
- if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
- continue;
- }
+ if (use_secrets) {
+ if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
+ sret = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
+ continue;
+ }
- krb5_auth_con_setuseruserkey(context, auth_context, key);
+ krb5_auth_con_setuseruserkey(context, auth_context, key);
- krb5_free_keyblock(context, key);
+ krb5_free_keyblock(context, key);
+ SAFE_FREE(key);
+ }
packet.length = ticket->length;
packet.data = (krb5_pointer)ticket->data;
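Review bot: The added `SAFE_FREE(key);` after `krb5_free_keyblock(context, key);` looks like a double free: as far as I can tell from both the MIT and Heimdal APIs, krb5_free_keyblock() releases the keyblock structure itself as well as its contents (only krb5_free_keyblock_contents() leaves the struct to the caller), so every successful iteration frees `key` twice. Either drop the new line or change the pair to `krb5_free_keyblock_contents(context, key); SAFE_FREE(key);`. In the same branch, the `continue` taken when create_kerberos_key_from_string() fails still leaks the freshly malloc'd `key`; add `SAFE_FREE(key);` before that `continue`. The loop body and the enclosing function continue past the end of the hunk.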
@@ -289,8 +294,10 @@
if (!NT_STATUS_IS_OK(sret))
data_blob_free(ap_rep);
- krb5_free_principal(context, host_princ);
- krb5_free_ticket(context, tkt);
+ if (host_princ)
+ krb5_free_principal(context, host_princ);
+ if (tkt)
+ krb5_free_ticket(context, tkt);
free_kerberos_etypes(context, enctypes);
SAFE_FREE(password_s);
SAFE_FREE(host_princ_s);
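Review bot: The new `if (host_princ)` and `if (tkt)` guards only help if both variables are initialised to NULL at declaration, which is outside this hunk; if they are not, an early `goto out` taken before they are assigned passes an indeterminate pointer to krb5_free_principal()/krb5_free_ticket(), so please confirm those declarations. While here, `SAFE_FREE(password_s);` releases the machine password fetched from secrets.tdb without wiping it; a key-equivalent secret should be zeroed first, e.g. `if (password_s) memset(password_s, 0, strlen(password_s));` immediately before the free, bearing in mind that a plain memset before free can be optimised away and a dedicated secure-wipe helper is preferable if the tree has one. The cleanup label and the end of the function lie outside the hunk.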