Update: Kerberos Ticket Forwarding Patch/Update [3.2]
Jeremy Allison
jra at samba.org
Fri Aug 1 22:23:37 GMT 2008
On Fri, Aug 01, 2008 at 05:18:13PM -0400, Derrick Schommer wrote:
> Yeah, give me some time to mess around with it, the data length is exactly the same, so presumably it's wrapping and unwrapping and re-wrapping. I'm looking into it, I'm off on Holiday on Monday but I'll be back on Tuesday. I'm trying to re-learn all the stuff I've forgotten over the years on this. I think I buried it from my mind to defend myself from the insanity :)
>
> What probably occurred was getting this to work initially was a huge bear trying to understand all the MIT Kerberos inner workings and other memory leaks that existed in the libraries (which I bugged and they fixed). Then, once I got it working I was so happy I stopped exploring further. There is a possibility I may have spun a few extra cycles wrapping and unwrapping without knowing.
Yes, I remember running into the horrors that were MIT krb5 memory leaks
myself :-). No one knows how to use this API correctly :-).
Ok, here is a version that calls krb5_fwd_tgt_creds() directly.
I also removed the krb5_auth_con_set_req_cksumtype() of type
GSSAPI_CHECKSUM, as that's not defined in the
krb5_auth_con_set_req_cksumtype() interface. Do we still need
that? Do the libraries use that checksum type by default,
or will the receiving code just use whatever checksum type
is defined in the packet?
I'm at LinuxWorld SF Mon-Wed next week, so I'll pick up
what you have again on thurs. (or earlier if I get some
time).
Jeremy.
diff --git a/source/configure.in b/source/configure.in
index 9a230de..e1c0776 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -3367,6 +3367,7 @@ if test x"$with_ads_support" != x"no"; then
AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_free, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_get_error, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_enctype_to_string, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_auth_con_set_req_cksumtype, $KRB5_LIBS)
LIBS="$KRB5_LIBS $LIBS"
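Review bot: The new `AC_CHECK_FUNC_EXT(krb5_auth_con_set_req_cksumtype, $KRB5_LIBS)` check produces a HAVE_ symbol (presumably HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) that nothing in the patch consumes: the only call to krb5_auth_con_set_req_cksumtype in clikrb5.c is inside `#if 0`, and that block is not guarded by the symbol either. If the call comes back, guard it with the HAVE_ symbol so builds against krb5 libraries lacking the function still link; if it stays dead, the configure check should go too. The enclosing `if test x"$with_ads_support" != x"no"` block starts and ends outside the hunk.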
diff --git a/source/libsmb/clifsinfo.c b/source/libsmb/clifsinfo.c
index 0005c39..5e73b61 100644
--- a/source/libsmb/clifsinfo.c
+++ b/source/libsmb/clifsinfo.c
@@ -528,7 +528,7 @@ static NTSTATUS make_cli_gss_blob(struct smb_trans_enc_state *es,
&es->s.gss_state->gss_ctx,
srv_name,
GSS_C_NO_OID, /* default OID. */
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG,
GSS_C_INDEFINITE, /* requested ticket lifetime. */
NULL, /* no channel bindings */
p_tok_in,
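Review bot: Adding GSS_C_DELEG_FLAG to the gss_init_sec_context request asks the mechanism to delegate the user's credentials to every server make_cli_gss_blob negotiates with, and nothing visible here checks whether the KDC marked that service OK-AS-DELEGATE — unlike the ads_krb5_mk_req path in clikrb5.c, which gates forwarding on TKT_FLG_OK_AS_DELEGATE. With the MIT GSS mechanism this flag appears to delegate unconditionally, so the client would hand its TGT to any SMB server it happens to connect to. Consider requesting delegation only when the caller has opted in (a field on smb_trans_enc_state or an option checked before the call) or when the service ticket carries OK-AS-DELEGATE, so both code paths apply the same policy. The gss_init_sec_context call and make_cli_gss_blob itself start and end outside the hunk.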
diff --git a/source/libsmb/clikrb5.c b/source/libsmb/clikrb5.c
index c289740..6298d76 100644
--- a/source/libsmb/clikrb5.c
+++ b/source/libsmb/clikrb5.c
@@ -636,6 +636,8 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
bool creds_ready = False;
int i = 0, maxtries = 3;
+ ZERO_STRUCT(in_data);
+
retval = smb_krb5_parse_name(context, principal, &server);
if (retval) {
DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
@@ -691,14 +693,73 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
*expire_time = (time_t)credsp->times.endtime;
}
- in_data.length = 0;
+ /* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
+ as part of the kerberos exchange. */
+ if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
+ DEBUG( 3, ("ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT\n") );
+
+ if( *auth_context == NULL ) {
+ /* Allocate if it has not yet been allocated. */
+ retval = krb5_auth_con_init( context, auth_context );
+ if (retval) {
+ DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_init failed (%s)\n",
+ error_message(retval)));
+ goto cleanup_creds;
+ }
+ }
+
+ retval = krb5_auth_con_setuseruserkey( context, *auth_context, &credsp->keyblock );
+ if (retval) {
+ DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_setuseruserkey failed (%s)\n",
+ error_message(retval)));
+ goto cleanup_creds;
+ }
+
+ /* Must use a subkey for forwarded tickets. */
+ retval = krb5_auth_con_setflags( context, *auth_context, KRB5_AUTH_CONTEXT_USE_SUBKEY);
+ if (retval) {
+ DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_setflags failed (%s)\n",
+ error_message(retval)));
+ goto cleanup_creds;
+ }
+
+#if 0
+ /* JRA -DO WE STILL NEED TO DO THIS ? */
+ /* We need to do this in order to allow our GSS-API: */
+ retval = krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM );
+ if (retval) {
+ DEBUG( 1, ("krb5_auth_con_set_req_cksumtype failed (%s)\n",
+ error_message( retval ) ) );
+ goto cleanup_creds;
+ }
+#endif
+
+ retval = krb5_fwd_tgt_creds(context,/* Krb5 context [in] */
+ *auth_context, /* Authentication context [in] */
+ CONST_DISCARD(char *, KRB5_TGS_NAME), /* Ticket service name ("krbtgt") [in] */
+ credsp->client, /* Client principal for the tgt [in] */
+ credsp->server, /* Server principal for the tgt [in] */
+ ccache, /* Credential cache to use for storage [in] */
+ 1, /* Turn on for "Forwardable ticket" [in] */
+ &in_data); /* Resulting response [out] */
+ if (retval) {
+ DEBUG( 1, ("krb5_fwd_tgt_creds failed (%s)\n", error_message( retval ) ) );
+ goto cleanup_creds;
+ }
+ }
+
retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
&in_data, credsp, outbuf);
if (retval) {
DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n",
error_message(retval)));
}
-
+
+ if (in_data.data) {
+ free( in_data.data );
+ in_data.length = 0;
+ }
+
krb5_free_creds(context, credsp);
cleanup_creds:
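Review bot: The four new `goto cleanup_creds;` exits inside the TKT_FLG_OK_AS_DELEGATE block (after krb5_auth_con_init, krb5_auth_con_setuseruserkey, krb5_auth_con_setflags and krb5_fwd_tgt_creds) jump past the `krb5_free_creds(context, credsp);` that sits just above the cleanup_creds label, so credsp leaks on each of those paths unless cleanup_creds releases it below, which is not visible in the hunk. The existing krb5_mk_req_extended failure deliberately falls through to that free rather than jumping, so the simplest fix is to add a label `cleanup_fwd:` on the line before the `if (in_data.data) {` block and change the four new gotos to `goto cleanup_fwd;`, which also releases whatever krb5_fwd_tgt_creds may have placed in in_data. Since in_data is allocated by the krb5 library, that release should be `krb5_free_data_contents(context, &in_data);` instead of a bare `free(in_data.data)`, pairing the buffer with the allocator the library used. Passing `1` as the forwardable argument to krb5_fwd_tgt_creds makes the forwarded TGT itself forwardable, so the receiving server can delegate it onward; if a single hop is all that is intended, `0` bounds that. ads_krb5_mk_req starts before the hunk and the cleanup_creds label's body continues after it.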
@@ -1703,7 +1764,6 @@ done:
TALLOC_FREE(mem_ctx);
return ret;
}
-
#else /* HAVE_KRB5 */
/* this saves a few linking headaches */
int cli_krb5_get_ticket(const char *principal, time_t time_offset,