+++ /dev/null
---- source/configure.in 22 Feb 2003 12:19:18 -0000 1.409
-+++ source/configure.in 24 Feb 2003 06:04:25 -0000
-@@ -627,6 +627,15 @@
- fi
-
- ############################################
-+# support for using Kerberos keytab instead of secrets database
-+
-+AC_ARG_ENABLE(keytab,
-+[ --enable-keytab Turn on support for Kerberos keytabs in lieu of secrets DB (default=no)],
-+ [if eval "test x$enable_keytab = xyes"; then
-+ AC_DEFINE(USE_KEYTAB,1,[Use Kerberos keytab])
-+ fi])
-+
-+############################################
- # we need dlopen/dlclose/dlsym/dlerror for PAM, the password database plugins and the plugin loading code
- AC_SEARCH_LIBS(dlopen, [dl])
- # dlopen/dlclose/dlsym/dlerror will be checked again later and defines will be set then
---- source/passdb/secrets.c 1 Feb 2003 04:39:15 -0000 1.54
-+++ source/passdb/secrets.c 24 Feb 2003 06:04:26 -0000
-@@ -221,6 +221,72 @@
- return True;
- }
-
-+#ifdef USE_KEYTAB
-+/************************************************************************
-+ Read local secret from the keytab
-+************************************************************************/
-+
-+static BOOL secrets_fetch_keytab_password(uint8 ret_pwd[16], time_t *pass_last_set_time)
-+{
-+ char spn[MAXHOSTNAMELEN + 2], *p;
-+ krb5_context context;
-+ krb5_error_code ret;
-+ krb5_principal princ;
-+ krb5_keyblock *key;
-+
-+ ret = krb5_init_context(&context);
-+ if (ret) {
-+ DEBUG(1, ("secrets_fetch_keytab_password: failed to initialize Kerberos context\n"));
-+ return False;
-+ }
-+
-+ spn[sizeof(spn) - 1] = '\0';
-+ if (gethostname(spn, sizeof(spn) - 2) < 0) {
-+ DEBUG(1, ("secrets_fetch_keytab_password: could not determine local hostname\n"));
-+ krb5_free_context(context);
-+ return False;
-+ }
-+
-+ for (p = spn; *p && *p != '.'; p++)
-+ *p = toupper(*p);
-+ *p++ = '$';
-+ *p = '\0';
-+
-+ ret = krb5_parse_name(context, spn, &princ);
-+ if (ret) {
-+ DEBUG(1, ("secrets_fetch_keytab_password: failed to parse name %s\n", spn));
-+ krb5_free_context(context);
-+ return False;
-+ }
-+
-+#ifdef ENCTYPE_ARCFOUR_HMAC
-+ ret = krb5_kt_read_service_key(context, NULL, princ, 0, ENCTYPE_ARCFOUR_HMAC, &key);
-+#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
-+ ret = krb5_kt_read_service_key(context, NULL, princ, 0, ENCTYPE_ARCFOUR_HMAC_MD5, &key);
-+#else
-+#error ENCTYPE_ARCFOUR_HMAC or ENCTYPE_ARCFOUR_HMAC_MD5 required for keytab secret storage
-+#endif
-+ if (ret) {
-+ DEBUG(1, ("secrets_fetch_keytab_password: failed to read secret for %s\n", spn));
-+ krb5_free_context(context);
-+ return False;
-+ }
-+ if (key->keyvalue.length != 16) {
-+ DEBUG(1, ("secrets_fetch_keytab_password: key is incorrect length\n"));
-+ krb5_free_context(context);
-+ return False;
-+ }
-+
-+ memcpy(ret_pwd, key->keyvalue.data, key->keyvalue.length);
-+ time(pass_last_set_time); /* XXX */
-+
-+ krb5_free_keyblock(context, key);
-+ krb5_free_context(context);
-+
-+ return True;
-+}
-+#endif /* USE_KEYTAB */
-+
- /************************************************************************
- Routine to get the trust account password for a domain.
- The user of this function must have locked the trust password file using
-@@ -243,6 +309,12 @@
- pass_last_set_time = 0;
- return True;
- }
-+
-+#ifdef USE_KEYTAB
-+ if (is_myworkgroup(domain)) {
-+ return secrets_fetch_keytab_password(ret_pwd, pass_last_set_time);
-+ }
-+#endif /* USE_KEYTAB */
-
- if (!(pass = secrets_fetch(trust_keystr(domain), &size))) {
- DEBUG(5, ("secrets_fetch failed!\n"));
-
---- source/libsmb/clikrb5.c 2003-07-02 00:32:55.000000000 +0200
-+++ source/libsmb/clikrb5.c 2003-07-02 00:37:22.000000000 +0200
-@@ -316,11 +316,13 @@
- krb5_enctype enc_types[] = {
- #ifdef ENCTYPE_ARCFOUR_HMAC
- ENCTYPE_ARCFOUR_HMAC,
-+#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
-+ ENCTYPE_ARCFOUR_HMAC_MD5,
- #endif
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_DES_CBC_CRC,
- ENCTYPE_NULL};
--
-+
- retval = krb5_init_context(&context);
- if (retval) {
- DEBUG(1,("krb5_init_context failed (%s)\n",
-@@ -367,24 +369,26 @@
-
- BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16])
- {
--#ifdef ENCTYPE_ARCFOUR_HMAC
- krb5_keyblock *skey;
--#endif
- BOOL ret = False;
-
- memset(session_key, 0, 16);
-
--#ifdef ENCTYPE_ARCFOUR_HMAC
-+#if defined(ENCTYPE_ARCFOUR_HMAC) || defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
- if (krb5_auth_con_getremotesubkey(context, auth_context, &skey) == 0 && skey != NULL) {
- if (KRB5_KEY_TYPE(skey) ==
-+# ifdef ENCTYPE_ARCFOUR_HMAC
- ENCTYPE_ARCFOUR_HMAC
-+# else
-+ ENCTYPE_ARCFOUR_HMAC_MD5
-+# endif /* ENCTYPE_ARCFOUR_HMAC */
- && KRB5_KEY_LENGTH(skey) == 16) {
- memcpy(session_key, KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
- ret = True;
- }
- krb5_free_keyblock(context, skey);
- }
--#endif /* ENCTYPE_ARCFOUR_HMAC */
-+#endif /* ENCTYPE_ARCFOUR_HMAC || HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */
-
- return ret;
- }
-@@ -395,5 +399,12 @@
- DEBUG(0,("NO KERBEROS SUPPORT\n"));
- return data_blob(NULL, 0);
- }
-+BOOL krb5_get_smb_session_key(krb5_context context, krb5_auth_context ac, uint8 session_key[16])
-+ {
-+ DEBUG(0,("NO KERBEROS SUPPORT\n"));
-+ memset(session_key, 0, 16);
-+ return False;
-+ }
-+ //#endif
-
- #endif
---- source/libads/kerberos_verify.c 2003-06-28 23:40:55.000000000 +0200
-+++ source/libads/kerberos_verify.c 2003-07-02 00:50:13.000000000 +0200
-@@ -38,7 +38,9 @@
- krb5_keytab keytab = NULL;
- krb5_data packet;
- krb5_ticket *tkt = NULL;
-- int ret, i;
-+ int ret;
-+#ifndef USE_KEYTAB
-+ int i;
- krb5_keyblock * key;
- krb5_principal host_princ;
- char *host_princ_s;
-@@ -46,8 +48,10 @@
- char *password_s;
- krb5_data password;
- krb5_enctype *enctypes = NULL;
-+#endif /* USE_KEYTAB */
- BOOL auth_ok = False;
-
-+#ifndef USE_KEYTAB
- if (!secrets_init()) {
- DEBUG(1,("secrets_init failed\n"));
- return NT_STATUS_LOGON_FAILURE;
-@@ -61,6 +65,7 @@
-
- password.data = password_s;
- password.length = strlen(password_s);
-+#endif /* USE_KEYTAB */
-
- ret = krb5_init_context(&context);
- if (ret) {
-@@ -82,7 +87,16 @@
- DEBUG(1,("krb5_auth_con_init failed (%s)\n", error_message(ret)));
- return NT_STATUS_LOGON_FAILURE;
- }
-+#ifdef USE_KEYTAB
-+ packet.length = ticket->length;
-+ packet.data = (krb5_pointer)ticket->data;
-
-+ if (!(ret = krb5_rd_req(context, &auth_context, &packet,
-+ NULL, keytab, NULL, &tkt))) {
-+ auth_ok = True;
-+ }
-+
-+#else
- fstrcpy(myname, global_myname());
- strlower(myname);
- asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm());
-@@ -121,6 +135,9 @@
- }
- }
-
-+ SAFE_FREE(key);
-+#endif /* USE_KEYTAB */
-+
- if (!auth_ok) {
- DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
- error_message(ret)));
---- source/Makefile.in 2003-07-01 23:35:49.000000000 +0200
-+++ source/Makefile.in 2003-07-02 01:20:09.000000000 +0200
-@@ -806,7 +806,7 @@
-
- bin/pdbedit@EXEEXT@: $(PDBEDIT_OBJ) @BUILD_POPT@ bin/.dummy
- @echo Linking $@
-- @$(CC) $(FLAGS) -o $@ $(IDMAP_LIBS) $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(PASSDBLIBS)
-+ @$(CC) $(FLAGS) -o $@ $(IDMAP_LIBS) $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(PASSDBLIBS) $(KRB5LIBS)
-
- bin/samtest@EXEEXT@: $(SAMTEST_OBJ) @BUILD_POPT@ bin/.dummy
- @echo Linking $@
-@@ -1062,7 +1062,7 @@
-
- bin/wbinfo@EXEEXT@: $(WBINFO_OBJ) @BUILD_POPT@ bin/.dummy
- @echo Linking $@
-- @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@
-+ @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@ $(KRB5LIBS)
-
- bin/ntlm_auth@EXEEXT@: $(NTLM_AUTH_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \
- $(UBIQX_OBJ) @BUILD_POPT@ bin/.dummy
git.samba.org / samba.git / blobdiff