--- /dev/null
+--- source/configure.in 22 Feb 2003 12:19:18 -0000 1.409
++++ source/configure.in 24 Feb 2003 06:04:25 -0000
+@@ -627,6 +627,15 @@
+ fi
+
+ ############################################
++# support for using Kerberos keytab instead of secrets database
++
++AC_ARG_ENABLE(keytab,
++[ --enable-keytab Turn on support for Kerberos keytabs in lieu of secrets DB (default=no)],
++ [if eval "test x$enable_keytab = xyes"; then
++ AC_DEFINE(USE_KEYTAB,1,[Use Kerberos keytab])
++ fi])
++
++############################################
+ # we need dlopen/dlclose/dlsym/dlerror for PAM, the password database plugins and the plugin loading code
+ AC_SEARCH_LIBS(dlopen, [dl])
+ # dlopen/dlclose/dlsym/dlerror will be checked again later and defines will be set then
+--- source/passdb/secrets.c 1 Feb 2003 04:39:15 -0000 1.54
++++ source/passdb/secrets.c 24 Feb 2003 06:04:26 -0000
+@@ -221,6 +221,72 @@
+ return True;
+ }
+
++#ifdef USE_KEYTAB
++/************************************************************************
++ Read local secret from the keytab
++************************************************************************/
++
++static BOOL secrets_fetch_keytab_password(uint8 ret_pwd[16], time_t *pass_last_set_time)
++{
++ char spn[MAXHOSTNAMELEN + 2], *p;
++ krb5_context context;
++ krb5_error_code ret;
++ krb5_principal princ;
++ krb5_keyblock *key;
++
++ ret = krb5_init_context(&context);
++ if (ret) {
++ DEBUG(1, ("secrets_fetch_keytab_password: failed to initialize Kerberos context\n"));
++ return False;
++ }
++
++ spn[sizeof(spn) - 1] = '\0';
++ if (gethostname(spn, sizeof(spn) - 2) < 0) {
++ DEBUG(1, ("secrets_fetch_keytab_password: could not determine local hostname\n"));
++ krb5_free_context(context);
++ return False;
++ }
++
++ for (p = spn; *p && *p != '.'; p++)
++ *p = toupper(*p);
++ *p++ = '$';
++ *p = '\0';
++
++ ret = krb5_parse_name(context, spn, &princ);
++ if (ret) {
++ DEBUG(1, ("secrets_fetch_keytab_password: failed to parse name %s\n", spn));
++ krb5_free_context(context);
++ return False;
++ }
++
++#ifdef ENCTYPE_ARCFOUR_HMAC
++ ret = krb5_kt_read_service_key(context, NULL, princ, 0, ENCTYPE_ARCFOUR_HMAC, &key);
++#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
++ ret = krb5_kt_read_service_key(context, NULL, princ, 0, ENCTYPE_ARCFOUR_HMAC_MD5, &key);
++#else
++#error ENCTYPE_ARCFOUR_HMAC or ENCTYPE_ARCFOUR_HMAC_MD5 required for keytab secret storage
++#endif
++ if (ret) {
++ DEBUG(1, ("secrets_fetch_keytab_password: failed to read secret for %s\n", spn));
++ krb5_free_context(context);
++ return False;
++ }
++ if (key->keyvalue.length != 16) {
++ DEBUG(1, ("secrets_fetch_keytab_password: key is incorrect length\n"));
++ krb5_free_context(context);
++ return False;
++ }
++
++ memcpy(ret_pwd, key->keyvalue.data, key->keyvalue.length);
++ time(pass_last_set_time); /* XXX */
++
++ krb5_free_keyblock(context, key);
++ krb5_free_context(context);
++
++ return True;
++}
++#endif /* USE_KEYTAB */
++
+ /************************************************************************
+ Routine to get the trust account password for a domain.
+ The user of this function must have locked the trust password file using
+@@ -243,6 +309,12 @@
+ pass_last_set_time = 0;
+ return True;
+ }
++
++#ifdef USE_KEYTAB
++ if (is_myworkgroup(domain)) {
++ return secrets_fetch_keytab_password(ret_pwd, pass_last_set_time);
++ }
++#endif /* USE_KEYTAB */
+
+ if (!(pass = secrets_fetch(trust_keystr(domain), &size))) {
+ DEBUG(5, ("secrets_fetch failed!\n"));
+
+--- source/libsmb/clikrb5.c 2003-07-02 00:32:55.000000000 +0200
++++ source/libsmb/clikrb5.c 2003-07-02 00:37:22.000000000 +0200
+@@ -316,11 +316,13 @@
+ krb5_enctype enc_types[] = {
+ #ifdef ENCTYPE_ARCFOUR_HMAC
+ ENCTYPE_ARCFOUR_HMAC,
++#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
++ ENCTYPE_ARCFOUR_HMAC_MD5,
+ #endif
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_NULL};
+-
++
+ retval = krb5_init_context(&context);
+ if (retval) {
+ DEBUG(1,("krb5_init_context failed (%s)\n",
+@@ -367,24 +369,26 @@
+
+ BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16])
+ {
+-#ifdef ENCTYPE_ARCFOUR_HMAC
+ krb5_keyblock *skey;
+-#endif
+ BOOL ret = False;
+
+ memset(session_key, 0, 16);
+
+-#ifdef ENCTYPE_ARCFOUR_HMAC
++#if defined(ENCTYPE_ARCFOUR_HMAC) || defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
+ if (krb5_auth_con_getremotesubkey(context, auth_context, &skey) == 0 && skey != NULL) {
+ if (KRB5_KEY_TYPE(skey) ==
++# ifdef ENCTYPE_ARCFOUR_HMAC
+ ENCTYPE_ARCFOUR_HMAC
++# else
++ ENCTYPE_ARCFOUR_HMAC_MD5
++# endif /* ENCTYPE_ARCFOUR_HMAC */
+ && KRB5_KEY_LENGTH(skey) == 16) {
+ memcpy(session_key, KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
+ ret = True;
+ }
+ krb5_free_keyblock(context, skey);
+ }
+-#endif /* ENCTYPE_ARCFOUR_HMAC */
++#endif /* ENCTYPE_ARCFOUR_HMAC || HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */
+
+ return ret;
+ }
+@@ -395,5 +399,12 @@
+ DEBUG(0,("NO KERBEROS SUPPORT\n"));
+ return data_blob(NULL, 0);
+ }
++BOOL krb5_get_smb_session_key(krb5_context context, krb5_auth_context ac, uint8 session_key[16])
++ {
++ DEBUG(0,("NO KERBEROS SUPPORT\n"));
++ memset(session_key, 0, 16);
++ return False;
++ }
++ //#endif
+
+ #endif
+--- source/libads/kerberos_verify.c 2003-06-28 23:40:55.000000000 +0200
++++ source/libads/kerberos_verify.c 2003-07-02 00:50:13.000000000 +0200
+@@ -38,7 +38,9 @@
+ krb5_keytab keytab = NULL;
+ krb5_data packet;
+ krb5_ticket *tkt = NULL;
+- int ret, i;
++ int ret;
++#ifndef USE_KEYTAB
++ int i;
+ krb5_keyblock * key;
+ krb5_principal host_princ;
+ char *host_princ_s;
+@@ -46,8 +48,10 @@
+ char *password_s;
+ krb5_data password;
+ krb5_enctype *enctypes = NULL;
++#endif /* USE_KEYTAB */
+ BOOL auth_ok = False;
+
++#ifndef USE_KEYTAB
+ if (!secrets_init()) {
+ DEBUG(1,("secrets_init failed\n"));
+ return NT_STATUS_LOGON_FAILURE;
+@@ -61,6 +65,7 @@
+
+ password.data = password_s;
+ password.length = strlen(password_s);
++#endif /* USE_KEYTAB */
+
+ ret = krb5_init_context(&context);
+ if (ret) {
+@@ -82,7 +87,16 @@
+ DEBUG(1,("krb5_auth_con_init failed (%s)\n", error_message(ret)));
+ return NT_STATUS_LOGON_FAILURE;
+ }
++#ifdef USE_KEYTAB
++ packet.length = ticket->length;
++ packet.data = (krb5_pointer)ticket->data;
+
++ if (!(ret = krb5_rd_req(context, &auth_context, &packet,
++ NULL, keytab, NULL, &tkt))) {
++ auth_ok = True;
++ }
++
++#else
+ fstrcpy(myname, global_myname());
+ strlower(myname);
+ asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm());
+@@ -121,6 +135,9 @@
+ }
+ }
+
++ SAFE_FREE(key);
++#endif /* USE_KEYTAB */
++
+ if (!auth_ok) {
+ DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
+ error_message(ret)));
+--- source/Makefile.in 2003-07-01 23:35:49.000000000 +0200
++++ source/Makefile.in 2003-07-02 01:20:09.000000000 +0200
+@@ -806,7 +806,7 @@
+
+ bin/pdbedit@EXEEXT@: $(PDBEDIT_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+- @$(CC) $(FLAGS) -o $@ $(IDMAP_LIBS) $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(PASSDBLIBS)
++ @$(CC) $(FLAGS) -o $@ $(IDMAP_LIBS) $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(PASSDBLIBS) $(KRB5LIBS)
+
+ bin/samtest@EXEEXT@: $(SAMTEST_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+@@ -1062,7 +1062,7 @@
+
+ bin/wbinfo@EXEEXT@: $(WBINFO_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+- @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@
++ @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@ $(KRB5LIBS)
+
+ bin/ntlm_auth@EXEEXT@: $(NTLM_AUTH_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \
+ $(UBIQX_OBJ) @BUILD_POPT@ bin/.dummy
git.samba.org / ira / wip.git / blobdiff