-/*
+/*
Unix SMB/CIFS implementation.
kerberos utility library
Copyright (C) Andrew Tridgell 2001
#ifdef HAVE_KRB5
-#define LIBADS_CCACHE_NAME "MEMORY:libads"
-
/*
- we use a prompter to avoid a crash bug in the kerberos libs when
+ we use a prompter to avoid a crash bug in the kerberos libs when
dealing with empty passwords
this prompter is just a string copy ...
*/
-static krb5_error_code
+static krb5_error_code
kerb_prompter(krb5_context ctx, void *data,
const char *name,
const char *banner,
prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
/*
* We don't want to change passwords here. We're
- * called from heimal when the KDC returns
+ * called from heimdal when the KDC returns
* KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
* have the chance to ask the user for a new
* password. If we return 0 (i.e. success), we will be
* spinning in the endless for-loop in
* change_password() in
- * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+ * third_party/heimdal/lib/krb5/init_creds_pw.c
*/
return KRB5KDC_ERR_KEY_EXPIRED;
}
ZERO_STRUCT(my_creds);
+ if (cache_name == NULL) {
+ DBG_DEBUG("Missing ccache for [%s] and config [%s]\n",
+ given_principal,
+ getenv("KRB5_CONFIG"));
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
code = smb_krb5_init_context_common(&ctx);
if (code != 0) {
DBG_ERR("kerberos init context failed (%s)\n",
DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n",
given_principal,
- cache_name ? cache_name: krb5_cc_default_name(ctx),
+ cache_name,
getenv("KRB5_CONFIG"));
- if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
+ if ((code = krb5_cc_resolve(ctx, cache_name, &cc))) {
goto out;
}
krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
}
- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
kerb_prompter, discard_const_p(char, password),
0, NULL, opt))) {
goto out;
return code;
}
- if (!cc_name) {
- if ((code = krb5_cc_default(ctx, &cc))) {
- krb5_free_context(ctx);
- return code;
- }
- } else {
- if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
- DEBUG(3, ("ads_kdestroy: krb5_cc_resolve failed: %s\n",
- error_message(code)));
- krb5_free_context(ctx);
- return code;
- }
+ /*
+ * This should not happen, if
+ * we need that behaviour we
+ * should add an ads_kdestroy_default()
+ */
+ SMB_ASSERT(cc_name != NULL);
+
+ code = krb5_cc_resolve(ctx, cc_name, &cc);
+ if (code != 0) {
+ DBG_NOTICE("krb5_cc_resolve(%s) failed: %s\n",
+ cc_name, error_message(code));
+ krb5_free_context(ctx);
+ return code;
}
- if ((code = krb5_cc_destroy (ctx, cc))) {
- DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
- error_message(code)));
+ code = krb5_cc_destroy(ctx, cc);
+ if (code != 0) {
+ DBG_ERR("krb5_cc_destroy(%s) failed: %s\n",
+ cc_name, error_message(code));
}
krb5_free_context (ctx);
int time_offset,
const char *cache_name)
{
- return kerberos_kinit_password_ext(principal,
- password,
- time_offset,
- 0,
+ return kerberos_kinit_password_ext(principal,
+ password,
+ time_offset,
+ 0,
0,
cache_name,
False,
{
TALLOC_CTX *frame = talloc_stackframe();
size_t i;
- struct ip_service *ip_srv_site = NULL;
- struct ip_service *ip_srv_nonsite = NULL;
+ struct samba_sockaddr *ip_sa_site = NULL;
+ struct samba_sockaddr *ip_sa_nonsite = NULL;
struct samba_sockaddr sa = {0};
size_t count_site = 0;
size_t count_nonsite;
struct netlogon_samlogon_response **responses = NULL;
NTSTATUS status;
bool ok;
- char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "",
- print_canonical_sockaddr_with_port(mem_ctx, pss));
+ char *kdc_str = NULL;
+ char *canon_sockaddr = NULL;
- if (kdc_str == NULL) {
- TALLOC_FREE(frame);
- return NULL;
- }
+ if (pss != NULL) {
+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
+ if (canon_sockaddr == NULL) {
+ goto out;
+ }
- ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
- if (!ok) {
- TALLOC_FREE(kdc_str);
- goto out;
+ kdc_str = talloc_asprintf(frame,
+ "\t\tkdc = %s\n",
+ canon_sockaddr);
+ if (kdc_str == NULL) {
+ goto out;
+ }
+
+ ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
+ if (!ok) {
+ goto out;
+ }
}
/*
*/
if (sitename) {
- status = get_kdc_list_talloc(talloc_tos(),
+ status = get_kdc_list(frame,
realm,
sitename,
- &ip_srv_site,
+ &ip_sa_site,
&count_site);
if (!NT_STATUS_IS_OK(status)) {
- DBG_ERR("get_kdc_list_talloc fail %s\n",
+ DBG_ERR("get_kdc_list fail %s\n",
nt_errstr(status));
- TALLOC_FREE(kdc_str);
goto out;
}
DBG_DEBUG("got %zu addresses from site %s search\n",
/* Get all KDC's. */
- status = get_kdc_list_talloc(talloc_tos(),
+ status = get_kdc_list(frame,
realm,
NULL,
- &ip_srv_nonsite,
+ &ip_sa_nonsite,
&count_nonsite);
if (!NT_STATUS_IS_OK(status)) {
- DBG_ERR("get_kdc_list_talloc (site-less) fail %s\n",
+ DBG_ERR("get_kdc_list (site-less) fail %s\n",
nt_errstr(status));
- TALLOC_FREE(kdc_str);
goto out;
}
DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite);
if (count_site + count_nonsite < count_site) {
/* Wrap check. */
DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n");
- TALLOC_FREE(kdc_str);
goto out;
}
dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage,
count_site + count_nonsite);
if (dc_addrs == NULL) {
- TALLOC_FREE(kdc_str);
goto out;
}
num_dcs = 0;
for (i = 0; i < count_site; i++) {
- struct samba_sockaddr ip_sa = {0};
-
- ok = sockaddr_storage_to_samba_sockaddr(&ip_sa,
- &ip_srv_site[i].ss);
- if (!ok) {
- TALLOC_FREE(kdc_str);
- goto out;
- }
-
- if (!sockaddr_equal(&sa.u.sa, &ip_sa.u.sa)) {
+ if (!sockaddr_equal(&sa.u.sa, &ip_sa_site[i].u.sa)) {
add_sockaddr_unique(dc_addrs, &num_dcs,
- &ip_srv_site[i].ss);
+ &ip_sa_site[i].u.ss);
}
}
for (i = 0; i < count_nonsite; i++) {
- struct samba_sockaddr ip_sa = {0};
-
- ok = sockaddr_storage_to_samba_sockaddr(&ip_sa,
- &ip_srv_nonsite[i].ss);
- if (!ok) {
- TALLOC_FREE(kdc_str);
- goto out;
- }
-
- if (!sockaddr_equal(&sa.u.sa, &ip_sa.u.sa)) {
+ if (!sockaddr_equal(&sa.u.sa, &ip_sa_nonsite[i].u.sa)) {
add_sockaddr_unique(dc_addrs, &num_dcs,
- &ip_srv_nonsite[i].ss);
+ &ip_sa_nonsite[i].u.ss);
}
}
- dc_addrs2 = talloc_zero_array(talloc_tos(),
- struct tsocket_address *,
- num_dcs);
-
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
if (num_dcs == 0) {
- TALLOC_FREE(kdc_str);
+ /*
+ * We do not have additional KDCs, but we have the one passed
+ * in via `pss`. So just use that one and leave.
+ */
+ result = talloc_move(mem_ctx, &kdc_str);
goto out;
}
+
+ dc_addrs2 = talloc_zero_array(talloc_tos(),
+ struct tsocket_address *,
+ num_dcs);
if (dc_addrs2 == NULL) {
- TALLOC_FREE(kdc_str);
goto out;
}
status = map_nt_error_from_unix(errno);
DEBUG(2,("Failed to create tsocket_address for %s - %s\n",
addr, nt_errstr(status)));
- TALLOC_FREE(kdc_str);
goto out;
}
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: "
"%s\n", nt_errstr(status)));
- TALLOC_FREE(kdc_str);
goto out;
}
}
/* Append to the string - inefficient but not done often. */
- new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n",
- kdc_str,
- print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
- TALLOC_FREE(kdc_str);
+ new_kdc_str = talloc_asprintf_append(
+ kdc_str,
+ "\t\tkdc = %s\n",
+ print_canonical_sockaddr_with_port(
+ mem_ctx, &dc_addrs[i]));
if (new_kdc_str == NULL) {
goto out;
}
kdc_str = new_kdc_str;
}
- result = kdc_str;
+ result = talloc_move(mem_ctx, &kdc_str);
out:
- DEBUG(10, ("get_kdc_ip_string: Returning %s\n", kdc_str));
+ if (result != NULL) {
+ DBG_DEBUG("Returning\n%s\n", result);
+ } else {
+ DBG_NOTICE("Failed to get KDC ip address\n");
+ }
- TALLOC_FREE(ip_srv_site);
- TALLOC_FREE(ip_srv_nonsite);
TALLOC_FREE(frame);
return result;
}
if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) {
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
aes_enctypes = talloc_asprintf_append(
aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
if (aes_enctypes == NULL) {
goto done;
}
-#endif
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
aes_enctypes = talloc_asprintf_append(
aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
if (aes_enctypes == NULL) {
goto done;
}
-#endif
}
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED &&
if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
- legacy_enctypes = "arcfour-hmac-md5 des-cbc-crc des-cbc-md5";
+ legacy_enctypes = "arcfour-hmac-md5";
}
enctypes = talloc_asprintf(mem_ctx, "\tdefault_etypes = %s %s\n",
return false;
}
- if (domain == NULL || pss == NULL) {
+ if (domain == NULL) {
return false;
}
fd = mkstemp(tmpname);
umask(mask);
if (fd == -1) {
- DEBUG(0,("create_local_private_krb5_conf_for_domain: smb_mkstemp failed,"
- " for file %s. Errno %s\n",
- tmpname, strerror(errno) ));
+ DBG_ERR("mkstemp failed, for file %s. Errno %s\n",
+ tmpname,
+ strerror(errno));
goto done;
}
goto done;
}
- DEBUG(5,("create_local_private_krb5_conf_for_domain: wrote "
- "file %s with realm %s KDC list = %s\n",
- fname, realm_upper, kdc_ip_string));
+ DBG_INFO("wrote file %s with realm %s KDC list:\n%s\n",
+ fname, realm_upper, kdc_ip_string);
/* Set the environment variable to this file. */
setenv("KRB5_CONFIG", fname, 1);
goto done; /* Not a fatal error. */
}
- /* Yes, this is a race conditon... too bad. */
+ /* Yes, this is a race condition... too bad. */
if (rename(SYSTEM_KRB5_CONF_PATH, newpath) == -1) {
DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
"of %s to %s failed. Errno %s\n",