#include "includes.h"
#include "smb_krb5.h"
+#include "../librpc/gen_ndr/krb5pac.h"
+#include "../lib/util/asn1.h"
+#include "libsmb/nmblib.h"
#ifndef KRB5_AUTHDATA_WIN2K_PAC
#define KRB5_AUTHDATA_WIN2K_PAC 128
krb5_cksumtype cksumtype);
#endif
-/**************************************************************
- Wrappers around kerberos string functions that convert from
- utf8 -> unix charset and vica versa.
-**************************************************************/
-
-/**************************************************************
- krb5_parse_name that takes a UNIX charset.
-**************************************************************/
-
- krb5_error_code smb_krb5_parse_name(krb5_context context,
- const char *name, /* in unix charset */
- krb5_principal *principal)
-{
- krb5_error_code ret;
- char *utf8_name;
- size_t converted_size;
-
- if (!push_utf8_talloc(talloc_tos(), &utf8_name, name, &converted_size)) {
- return ENOMEM;
- }
-
- ret = krb5_parse_name(context, utf8_name, principal);
- TALLOC_FREE(utf8_name);
- return ret;
-}
-
-#ifdef HAVE_KRB5_PARSE_NAME_NOREALM
-/**************************************************************
- krb5_parse_name_norealm that takes a UNIX charset.
-**************************************************************/
-
-static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context,
- const char *name, /* in unix charset */
- krb5_principal *principal)
-{
- krb5_error_code ret;
- char *utf8_name;
- size_t converted_size;
-
- *principal = NULL;
- if (!push_utf8_talloc(talloc_tos(), &utf8_name, name, &converted_size)) {
- return ENOMEM;
- }
-
- ret = krb5_parse_name_norealm(context, utf8_name, principal);
- TALLOC_FREE(utf8_name);
- return ret;
-}
-#endif
-
-/**************************************************************
- krb5_parse_name that returns a UNIX charset name. Must
- be freed with talloc_free() call.
-**************************************************************/
-
-krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
- krb5_context context,
- krb5_const_principal principal,
- char **unix_name)
-{
- krb5_error_code ret;
- char *utf8_name;
- size_t converted_size;
-
- *unix_name = NULL;
- ret = krb5_unparse_name(context, principal, &utf8_name);
- if (ret) {
- return ret;
- }
-
- if (!pull_utf8_talloc(mem_ctx, unix_name, utf8_name, &converted_size)) {
- krb5_free_unparsed_name(context, utf8_name);
- return ENOMEM;
- }
- krb5_free_unparsed_name(context, utf8_name);
- return 0;
-}
-
-#ifndef HAVE_KRB5_SET_REAL_TIME
-/*
- * This function is not in the Heimdal mainline.
- */
- krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds)
-{
- krb5_error_code ret;
- int32_t sec, usec;
-
- ret = krb5_us_timeofday(context, &sec, &usec);
- if (ret)
- return ret;
-
- context->kdc_sec_offset = seconds - sec;
- context->kdc_usec_offset = microseconds - usec;
-
- return 0;
-}
-#endif
-
#if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
#if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES)
}
#else
#error UNKNOWN_ADDRTYPE
-#endif
-
-#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
-static int create_kerberos_key_from_string_direct(krb5_context context,
- krb5_principal host_princ,
- krb5_data *password,
- krb5_keyblock *key,
- krb5_enctype enctype)
-{
- int ret = 0;
- krb5_data salt;
- krb5_encrypt_block eblock;
-
- ret = krb5_principal2salt(context, host_princ, &salt);
- if (ret) {
- DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
- return ret;
- }
- krb5_use_enctype(context, &eblock, enctype);
- ret = krb5_string_to_key(context, &eblock, key, password, &salt);
- SAFE_FREE(salt.data);
-
- return ret;
-}
-#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
-static int create_kerberos_key_from_string_direct(krb5_context context,
- krb5_principal host_princ,
- krb5_data *password,
- krb5_keyblock *key,
- krb5_enctype enctype)
-{
- int ret;
- krb5_salt salt;
-
- ret = krb5_get_pw_salt(context, host_princ, &salt);
- if (ret) {
- DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
- return ret;
- }
-
- ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
- krb5_free_salt(context, salt);
-
- return ret;
-}
-#else
-#error UNKNOWN_CREATE_KEY_FUNCTIONS
#endif
int create_kerberos_key_from_string(krb5_context context,
krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
krb5_enctype **enctypes)
{
+#ifdef HAVE_KRB5_PDU_NONE_DECL
+ return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, enctypes);
+#else
return krb5_get_default_in_tkt_etypes(context, enctypes);
+#endif
}
#else
#error UNKNOWN_GET_ENCTYPES_FUNCTIONS
}
asn1_start_tag(data, ASN1_CONTEXT(2));
- asn1_read_OctetString(data, talloc_autofree_context(), &edata_contents);
+ asn1_read_OctetString(data, talloc_tos(), &edata_contents);
asn1_end_tag(data);
asn1_end_tag(data);
asn1_end_tag(data);
asn1_end_tag(data);
asn1_start_tag(data, ASN1_CONTEXT(1));
- asn1_read_OctetString(data, talloc_autofree_context(), &pac_contents);
+ asn1_read_OctetString(data, talloc_tos(), &pac_contents);
asn1_end_tag(data);
asn1_end_tag(data);
asn1_end_tag(data);
return False;
}
- krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt)
-{
-#if defined(HAVE_KRB5_TKT_ENC_PART2)
- return tkt->enc_part2->client;
-#else
- return tkt->client;
-#endif
-}
-
-#if !defined(HAVE_KRB5_LOCATE_KDC)
-
-/* krb5_locate_kdc is an internal MIT symbol. MIT are not yet willing to commit
- * to a public interface for this functionality, so we have to be able to live
- * without it if the MIT libraries are hiding their internal symbols.
- */
-
-#if defined(KRB5_KRBHST_INIT)
-/* Heimdal */
- krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters)
-{
- krb5_krbhst_handle hnd;
- krb5_krbhst_info *hinfo;
- krb5_error_code rc;
- int num_kdcs, i;
- struct sockaddr *sa;
- struct addrinfo *ai;
-
- *addr_pp = NULL;
- *naddrs = 0;
-
- rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd);
- if (rc) {
- DEBUG(0, ("smb_krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc)));
- return rc;
- }
-
- for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++)
- ;
-
- krb5_krbhst_reset(ctx, hnd);
-
- if (!num_kdcs) {
- DEBUG(0, ("smb_krb5_locate_kdc: zero kdcs found !\n"));
- krb5_krbhst_free(ctx, hnd);
- return -1;
- }
-
- sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs );
- if (!sa) {
- DEBUG(0, ("smb_krb5_locate_kdc: malloc failed\n"));
- krb5_krbhst_free(ctx, hnd);
- naddrs = 0;
- return -1;
- }
-
- memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );
-
- for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
-
-#if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
- rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai);
- if (rc) {
- DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc)));
- continue;
- }
-#endif
- if (hinfo->ai && hinfo->ai->ai_family == AF_INET)
- memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr));
- }
-
- krb5_krbhst_free(ctx, hnd);
-
- *naddrs = num_kdcs;
- *addr_pp = sa;
- return 0;
-}
-
-#else /* ! defined(KRB5_KRBHST_INIT) */
-
- krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
- struct sockaddr **addr_pp, int *naddrs, int get_masters)
-{
- DEBUG(0, ("unable to explicitly locate the KDC on this platform\n"));
- return KRB5_KDC_UNREACH;
-}
-
-#endif /* KRB5_KRBHST_INIT */
-
-#else /* ! HAVE_KRB5_LOCATE_KDC */
-
- krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
- struct sockaddr **addr_pp, int *naddrs, int get_masters)
-{
- return krb5_locate_kdc(ctx, realm, addr_pp, naddrs, get_masters);
-}
-
-#endif /* HAVE_KRB5_LOCATE_KDC */
-
-#if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
- void krb5_free_unparsed_name(krb5_context context, char *val)
-{
- SAFE_FREE(val);
-}
-#endif
-
- void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
-{
-#if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
- if (pdata->data) {
- krb5_free_data_contents(context, pdata);
- }
-#else
- SAFE_FREE(pdata->data);
-#endif
-}
-
- void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
-{
-#if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
- KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype;
-#elif defined(HAVE_KRB5_SESSION_IN_CREDS)
- KRB5_KEY_TYPE((&pcreds->session)) = enctype;
-#else
-#error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT
-#endif
-}
-
- bool kerberos_compatible_enctypes(krb5_context context,
- krb5_enctype enctype1,
- krb5_enctype enctype2)
-{
-#if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
- krb5_boolean similar = 0;
-
- krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
- return similar ? True : False;
-#elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
- return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False;
-#endif
-}
-
static bool ads_cleanup_expired_creds(krb5_context context,
krb5_ccache ccache,
krb5_creds *credsp)
return retval;
}
+#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
static krb5_error_code create_gss_checksum(krb5_data *in_data, /* [inout] */
uint32_t gss_flags)
{
memset(gss_cksum, '\0', base_cksum_size + orig_length);
SIVAL(gss_cksum, 0, GSSAPI_BNDLENGTH);
- /* Precalculated MD5sum of NULL channel bindings (20 bytes) */
- /* Channel bindings are: (all ints encoded as little endian)
-
- [4 bytes] initiator_addrtype (255 for null bindings)
- [4 bytes] initiator_address length
- [n bytes] .. initiator_address data - not present
- in null bindings.
- [4 bytes] acceptor_addrtype (255 for null bindings)
- [4 bytes] acceptor_address length
- [n bytes] .. acceptor_address data - not present
- in null bindings.
- [4 bytes] application_data length
- [n bytes] .. application_ data - not present
- in null bindings.
- MD5 of this is ""\x14\x8f\x0c\xf7\xb1u\xdey*J\x9a%\xdfV\xc5\x18"
- */
-
- memcpy(&gss_cksum[4],
- "\x14\x8f\x0c\xf7\xb1u\xdey*J\x9a%\xdfV\xc5\x18",
- GSSAPI_BNDLENGTH);
+ /*
+ * GSS_C_NO_CHANNEL_BINDINGS means 16 zero bytes.
+ * This matches the behavior of heimdal and mit.
+ *
+ * And it is needed to work against some closed source
+ * SMB servers.
+ *
+ * See bug #7883
+ */
+ memset(&gss_cksum[4], 0x00, GSSAPI_BNDLENGTH);
SIVAL(gss_cksum, 20, gss_flags);
in_data->length = base_cksum_size + orig_length;
return 0;
}
+#endif
/*
we can't use krb5_mk_req because w2k wants the service to be in a particular format
krb5_data in_data;
bool creds_ready = False;
int i = 0, maxtries = 3;
- uint32_t gss_flags = 0;
ZERO_STRUCT(in_data);
goto cleanup_creds;
}
-#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
- if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
- /* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
- as part of the kerberos exchange. */
+#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
+ {
+ uint32_t gss_flags = 0;
+
+ if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
+ /* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
+ as part of the kerberos exchange. */
- DEBUG( 3, ("ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT\n") );
+ DEBUG( 3, ("ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT\n") );
- retval = krb5_auth_con_setuseruserkey(context,
+ retval = krb5_auth_con_setuseruserkey(context,
*auth_context,
&credsp->keyblock );
- if (retval) {
- DEBUG(1,("krb5_auth_con_setuseruserkey failed (%s)\n",
- error_message(retval)));
- goto cleanup_creds;
- }
+ if (retval) {
+ DEBUG(1,("krb5_auth_con_setuseruserkey failed (%s)\n",
+ error_message(retval)));
+ goto cleanup_creds;
+ }
- /* Must use a subkey for forwarded tickets. */
- retval = krb5_auth_con_setflags(context,
+ /* Must use a subkey for forwarded tickets. */
+ retval = krb5_auth_con_setflags(context,
*auth_context,
KRB5_AUTH_CONTEXT_USE_SUBKEY);
- if (retval) {
- DEBUG(1,("krb5_auth_con_setflags failed (%s)\n",
- error_message(retval)));
- goto cleanup_creds;
- }
+ if (retval) {
+ DEBUG(1,("krb5_auth_con_setflags failed (%s)\n",
+ error_message(retval)));
+ goto cleanup_creds;
+ }
- retval = krb5_fwd_tgt_creds(context,/* Krb5 context [in] */
+ retval = krb5_fwd_tgt_creds(context,/* Krb5 context [in] */
*auth_context, /* Authentication context [in] */
- CONST_DISCARD(char *, KRB5_TGS_NAME), /* Ticket service name ("krbtgt") [in] */
+ discard_const_p(char, KRB5_TGS_NAME), /* Ticket service name ("krbtgt") [in] */
credsp->client, /* Client principal for the tgt [in] */
credsp->server, /* Server principal for the tgt [in] */
ccache, /* Credential cache to use for storage [in] */
1, /* Turn on for "Forwardable ticket" [in] */
&in_data ); /* Resulting response [out] */
- if (retval) {
- DEBUG( 3, ("krb5_fwd_tgt_creds failed (%s)\n",
- error_message( retval ) ) );
-
- /*
- * This is not fatal. Delete the *auth_context and continue
- * with krb5_mk_req_extended to get a non-forwardable ticket.
- */
-
- if (in_data.data) {
- free( in_data.data );
- in_data.data = NULL;
- in_data.length = 0;
- }
- krb5_auth_con_free(context, *auth_context);
- *auth_context = NULL;
- retval = setup_auth_context(context, auth_context);
if (retval) {
- DEBUG(1,("setup_auth_context failed (%s)\n",
- error_message(retval)));
- goto cleanup_creds;
+ DEBUG( 3, ("krb5_fwd_tgt_creds failed (%s)\n",
+ error_message( retval ) ) );
+
+ /*
+ * This is not fatal. Delete the *auth_context and continue
+ * with krb5_mk_req_extended to get a non-forwardable ticket.
+ */
+
+ if (in_data.data) {
+ free( in_data.data );
+ in_data.data = NULL;
+ in_data.length = 0;
+ }
+ krb5_auth_con_free(context, *auth_context);
+ *auth_context = NULL;
+ retval = setup_auth_context(context, auth_context);
+ if (retval) {
+ DEBUG(1,("setup_auth_context failed (%s)\n",
+ error_message(retval)));
+ goto cleanup_creds;
+ }
+ } else {
+ /* We got a delegated ticket. */
+ gss_flags |= GSS_C_DELEG_FLAG;
}
- } else {
- /* We got a delegated ticket. */
- gss_flags |= GSS_C_DELEG_FLAG;
}
- }
-#endif
- /* Frees and reallocates in_data into a GSS checksum blob. */
- retval = create_gss_checksum(&in_data, gss_flags);
- if (retval) {
- goto cleanup_data;
- }
+ /* Frees and reallocates in_data into a GSS checksum blob. */
+ retval = create_gss_checksum(&in_data, gss_flags);
+ if (retval) {
+ goto cleanup_data;
+ }
-#if defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
- /* We always want GSS-checksum types. */
- retval = krb5_auth_con_set_req_cksumtype(context, *auth_context, GSSAPI_CHECKSUM );
- if (retval) {
- DEBUG(1,("krb5_auth_con_set_req_cksumtype failed (%s)\n",
- error_message(retval)));
- goto cleanup_data;
+ /* We always want GSS-checksum types. */
+ retval = krb5_auth_con_set_req_cksumtype(context, *auth_context, GSSAPI_CHECKSUM );
+ if (retval) {
+ DEBUG(1,("krb5_auth_con_set_req_cksumtype failed (%s)\n",
+ error_message(retval)));
+ goto cleanup_data;
+ }
}
#endif
error_message(retval)));
}
+#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
cleanup_data:
+#endif
+
if (in_data.data) {
free( in_data.data );
in_data.length = 0;
krb5_ccache ccdef = NULL;
krb5_auth_context auth_context = NULL;
krb5_enctype enc_types[] = {
-#ifdef ENCTYPE_ARCFOUR_HMAC
ENCTYPE_ARCFOUR_HMAC,
-#endif
ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES_CBC_CRC,
ENCTYPE_NULL};
{
static krb5_data kdata;
- kdata.data = (char *)krb5_principal_get_comp_string(context, principal, i);
+ kdata.data = discard_const_p(char, krb5_principal_get_comp_string(context, principal, i));
kdata.length = strlen((const char *)kdata.data);
return &kdata;
}
#endif
- krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
-{
-/* Try krb5_free_keytab_entry_contents first, since
- * MIT Kerberos >= 1.7 has both krb5_free_keytab_entry_contents and
- * krb5_kt_free_entry but only has a prototype for the first, while the
- * second is considered private.
- */
-#if defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
- return krb5_free_keytab_entry_contents(context, kt_entry);
-#elif defined(HAVE_KRB5_KT_FREE_ENTRY)
- return krb5_kt_free_entry(context, kt_entry);
-#else
-#error UNKNOWN_KT_FREE_FUNCTION
-#endif
-}
-
- void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
- struct PAC_SIGNATURE_DATA *sig)
-{
-#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
- cksum->cksumtype = (krb5_cksumtype)sig->type;
- cksum->checksum.length = sig->signature.length;
- cksum->checksum.data = sig->signature.data;
-#else
- cksum->checksum_type = (krb5_cksumtype)sig->type;
- cksum->length = sig->signature.length;
- cksum->contents = sig->signature.data;
-#endif
-}
-
- krb5_error_code smb_krb5_verify_checksum(krb5_context context,
- const krb5_keyblock *keyblock,
- krb5_keyusage usage,
- krb5_checksum *cksum,
- uint8 *data,
- size_t length)
-{
- krb5_error_code ret;
-
- /* verify the checksum */
-
- /* welcome to the wonderful world of samba's kerberos abstraction layer:
- *
- * function heimdal 0.6.1rc3 heimdal 0.7 MIT krb 1.4.2
- * -----------------------------------------------------------------------------
- * krb5_c_verify_checksum - works works
- * krb5_verify_checksum works (6 args) works (6 args) broken (7 args)
- */
-
-#if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
- {
- krb5_boolean checksum_valid = False;
- krb5_data input;
-
- input.data = (char *)data;
- input.length = length;
-
- ret = krb5_c_verify_checksum(context,
- keyblock,
- usage,
- &input,
- cksum,
- &checksum_valid);
- if (ret) {
- DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
- error_message(ret)));
- return ret;
- }
-
- if (!checksum_valid)
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
-
-#elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
-
- /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
- * without enctype and it ignores any key_usage types - Guenther */
-
- {
-
- krb5_crypto crypto;
- ret = krb5_crypto_init(context,
- keyblock,
- 0,
- &crypto);
- if (ret) {
- DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n",
- error_message(ret)));
- return ret;
- }
-
- ret = krb5_verify_checksum(context,
- crypto,
- usage,
- data,
- length,
- cksum);
-
- krb5_crypto_destroy(context, crypto);
- }
-
-#else
-#error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
-#endif
-
- return ret;
-}
-
time_t get_authtime_from_tkt(krb5_ticket *tkt)
{
#if defined(HAVE_KRB5_TKT_ENC_PART2)
return ret;
}
- krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
- const char *name,
- krb5_principal *principal)
-{
-#ifdef HAVE_KRB5_PARSE_NAME_NOREALM
- return smb_krb5_parse_name_norealm_conv(context, name, principal);
-#endif
-
- /* we are cheating here because parse_name will in fact set the realm.
- * We don't care as the only caller of smb_krb5_parse_name_norealm
- * ignores the realm anyway when calling
- * smb_krb5_principal_compare_any_realm later - Guenther */
-
- return smb_krb5_parse_name(context, name, principal);
-}
-
- bool smb_krb5_principal_compare_any_realm(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2)
-{
-#ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
-
- return krb5_principal_compare_any_realm(context, princ1, princ2);
-
-/* krb5_princ_size is a macro in MIT */
-#elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
-
- int i, len1, len2;
- const krb5_data *p1, *p2;
-
- len1 = krb5_princ_size(context, princ1);
- len2 = krb5_princ_size(context, princ2);
-
- if (len1 != len2)
- return False;
-
- for (i = 0; i < len1; i++) {
-
- p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i);
- p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i);
-
- if (p1->length != p2->length || memcmp(p1->data, p2->data, p1->length))
- return False;
- }
-
- return True;
-#else
-#error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
-#endif
-}
-
krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, /* FILE:/tmp/krb5cc_0 */
const char *client_string, /* gd@BER.SUSE.DE */
const char *service_string, /* krbtgt/BER.SUSE.DE@BER.SUSE.DE */
DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
/* FIXME: we should not fall back to defaults */
- ret = krb5_cc_resolve(context, CONST_DISCARD(char *, ccache_string), &ccache);
+ ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
if (ret) {
goto done;
}
}
}
-#ifdef HAVE_KRB5_GET_RENEWED_CREDS /* MIT */
- {
- ret = krb5_get_renewed_creds(context, &creds, client, ccache, CONST_DISCARD(char *, service_string));
- if (ret) {
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
- goto done;
- }
- }
-#elif defined(HAVE_KRB5_GET_KDC_CRED) /* Heimdal */
- {
- krb5_kdc_flags flags;
- krb5_realm *client_realm = NULL;
-
- ret = krb5_copy_principal(context, client, &creds_in.client);
- if (ret) {
- goto done;
- }
-
- if (service_string) {
- ret = smb_krb5_parse_name(context, service_string, &creds_in.server);
- if (ret) {
- goto done;
- }
- } else {
- /* build tgt service by default */
- client_realm = krb5_princ_realm(context, creds_in.client);
- if (!client_realm) {
- ret = ENOMEM;
- goto done;
- }
- ret = krb5_make_principal(context, &creds_in.server, *client_realm, KRB5_TGS_NAME, *client_realm, NULL);
- if (ret) {
- goto done;
- }
- }
-
- flags.i = 0;
- flags.b.renewable = flags.b.renew = True;
-
- ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &creds_in, &creds_out);
- if (ret) {
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
- goto done;
- }
-
- creds = *creds_out;
+ ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
+ if (ret) {
+ DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
+ goto done;
}
-#else
-#error NO_SUITABLE_KRB5_TICKET_RENEW_FUNCTION_AVAILABLE
-#endif
/* hm, doesn't that create a new one if the old one wasn't there? - Guenther */
ret = krb5_cc_initialize(context, ccache, client);
return ENOMEM;
}
- put_name(buf, global_myname(), ' ', 0x20);
+ put_name(buf, lp_netbios_name(), ' ', 0x20);
#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
{
krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
krb5_get_init_creds_opt **opt)
{
-#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
/* Heimdal or modern MIT version */
return krb5_get_init_creds_opt_alloc(context, opt);
-#else
- /* Historical MIT version */
- krb5_get_init_creds_opt *my_opt;
-
- *opt = NULL;
-
- if ((my_opt = SMB_MALLOC_P(krb5_get_init_creds_opt)) == NULL) {
- return ENOMEM;
- }
-
- krb5_get_init_creds_opt_init(my_opt);
-
- *opt = my_opt;
- return 0;
-#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC */
}
void smb_krb5_get_init_creds_opt_free(krb5_context context,
krb5_get_init_creds_opt *opt)
{
-#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE
-
-#ifdef KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT
/* Modern MIT or Heimdal version */
krb5_get_init_creds_opt_free(context, opt);
-#else
- /* Heimdal version */
- krb5_get_init_creds_opt_free(opt);
-#endif /* KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT */
-
-#else /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */
- /* Historical MIT version */
- SAFE_FREE(opt);
- opt = NULL;
-#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */
}
krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry)
#else
#error UNKNOWN_KRB5_ENCTYPE_TO_STRING_FUNCTION
#endif
-}
-
- krb5_error_code smb_krb5_mk_error(krb5_context context,
- krb5_error_code error_code,
- const krb5_principal server,
- krb5_data *reply)
-{
-#ifdef HAVE_SHORT_KRB5_MK_ERROR_INTERFACE /* MIT */
- /*
- * The MIT interface is *terrible*.
- * We have to construct this ourselves...
- */
- krb5_error e;
-
- memset(&e, 0, sizeof(e));
- krb5_us_timeofday(context, &e.stime, &e.susec);
- e.server = server;
-#if defined(krb5_err_base)
- e.error = error_code - krb5_err_base;
-#elif defined(ERROR_TABLE_BASE_krb5)
- e.error = error_code - ERROR_TABLE_BASE_krb5;
-#else
- e.error = error_code; /* Almost certainly wrong, but what can we do... ? */
-#endif
-
- return krb5_mk_error(context, &e, reply);
-#else /* Heimdal. */
- return krb5_mk_error(context,
- error_code,
- NULL,
- NULL, /* e_data */
- NULL,
- server,
- NULL,
- NULL,
- reply);
-#endif
}
/**********************************************************************
goto done;
}
- ret = krb5_cc_store_cred(context, ccache, creds);
- if (ret) {
- goto done;
- }
-
if (out_creds) {
*out_creds = creds;
}
krb5_principal principal)
{
#ifdef HAVE_KRB5_PRINCIPAL_GET_REALM /* Heimdal */
- return krb5_principal_get_realm(context, principal);
+ return discard_const_p(char, krb5_principal_get_realm(context, principal));
#elif defined(krb5_princ_realm) /* MIT */
krb5_data *realm;
realm = krb5_princ_realm(context, principal);
- return (char *)realm->data;
+ return discard_const_p(char, realm->data);
#else
return NULL;
#endif
return 1;
}
-#endif
+bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data)
+{
+ DEBUG(0,("NO KERBEROS SUPPORT\n"));
+ return false;
+}
+
+#endif /* HAVE_KRB5 */