f8a66021948fd71c01b3fa3e153b8fa83f7c3639
[samba.git] / source3 / libads / kerberos_verify.c
1 /*
2    Unix SMB/CIFS implementation.
3    kerberos utility library
4    Copyright (C) Andrew Tridgell 2001
5    Copyright (C) Remus Koos 2001
6    Copyright (C) Luke Howard 2003
7    Copyright (C) Guenther Deschner 2003, 2005
8    Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
9    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
10    Copyright (C) Jeremy Allison 2007
11
12    This program is free software; you can redistribute it and/or modify
13    it under the terms of the GNU General Public License as published by
14    the Free Software Foundation; either version 3 of the License, or
15    (at your option) any later version.
16
17    This program is distributed in the hope that it will be useful,
18    but WITHOUT ANY WARRANTY; without even the implied warranty of
19    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20    GNU General Public License for more details.
21
22    You should have received a copy of the GNU General Public License
23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 #include "includes.h"
27 #include "smb_krb5.h"
28 #include "libads/kerberos_proto.h"
29
30 #ifdef HAVE_KRB5
31
32 #if !defined(HAVE_KRB5_PRINC_COMPONENT)
33 const krb5_data *krb5_princ_component(krb5_context, krb5_principal, int );
34 #endif
35
36 static bool ads_dedicated_keytab_verify_ticket(krb5_context context,
37                                           krb5_auth_context auth_context,
38                                           const DATA_BLOB *ticket,
39                                           krb5_ticket **pp_tkt,
40                                           krb5_keyblock **keyblock,
41                                           krb5_error_code *perr)
42 {
43         krb5_error_code ret = 0;
44         bool auth_ok = false;
45         krb5_keytab keytab = NULL;
46         krb5_keytab_entry kt_entry;
47         krb5_ticket *dec_ticket = NULL;
48
49         krb5_data packet;
50         krb5_kvno kvno = 0;
51         krb5_enctype enctype;
52
53         *pp_tkt = NULL;
54         *keyblock = NULL;
55         *perr = 0;
56
57         ZERO_STRUCT(kt_entry);
58
59         ret = smb_krb5_open_keytab(context, lp_dedicated_keytab_file(), true,
60             &keytab);
61         if (ret) {
62                 DEBUG(1, ("smb_krb5_open_keytab failed (%s)\n",
63                         error_message(ret)));
64                 goto out;
65         }
66
67         packet.length = ticket->length;
68         packet.data = (char *)ticket->data;
69
70         ret = krb5_rd_req(context, &auth_context, &packet, NULL, keytab,
71             NULL, &dec_ticket);
72         if (ret) {
73                 DEBUG(0, ("krb5_rd_req failed (%s)\n", error_message(ret)));
74                 goto out;
75         }
76
77 #ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */
78         enctype = dec_ticket->ticket.key.keytype;
79 #else /* MIT */
80         enctype = dec_ticket->enc_part.enctype;
81         kvno    = dec_ticket->enc_part.kvno;
82 #endif
83
84         /* Get the key for checking the pac signature */
85         ret = krb5_kt_get_entry(context, keytab, dec_ticket->server,
86                                 kvno, enctype, &kt_entry);
87         if (ret) {
88                 DEBUG(0, ("krb5_kt_get_entry failed (%s)\n",
89                           error_message(ret)));
90                 goto out;
91         }
92
93         ret = krb5_copy_keyblock(context, KRB5_KT_KEY(&kt_entry), keyblock);
94         smb_krb5_kt_free_entry(context, &kt_entry);
95
96         if (ret) {
97                 DEBUG(0, ("failed to copy key: %s\n",
98                           error_message(ret)));
99                 goto out;
100         }
101
102         auth_ok = true;
103         *pp_tkt = dec_ticket;
104         dec_ticket = NULL;
105
106   out:
107         if (dec_ticket)
108                 krb5_free_ticket(context, dec_ticket);
109
110         if (keytab)
111                 krb5_kt_close(context, keytab);
112
113         *perr = ret;
114         return auth_ok;
115 }
116
117 /******************************************************************************
118  Try to verify a ticket using the system keytab... the system keytab has
119  kvno -1 entries, so it's more like what microsoft does... see comment in
120  utils/net_ads.c in the ads_keytab_add_entry function for details.
121 ******************************************************************************/
122
123 static bool ads_keytab_verify_ticket(krb5_context context,
124                                         krb5_auth_context auth_context,
125                                         const DATA_BLOB *ticket,
126                                         krb5_ticket **pp_tkt,
127                                         krb5_keyblock **keyblock,
128                                         krb5_error_code *perr)
129 {
130         krb5_error_code ret = 0;
131         bool auth_ok = False;
132         krb5_keytab keytab = NULL;
133         krb5_kt_cursor kt_cursor;
134         krb5_keytab_entry kt_entry;
135         char *valid_princ_formats[7] = { NULL, NULL, NULL,
136                                          NULL, NULL, NULL, NULL };
137         char *entry_princ_s = NULL;
138         fstring my_name, my_fqdn;
139         int i;
140         int number_matched_principals = 0;
141         krb5_data packet;
142         int err;
143
144         *pp_tkt = NULL;
145         *keyblock = NULL;
146         *perr = 0;
147
148         /* Generate the list of principal names which we expect
149          * clients might want to use for authenticating to the file
150          * service.  We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
151
152         fstrcpy(my_name, global_myname());
153
154         my_fqdn[0] = '\0';
155         name_to_fqdn(my_fqdn, global_myname());
156
157         err = asprintf(&valid_princ_formats[0],
158                         "%s$@%s", my_name, lp_realm());
159         if (err == -1) {
160                 goto out;
161         }
162         err = asprintf(&valid_princ_formats[1],
163                         "host/%s@%s", my_name, lp_realm());
164         if (err == -1) {
165                 goto out;
166         }
167         err = asprintf(&valid_princ_formats[2],
168                         "host/%s@%s", my_fqdn, lp_realm());
169         if (err == -1) {
170                 goto out;
171         }
172         err = asprintf(&valid_princ_formats[3],
173                         "host/%s.%s@%s", my_name, lp_realm(), lp_realm());
174         if (err == -1) {
175                 goto out;
176         }
177         err = asprintf(&valid_princ_formats[4],
178                         "cifs/%s@%s", my_name, lp_realm());
179         if (err == -1) {
180                 goto out;
181         }
182         err = asprintf(&valid_princ_formats[5],
183                         "cifs/%s@%s", my_fqdn, lp_realm());
184         if (err == -1) {
185                 goto out;
186         }
187         err = asprintf(&valid_princ_formats[6],
188                         "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm());
189         if (err == -1) {
190                 goto out;
191         }
192
193         ZERO_STRUCT(kt_entry);
194         ZERO_STRUCT(kt_cursor);
195
196         ret = smb_krb5_open_keytab(context, NULL, False, &keytab);
197         if (ret) {
198                 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
199                           error_message(ret)));
200                 goto out;
201         }
202
203         /* Iterate through the keytab.  For each key, if the principal
204          * name case-insensitively matches one of the allowed formats,
205          * try verifying the ticket using that principal. */
206
207         ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
208         if (ret) {
209                 DEBUG(1, (__location__ ": krb5_kt_start_seq_get failed (%s)\n",
210                           error_message(ret)));
211                 goto out;
212         }
213   
214         while (!auth_ok &&
215                (krb5_kt_next_entry(context, keytab,
216                                    &kt_entry, &kt_cursor) == 0)) {
217                 ret = smb_krb5_unparse_name(talloc_tos(), context,
218                                             kt_entry.principal,
219                                             &entry_princ_s);
220                 if (ret) {
221                         DEBUG(1, (__location__ ": smb_krb5_unparse_name "
222                                   "failed (%s)\n", error_message(ret)));
223                         goto out;
224                 }
225
226                 for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
227
228                         if (!strequal(entry_princ_s, valid_princ_formats[i])) {
229                                 continue;
230                         }
231
232                         number_matched_principals++;
233                         packet.length = ticket->length;
234                         packet.data = (char *)ticket->data;
235                         *pp_tkt = NULL;
236
237                         ret = krb5_rd_req_return_keyblock_from_keytab(context,
238                                                 &auth_context, &packet,
239                                                 kt_entry.principal, keytab,
240                                                 NULL, pp_tkt, keyblock);
241
242                         if (ret) {
243                                 DEBUG(10, (__location__ ": krb5_rd_req_return"
244                                            "_keyblock_from_keytab(%s) "
245                                            "failed: %s\n", entry_princ_s,
246                                            error_message(ret)));
247
248                                 /* workaround for MIT:
249                                 * as krb5_ktfile_get_entry will explicitly
250                                 * close the krb5_keytab as soon as krb5_rd_req
251                                 * has successfully decrypted the ticket but the
252                                 * ticket is not valid yet (due to clockskew)
253                                 * there is no point in querying more keytab
254                                 * entries - Guenther */
255
256                                 if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
257                                     ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
258                                     ret == KRB5KRB_AP_ERR_SKEW) {
259                                         break;
260                                 }
261                         } else {
262                                 DEBUG(3, (__location__ ": krb5_rd_req_return"
263                                           "_keyblock_from_keytab succeeded "
264                                           "for principal %s\n",
265                                           entry_princ_s));
266                                 auth_ok = True;
267                                 break;
268                         }
269                 }
270
271                 /* Free the name we parsed. */
272                 TALLOC_FREE(entry_princ_s);
273
274                 /* Free the entry we just read. */
275                 smb_krb5_kt_free_entry(context, &kt_entry);
276                 ZERO_STRUCT(kt_entry);
277         }
278         krb5_kt_end_seq_get(context, keytab, &kt_cursor);
279
280         ZERO_STRUCT(kt_cursor);
281
282 out:
283
284         for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
285                 SAFE_FREE(valid_princ_formats[i]);
286         }
287
288         if (!auth_ok) {
289                 if (!number_matched_principals) {
290                         DEBUG(3, (__location__ ": no keytab principals "
291                                   "matched expected file service name.\n"));
292                 } else {
293                         DEBUG(3, (__location__ ": krb5_rd_req failed for "
294                                   "all %d matched keytab principals\n",
295                                   number_matched_principals));
296                 }
297         }
298
299         SAFE_FREE(entry_princ_s);
300
301         {
302                 krb5_keytab_entry zero_kt_entry;
303                 ZERO_STRUCT(zero_kt_entry);
304                 if (memcmp(&zero_kt_entry, &kt_entry,
305                            sizeof(krb5_keytab_entry))) {
306                         smb_krb5_kt_free_entry(context, &kt_entry);
307                 }
308         }
309
310         {
311                 krb5_kt_cursor zero_csr;
312                 ZERO_STRUCT(zero_csr);
313                 if ((memcmp(&kt_cursor, &zero_csr,
314                             sizeof(krb5_kt_cursor)) != 0) && keytab) {
315                         krb5_kt_end_seq_get(context, keytab, &kt_cursor);
316                 }
317         }
318
319         if (keytab) {
320                 krb5_kt_close(context, keytab);
321         }
322         *perr = ret;
323         return auth_ok;
324 }
325
326 /*****************************************************************************
327  Try to verify a ticket using the secrets.tdb.
328 ******************************************************************************/
329
330 static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
331                                                 krb5_auth_context auth_context,
332                                                 krb5_principal host_princ,
333                                                 const DATA_BLOB *ticket,
334                                                 krb5_ticket **pp_tkt,
335                                                 krb5_keyblock **keyblock,
336                                                 krb5_error_code *perr)
337 {
338         krb5_error_code ret = 0;
339         bool auth_ok = False;
340         bool cont = true;
341         char *password_s = NULL;
342         /* Let's make some room for 2 password (old and new)*/
343         krb5_data passwords[2];
344         krb5_enctype enctypes[] = {
345 #if defined(ENCTYPE_ARCFOUR_HMAC)
346                 ENCTYPE_ARCFOUR_HMAC,
347 #endif
348                 ENCTYPE_DES_CBC_CRC,
349                 ENCTYPE_DES_CBC_MD5,
350                 ENCTYPE_NULL
351         };
352         krb5_data packet;
353         int i, j;
354
355         *pp_tkt = NULL;
356         *keyblock = NULL;
357         *perr = 0;
358
359         ZERO_STRUCT(passwords);
360
361         if (!secrets_init()) {
362                 DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n"));
363                 *perr = KRB5_CONFIG_CANTOPEN;
364                 return False;
365         }
366
367         password_s = secrets_fetch_machine_password(lp_workgroup(),
368                                                     NULL, NULL);
369         if (!password_s) {
370                 DEBUG(1,(__location__ ": failed to fetch machine password\n"));
371                 *perr = KRB5_LIBOS_CANTREADPWD;
372                 return False;
373         }
374
375         passwords[0].data = password_s;
376         passwords[0].length = strlen(password_s);
377
378         password_s = secrets_fetch_prev_machine_password(lp_workgroup());
379         if (password_s) {
380                 DEBUG(10, (__location__ ": found previous password\n"));
381                 passwords[1].data = password_s;
382                 passwords[1].length = strlen(password_s);
383         }
384
385         /* CIFS doesn't use addresses in tickets. This would break NAT. JRA */
386
387         packet.length = ticket->length;
388         packet.data = (char *)ticket->data;
389
390         /* We need to setup a auth context with each possible encoding type
391          * in turn. */
392         for (j=0; j<2 && passwords[j].length; j++) {
393
394                 for (i=0;enctypes[i];i++) {
395                         krb5_keyblock *key = NULL;
396
397                         if (!(key = SMB_MALLOC_P(krb5_keyblock))) {
398                                 ret = ENOMEM;
399                                 goto out;
400                         }
401
402                         if (create_kerberos_key_from_string(context,
403                                                 host_princ, &passwords[j],
404                                                 key, enctypes[i], false)) {
405                                 SAFE_FREE(key);
406                                 continue;
407                         }
408
409                         krb5_auth_con_setuseruserkey(context,
410                                                         auth_context, key);
411
412                         if (!(ret = krb5_rd_req(context, &auth_context,
413                                                 &packet, NULL, NULL,
414                                                 NULL, pp_tkt))) {
415                                 DEBUG(10, (__location__ ": enc type [%u] "
416                                            "decrypted message !\n",
417                                            (unsigned int)enctypes[i]));
418                                 auth_ok = True;
419                                 cont = false;
420                                 krb5_copy_keyblock(context, key, keyblock);
421                                 krb5_free_keyblock(context, key);
422                                 break;
423                         }
424
425                         DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
426                                 (__location__ ": enc type [%u] failed to "
427                                  "decrypt with error %s\n",
428                                  (unsigned int)enctypes[i],
429                                  error_message(ret)));
430
431                         /* successfully decrypted but ticket is just not
432                          * valid at the moment */
433                         if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
434                             ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
435                             ret == KRB5KRB_AP_ERR_SKEW) {
436                                 krb5_free_keyblock(context, key);
437                                 cont = false;
438                                 break;
439                         }
440
441                         krb5_free_keyblock(context, key);
442                 }
443                 if (!cont) {
444                         /* If we found a valid pass then no need to try
445                          * the next one or we have invalid ticket so no need
446                          * to try next password*/
447                         break;
448                 }
449         }
450
451  out:
452         SAFE_FREE(passwords[0].data);
453         SAFE_FREE(passwords[1].data);
454         *perr = ret;
455         return auth_ok;
456 }
457
458 /*****************************************************************************
459  Verify an incoming ticket and parse out the principal name and
460  authorization_data if available.
461 ******************************************************************************/
462
463 NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
464                            const char *realm,
465                            time_t time_offset,
466                            const DATA_BLOB *ticket,
467                            char **principal,
468                            struct PAC_LOGON_INFO **logon_info,
469                            DATA_BLOB *ap_rep,
470                            DATA_BLOB *session_key,
471                            bool use_replay_cache)
472 {
473         NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
474         NTSTATUS pac_ret;
475         DATA_BLOB auth_data;
476         krb5_context context = NULL;
477         krb5_auth_context auth_context = NULL;
478         krb5_data packet;
479         krb5_ticket *tkt = NULL;
480         krb5_rcache rcache = NULL;
481         krb5_keyblock *keyblock = NULL;
482         time_t authtime;
483         krb5_error_code ret = 0;
484         int flags = 0;
485         krb5_principal host_princ = NULL;
486         krb5_const_principal client_principal = NULL;
487         char *host_princ_s = NULL;
488         bool auth_ok = False;
489         bool got_auth_data = False;
490         struct named_mutex *mutex = NULL;
491
492         ZERO_STRUCT(packet);
493         ZERO_STRUCT(auth_data);
494
495         *principal = NULL;
496         *logon_info = NULL;
497         *ap_rep = data_blob_null;
498         *session_key = data_blob_null;
499
500         initialize_krb5_error_table();
501         ret = krb5_init_context(&context);
502         if (ret) {
503                 DEBUG(1, (__location__ ": krb5_init_context failed (%s)\n",
504                           error_message(ret)));
505                 return NT_STATUS_LOGON_FAILURE;
506         }
507
508         if (time_offset != 0) {
509                 krb5_set_real_time(context, time(NULL) + time_offset, 0);
510         }
511
512         ret = krb5_set_default_realm(context, realm);
513         if (ret) {
514                 DEBUG(1, (__location__ ": krb5_set_default_realm "
515                           "failed (%s)\n", error_message(ret)));
516                 goto out;
517         }
518
519         /* This whole process is far more complex than I would
520            like. We have to go through all this to allow us to store
521            the secret internally, instead of using /etc/krb5.keytab */
522
523         ret = krb5_auth_con_init(context, &auth_context);
524         if (ret) {
525                 DEBUG(1, (__location__ ": krb5_auth_con_init failed (%s)\n",
526                           error_message(ret)));
527                 goto out;
528         }
529
530         krb5_auth_con_getflags( context, auth_context, &flags );
531         if ( !use_replay_cache ) {
532                 /* Disable default use of a replay cache */
533                 flags &= ~KRB5_AUTH_CONTEXT_DO_TIME;
534                 krb5_auth_con_setflags( context, auth_context, flags );
535         }
536
537         if (asprintf(&host_princ_s, "%s$", global_myname()) == -1) {
538                 goto out;
539         }
540
541         strlower_m(host_princ_s);
542         ret = smb_krb5_parse_name(context, host_princ_s, &host_princ);
543         if (ret) {
544                 DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
545                           "failed (%s)\n", host_princ_s, error_message(ret)));
546                 goto out;
547         }
548
549
550         if (use_replay_cache) {
551
552                 /* Lock a mutex surrounding the replay as there is no
553                    locking in the MIT krb5 code surrounding the replay
554                    cache... */
555
556                 mutex = grab_named_mutex(talloc_tos(),
557                                          "replay cache mutex", 10);
558                 if (mutex == NULL) {
559                         DEBUG(1, (__location__ ": unable to protect replay "
560                                   "cache with mutex.\n"));
561                         ret = KRB5_CC_IO;
562                         goto out;
563                 }
564
565                 /* JRA. We must set the rcache here. This will prevent
566                    replay attacks. */
567
568                 ret = krb5_get_server_rcache(
569                                 context,
570                                 krb5_princ_component(context, host_princ, 0),
571                                 &rcache);
572                 if (ret) {
573                         DEBUG(1, (__location__ ": krb5_get_server_rcache "
574                                   "failed (%s)\n", error_message(ret)));
575                         goto out;
576                 }
577
578                 ret = krb5_auth_con_setrcache(context, auth_context, rcache);
579                 if (ret) {
580                         DEBUG(1, (__location__ ": krb5_auth_con_setrcache "
581                                   "failed (%s)\n", error_message(ret)));
582                         goto out;
583                 }
584         }
585
586         switch (lp_kerberos_method()) {
587         default:
588         case KERBEROS_VERIFY_SECRETS:
589                 auth_ok = ads_secrets_verify_ticket(context, auth_context,
590                     host_princ, ticket, &tkt, &keyblock, &ret);
591                 break;
592         case KERBEROS_VERIFY_SYSTEM_KEYTAB:
593                 auth_ok = ads_keytab_verify_ticket(context, auth_context,
594                     ticket, &tkt, &keyblock, &ret);
595                 break;
596         case KERBEROS_VERIFY_DEDICATED_KEYTAB:
597                 auth_ok = ads_dedicated_keytab_verify_ticket(context,
598                     auth_context, ticket, &tkt, &keyblock, &ret);
599                 break;
600         case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
601                 /* First try secrets.tdb and fallback to the krb5.keytab if
602                    necessary.  This is the pre 3.4 behavior when
603                    "use kerberos keytab" was true.*/
604                 auth_ok = ads_secrets_verify_ticket(context, auth_context,
605                     host_princ, ticket, &tkt, &keyblock, &ret);
606
607                 if (!auth_ok) {
608                         /* Only fallback if we failed to decrypt the ticket */
609                         if (ret != KRB5KRB_AP_ERR_TKT_NYV &&
610                             ret != KRB5KRB_AP_ERR_TKT_EXPIRED &&
611                             ret != KRB5KRB_AP_ERR_SKEW) {
612                                 auth_ok = ads_keytab_verify_ticket(context,
613                                     auth_context, ticket, &tkt, &keyblock,
614                                     &ret);
615                         }
616                 }
617                 break;
618         }
619
620         if (use_replay_cache) {
621                 TALLOC_FREE(mutex);
622 #if 0
623                 /* Heimdal leaks here, if we fix the leak, MIT crashes */
624                 if (rcache) {
625                         krb5_rc_close(context, rcache);
626                 }
627 #endif
628         }
629
630         if (!auth_ok) {
631                 DEBUG(3, (__location__ ": krb5_rd_req with auth "
632                           "failed (%s)\n", error_message(ret)));
633                 /* Try map the error return in case it's something like
634                  * a clock skew error.
635                  */
636                 sret = krb5_to_nt_status(ret);
637                 if (NT_STATUS_IS_OK(sret) ||
638                     NT_STATUS_EQUAL(sret,NT_STATUS_UNSUCCESSFUL)) {
639                         sret = NT_STATUS_LOGON_FAILURE;
640                 }
641                 DEBUG(10, (__location__ ": returning error %s\n",
642                            nt_errstr(sret) ));
643                 goto out;
644         }
645
646         authtime = get_authtime_from_tkt(tkt);
647         client_principal = get_principal_from_tkt(tkt);
648
649         ret = krb5_mk_rep(context, auth_context, &packet);
650         if (ret) {
651                 DEBUG(3, (__location__ ": Failed to generate mutual "
652                           "authentication reply (%s)\n", error_message(ret)));
653                 goto out;
654         }
655
656         *ap_rep = data_blob(packet.data, packet.length);
657         if (packet.data) {
658                 kerberos_free_data_contents(context, &packet);
659                 ZERO_STRUCT(packet);
660         }
661
662         get_krb5_smb_session_key(mem_ctx, context,
663                                  auth_context, session_key, true);
664         dump_data_pw("SMB session key (from ticket)\n",
665                      session_key->data, session_key->length);
666
667 #if 0
668         file_save("/tmp/ticket.dat", ticket->data, ticket->length);
669 #endif
670
671         /* continue when no PAC is retrieved or we couldn't decode the PAC
672            (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set, or
673            Kerberos tickets encrypted using a DES key) - Guenther */
674
675         got_auth_data = get_auth_data_from_tkt(mem_ctx, &auth_data, tkt);
676         if (!got_auth_data) {
677                 DEBUG(3, (__location__ ": did not retrieve auth data. "
678                           "continuing without PAC\n"));
679         }
680
681         if (got_auth_data) {
682                 struct PAC_DATA *pac_data;
683                 pac_ret = decode_pac_data(mem_ctx, &auth_data, context,
684                                           keyblock, client_principal,
685                                           authtime, &pac_data);
686                 data_blob_free(&auth_data);
687                 if (!NT_STATUS_IS_OK(pac_ret)) {
688                         DEBUG(3, (__location__ ": failed to decode "
689                                   "PAC_DATA: %s\n", nt_errstr(pac_ret)));
690                 } else {
691                         uint32_t i;
692                         for (i = 0; i < pac_data->num_buffers; i++) {
693
694                                 if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
695                                         continue;
696                                 }
697
698                                 *logon_info = pac_data->buffers[i].info->logon_info.info;
699                         }
700
701                         if (!*logon_info) {
702                                 DEBUG(1, ("correctly decoded PAC but found "
703                                           "no logon_info! "
704                                           "This should not happen\n"));
705                                 return NT_STATUS_INVALID_USER_BUFFER;
706                         }
707                 }
708         }
709
710 #if 0
711 #if defined(HAVE_KRB5_TKT_ENC_PART2)
712         /* MIT */
713         if (tkt->enc_part2) {
714                 file_save("/tmp/authdata.dat",
715                           tkt->enc_part2->authorization_data[0]->contents,
716                           tkt->enc_part2->authorization_data[0]->length);
717         }
718 #else
719         /* Heimdal */
720         if (tkt->ticket.authorization_data) {
721                 file_save("/tmp/authdata.dat",
722                           tkt->ticket.authorization_data->val->ad_data.data,
723                           tkt->ticket.authorization_data->val->ad_data.length);
724         }
725 #endif
726 #endif
727
728         ret = smb_krb5_unparse_name(mem_ctx, context,
729                                     client_principal, principal);
730         if (ret) {
731                 DEBUG(3, (__location__ ": smb_krb5_unparse_name "
732                           "failed (%s)\n", error_message(ret)));
733                 sret = NT_STATUS_LOGON_FAILURE;
734                 goto out;
735         }
736
737         sret = NT_STATUS_OK;
738
739 out:
740
741         TALLOC_FREE(mutex);
742
743         if (!NT_STATUS_IS_OK(sret)) {
744                 data_blob_free(&auth_data);
745         }
746
747         if (!NT_STATUS_IS_OK(sret)) {
748                 data_blob_free(ap_rep);
749         }
750
751         if (host_princ) {
752                 krb5_free_principal(context, host_princ);
753         }
754
755         if (keyblock) {
756                 krb5_free_keyblock(context, keyblock);
757         }
758
759         if (tkt != NULL) {
760                 krb5_free_ticket(context, tkt);
761         }
762
763         SAFE_FREE(host_princ_s);
764
765         if (auth_context) {
766                 krb5_auth_con_free(context, auth_context);
767         }
768
769         if (context) {
770                 krb5_free_context(context);
771         }
772
773         return sret;
774 }
775
776 #endif /* HAVE_KRB5 */