parent: 8137f2d
s3-libsmb: Use data_blob_talloc to get krb5 ticket and session keys
author
Simo Sorce
<idra@samba.org>
Wed, 21 Jul 2010 00:00:12 +0000
(20:00 -0400)
committer
Simo Sorce
<idra@samba.org>
Wed, 21 Jul 2010 00:02:09 +0000
(20:02 -0400)
source3/include/krb5_protos.h
source3/libads/authdata.c
source3/libads/kerberos_verify.c
source3/libsmb/clikrb5.c
source3/libsmb/clispnego.c
source3/rpc_client/cli_pipe.c
source3/utils/ntlm_auth.c
diff --git
a/source3/include/krb5_protos.h
b/source3/include/krb5_protos.h
index b65fb17d9c59693a49f5594fed6ce6de4f711756..97e6871c89d808c255b1a4f4cd89a5eb306119bd 100644
--- a/
source3/include/krb5_protos.h
+++ b/
source3/include/krb5_protos.h
@@
-46,7
+46,10
@@
krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, st
krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
#endif
krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
#endif
krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
-bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote);
+bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+ krb5_auth_context auth_context,
+ DATA_BLOB *session_key, bool remote);
krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype);
void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype);
void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
@@
-141,9
+144,10
@@
char *smb_krb5_principal_get_realm(krb5_context context,
krb5_principal principal);
#endif /* HAVE_KRB5 */
krb5_principal principal);
#endif /* HAVE_KRB5 */
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
+int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
+ const char *principal, time_t time_offset,
DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
- uint32 extra_ap_opts, const char *ccname,
+ uint32
_t
extra_ap_opts, const char *ccname,
time_t *tgs_expire,
const char *impersonate_princ_s);
time_t *tgs_expire,
const char *impersonate_princ_s);
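Review bot: Both prototypes gain a `TALLOC_CTX *mem_ctx` parameter, but the header does not say who owns the blobs that come back. A short comment above `cli_krb5_get_ticket` would settle it for callers, for example `/* ticket and session_key_krb5 are talloc'ed on mem_ctx; release them with data_blob_free() or by freeing mem_ctx */`, with a matching line for `session_key` above `get_krb5_smb_session_key`. Because the session key is secret material, the comment could also state whether callers are expected to clear it before releasing it.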
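--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -406,7 +406,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 return NT_STATUS_INVALID_LOGON_TYPE;
 }
- ret = cli_krb5_get_ticket(local_service,
+ ret = cli_krb5_get_ticket(mem_ctx,
+ local_service,
 time_offset,
 &tkt,
 &sesskey1,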
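Review bot: `tkt` and `sesskey1` are now allocated on the `mem_ctx` that kerberos_return_pac receives from its caller, so these intermediates live as long as that context unless the function releases them itself. The cleanup code is outside this hunk; it is worth confirming that it calls `data_blob_free(&tkt)` and releases `sesskey1`, preferably with `data_blob_clear_free(&sesskey1)` so the key bytes are wiped rather than left in freed heap memory. A temporary talloc frame for the intermediates would avoid tying key material to the caller's context. The same question applies to the `a` context passed in create_krb5_auth_bind_req (source3/rpc_client/cli_pipe.c) and to `ctx` in manage_client_krb5_init (source3/utils/ntlm_auth.c).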
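--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -615,7 +615,8 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 ZERO_STRUCT(packet);
 }
- get_krb5_smb_session_key(context, auth_context, session_key, True);
+ get_krb5_smb_session_key(mem_ctx, context,
+ auth_context, session_key, true);
 dump_data_pw("SMB session key (from ticket)\n", session_key->data, session_key->length);
 #if 0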
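Review bot: The return value of `get_krb5_smb_session_key()` is still discarded on the rewritten call in ads_verify_ticket, and the very next line hands `session_key->data` and `session_key->length` to `dump_data_pw()`. The function returns `bool`, so a failed key extraction or a failed allocation on `mem_ctx` goes unnoticed here and the caller may carry on with an empty or unset session key. The call should be tested, `if (!get_krb5_smb_session_key(mem_ctx, context, auth_context, session_key, true))`, and branch to the function's failure path, which lies outside this hunk. The call in cli_krb5_get_ticket (source3/libsmb/clikrb5.c) ignores the result in the same way.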
diff --git
a/source3/libsmb/clikrb5.c
b/source3/libsmb/clikrb5.c
index adec435728028c2a73e90fbd605a1400cd940424..68b45d89089be3245bb878d981f43af4b7a4e3a3 100644
--- a/
source3/libsmb/clikrb5.c
+++ b/
source3/libsmb/clikrb5.c
@@
-828,9
+828,10
@@
cleanup_princ:
/*
get a kerberos5 ticket for the given service
*/
/*
get a kerberos5 ticket for the given service
*/
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
+int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
+ const char *principal, time_t time_offset,
DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
- uint32 extra_ap_opts, const char *ccname,
+ uint32
_t
extra_ap_opts, const char *ccname,
time_t *tgs_expire,
const char *impersonate_princ_s)
time_t *tgs_expire,
const char *impersonate_princ_s)
@@
-881,10
+882,10
@@
int cli_krb5_get_ticket(const char *principal, time_t time_offset,
goto failed;
}
goto failed;
}
- get_krb5_smb_session_key(context, auth_context,
- session_key_krb5,
F
alse);
+ get_krb5_smb_session_key(
mem_ctx,
context, auth_context,
+ session_key_krb5,
f
alse);
- *ticket = data_blob
(
packet.data, packet.length);
+ *ticket = data_blob
_talloc(mem_ctx,
packet.data, packet.length);
kerberos_free_data_contents(context, &packet);
kerberos_free_data_contents(context, &packet);
@@
-901,7
+902,8
@@
failed:
return retval;
}
return retval;
}
-bool get_krb5_smb_session_key(krb5_context context,
+bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx,
+ krb5_context context,
krb5_auth_context auth_context,
DATA_BLOB *session_key, bool remote)
{
krb5_auth_context auth_context,
DATA_BLOB *session_key, bool remote)
{
@@
-925,9
+927,12
@@
bool get_krb5_smb_session_key(krb5_context context,
DEBUG(10, ("Got KRB5 session key of length %d\n",
(int)KRB5_KEY_LENGTH(skey)));
DEBUG(10, ("Got KRB5 session key of length %d\n",
(int)KRB5_KEY_LENGTH(skey)));
- *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
+ *session_key = data_blob_talloc(mem_ctx,
+ KRB5_KEY_DATA(skey),
+ KRB5_KEY_LENGTH(skey));
dump_data_pw("KRB5 Session Key:\n",
dump_data_pw("KRB5 Session Key:\n",
- session_key->data, session_key->length);
+ session_key->data,
+ session_key->length);
ret = true;
ret = true;
@@
-2277,8
+2282,10
@@
char *smb_krb5_principal_get_realm(krb5_context context,
#else /* HAVE_KRB5 */
/* this saves a few linking headaches */
#else /* HAVE_KRB5 */
/* this saves a few linking headaches */
- int cli_krb5_get_ticket(const char *principal, time_t time_offset,
- DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts,
+ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
+ const char *principal, time_t time_offset,
+ DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
+ uint32_t extra_ap_opts,
const char *ccname, time_t *tgs_expire,
const char *impersonate_princ_s)
{
const char *ccname, time_t *tgs_expire,
const char *impersonate_princ_s)
{
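Review bot: Neither `data_blob_talloc()` result is checked in this file. In get_krb5_smb_session_key the assignment to `*session_key` is followed by `ret = true` whether or not the copy was allocated, and in cli_krb5_get_ticket `*ticket` is assigned and the packet released without testing the blob. A guard after the key copy such as `if (session_key->data == NULL) { ret = false; }`, applied when the key length is non-zero, and a matching test on `ticket->data` that sets `retval` to `ENOMEM`, would stop an allocation failure from being reported as success. Both function bodies extend beyond the hunks shown, so the exact error path needs confirming against the full file.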
diff --git
a/source3/libsmb/clispnego.c
b/source3/libsmb/clispnego.c
index 66e023a91d1058e6ef43905375e34ee7d0252f6e..539b41105698751c88e647cee3f39692872855a9 100644
--- a/
source3/libsmb/clispnego.c
+++ b/
source3/libsmb/clispnego.c
@@
-301,12
+301,13
@@
int spnego_gen_krb5_negTokenInit(TALLOC_CTX *ctx,
const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_KERBEROS5, OID_NTLMSSP, NULL};
/* get a kerberos ticket for the service and extract the session key */
const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_KERBEROS5, OID_NTLMSSP, NULL};
/* get a kerberos ticket for the service and extract the session key */
- retval = cli_krb5_get_ticket(principal, time_offset,
- &tkt, session_key_krb5, extra_ap_opts, NULL,
- expire_time, NULL);
-
- if (retval)
+ retval = cli_krb5_get_ticket(
ctx,
principal, time_offset,
+ &tkt, session_key_krb5,
+ extra_ap_opts, NULL,
+ expire_time, NULL);
+ if (retval)
{
return retval;
return retval;
+ }
/* wrap that up in a nice GSS-API wrapping */
tkt_wrapped = spnego_gen_krb5_wrap(ctx, tkt, TOK_ID_KRB_AP_REQ);
/* wrap that up in a nice GSS-API wrapping */
tkt_wrapped = spnego_gen_krb5_wrap(ctx, tkt, TOK_ID_KRB_AP_REQ);
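--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1288,8 +1288,10 @@ static NTSTATUS create_krb5_auth_bind_req(struct rpc_pipe_client *cli,
 /* Create the ticket for the service principal and return it in a gss-api wrapped blob. */
- ret = cli_krb5_get_ticket(a->service_principal, 0, &tkt,
- &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL, NULL, NULL);
+ ret = cli_krb5_get_ticket(a, a->service_principal, 0,
+ &tkt, &a->session_key,
+ AP_OPTS_MUTUAL_REQUIRED, NULL,
+ NULL, NULL);
 if (ret) {
 DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s "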
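--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1602,8 +1602,9 @@ static bool manage_client_krb5_init(struct spnego_data spnego)
 spnego.negTokenInit.mechListMIC.length);
 principal[spnego.negTokenInit.mechListMIC.length] = '\0';
- retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL, NULL);
-
+ retval = cli_krb5_get_ticket(ctx, principal, 0,
+ &tkt, &session_key_krb5,
+ 0, NULL, NULL, NULL);
 if (retval) {
 char *user = NULL;
@@ -1626,8 +1627,9 @@ static bool manage_client_krb5_init(struct spnego_data spnego)
 return False;
 }
- retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL, NULL);
-
+ retval = cli_krb5_get_ticket(ctx, principal, 0,
+ &tkt, &session_key_krb5,
+ 0, NULL, NULL, NULL);
 if (retval) {
 DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval)));
 return False;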