#ifdef HAVE_KRB5
-#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
-#define KRB5_KEY_TYPE(k) ((k)->keytype)
-#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
-#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
-#define KRB5_KEY_DATA_CAST void
-#else /* MIT */
-#define KRB5_KEY_TYPE(k) ((k)->enctype)
-#define KRB5_KEY_LENGTH(k) ((k)->length)
-#define KRB5_KEY_DATA(k) ((k)->contents)
-#define KRB5_KEY_DATA_CAST krb5_octet
-#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
-
#define GSSAPI_CHECKSUM 0x8003 /* Checksum type value for Kerberos */
#define GSSAPI_BNDLENGTH 16 /* Bind Length (rfc-1964 pg.3) */
#define GSSAPI_CHECKSUM_SIZE (12+GSSAPI_BNDLENGTH)
DEBUG(3, ("ads_cleanup_expired_creds: Ticket in ccache[%s:%s] expiration %s\n",
cc_type, krb5_cc_get_name(context, ccache),
- http_timestring(credsp->times.endtime)));
+ http_timestring(talloc_tos(), credsp->times.endtime)));
/* we will probably need new tickets if the current ones
will expire within 10 seconds.
DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s:%s) is valid until: (%s - %u)\n",
principal, krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache),
- http_timestring((unsigned)credsp->times.endtime),
+ http_timestring(talloc_tos(), (unsigned)credsp->times.endtime),
(unsigned)credsp->times.endtime));
if (expire_time) {
ccache,
&in_data );
if (retval) {
- DEBUG( 1, ("ads_krb5_get_fwd_ticket failed (%s)\n", error_message( retval ) ) );
- goto cleanup_creds;
- }
-
- if (retval) {
- DEBUG( 1, ("krb5_auth_con_set_req_cksumtype failed (%s)\n",
- error_message( retval ) ) );
- goto cleanup_creds;
+ DEBUG( 3, ("ads_krb5_get_fwd_ticket failed (%s)\n",
+ error_message( retval ) ) );
+
+ /*
+ * This is not fatal. Delete the *auth_context and continue
+ * with krb5_mk_req_extended to get a non-forwardable ticket.
+ */
+
+ if (in_data.data) {
+ free( in_data.data );
+ in_data.data = NULL;
+ in_data.length = 0;
+ }
+ krb5_auth_con_free(context, *auth_context);
+ *auth_context = NULL;
}
-
}
#endif
krb5_error_code ret;
krb5_keytab keytab;
char *name = NULL;
+ krb5_keyblock *keyp;
/* We have to open a new keytab handle here, as MIT does
an implicit open/getnext/close on krb5_kt_get_entry. We
goto out;
}
-#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
- ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
-#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */
- ret = krb5_copy_keyblock(context, &entry.key, out_key);
-#else
-#error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT
-#endif
+ keyp = KRB5_KT_KEY(&entry);
+ ret = krb5_copy_keyblock(context, keyp, out_key);
if (ret) {
DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret)));
goto out;
#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */
}
- krb5_enctype smb_get_enctype_from_kt_entry(const krb5_keytab_entry *kt_entry)
+ krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry)
{
-#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
- return kt_entry->key.enctype;
-#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK) /* Heimdal */
- return kt_entry->keyblock.keytype;
-#else
-#error UNKNOWN_KRB5_KEYTAB_ENTRY_KEYBLOCK_FORMAT
-#endif
+ return KRB5_KEY_TYPE(KRB5_KT_KEY(kt_entry));
}
}
/* We now have a service ticket, now turn it into an AP-REQ. */
- authenticator->length = ntohs(fwdData.length + GSSAPI_CHECKSUM_SIZE);
+ authenticator->length = fwdData.length + GSSAPI_CHECKSUM_SIZE;
/* Caller should call free() when they're done with this. */
authenticator->data = (char *)pChksum;