r3492: Fixes from testing kerberos salted principal fix.
authorJeremy Allison <jra@samba.org>
Tue, 2 Nov 2004 21:28:14 +0000 (21:28 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 15:53:07 +0000 (10:53 -0500)
Jeremy.
(This used to be commit b356a8fdc5a1ac45f2f7f56a0836e794bdecddc6)

source3/libads/kerberos.c
source3/libads/kerberos_keytab.c
source3/utils/net_ads.c

index 6004bc8098bd80b39ae5998f30fcd5a415eca93b..32f5951c9fa38fd625aee8bba08e53d8e1eee7aa 100644 (file)
@@ -362,8 +362,8 @@ static krb5_error_code get_service_ticket(krb5_context ctx,
        }
 
        if ((err = krb5_get_credentials(ctx, 0, ccache, &creds, &new_creds))) {
-               DEBUG(5,("get_service_ticket: krb5_get_credentials for %s failed: %s\n", 
-                       service_s, error_message(err)));
+               DEBUG(5,("get_service_ticket: krb5_get_credentials for %s enctype %d failed: %s\n", 
+                       service_s, enctype, error_message(err)));
                goto out;
        }
 
@@ -602,23 +602,12 @@ static void kerberos_derive_salting_principal_for_enctype(const char *service_pr
  Go through all the possible enctypes for this principal.
  ************************************************************************/
 
- void kerberos_derive_salting_principal(krb5_context context,
+static void kerberos_derive_salting_principal_direct(krb5_context context,
                                        krb5_ccache ccache,
                                        krb5_enctype *enctypes,
                                        char *service_principal)
 {
        int i;
-       BOOL free_ccache = False;
-
-       if (ccache == NULL) {
-               krb5_error_code ret;
-               if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
-                       DEBUG(0, ("kerberos_derive_salting_principal: krb5_cc_resolve for %s failed: %s\n", 
-                               LIBADS_CCACHE_NAME, error_message(ret)));
-                       return;
-               }
-               free_ccache = True;
-       }
 
        /* Try for each enctype separately, because the rules are
         * different for different enctypes. */
@@ -640,9 +629,48 @@ static void kerberos_derive_salting_principal_for_enctype(const char *service_pr
                                                                enctypes[i],
                                                                enctypes);
        }
+}
 
-       if (free_ccache && ccache) {
-               krb5_cc_close(context, ccache);
+/************************************************************************
+ Wrapper function for the above.
+ ************************************************************************/
+
+void kerberos_derive_salting_principal(char *service_principal)
+{
+       krb5_context context = NULL;
+       krb5_enctype *enctypes = NULL;
+       krb5_ccache ccache = NULL;
+       krb5_error_code ret = 0;
+
+       initialize_krb5_error_table();
+       if ((ret = krb5_init_context(&context)) != 0) {
+               DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. %s\n",
+                       error_message(ret)));
+               return;
+       }
+       if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) {
+               DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n",
+                       error_message(ret)));
+               goto out;
+       }
+
+       if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
+               DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n", 
+                       LIBADS_CCACHE_NAME, error_message(ret)));
+               goto out;
+       }
+
+       kerberos_derive_salting_principal_direct(context, ccache, enctypes, service_principal);
+
+  out: 
+       if (enctypes) {
+               free_kerberos_etypes(context, enctypes);
+       }
+       if (ccache) {
+               krb5_cc_destroy(context, ccache);
+       }
+       if (context) {
+               krb5_free_context(context);
        }
 }
 
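Review bot: The new wrapper `kerberos_derive_salting_principal` is declared `void`, yet the added call in net_ads_join (the net_ads.c hunk further down) tests its result with `if (!kerberos_derive_salting_principal(machine_account))`, which is an invalid use of a void expression and will not compile, and the intent there is clearly to fail the join when salting fails. Give the wrapper a BOOL result in the style of `kerberos_derive_cifs_salting_principals`: `BOOL kerberos_derive_salting_principal(char *service_principal)`, `return False;` on the krb5_init_context failure, and `return (ret == 0);` after the cleanup at `out:` (every goto there leaves ret non-zero, and a successful krb5_cc_resolve leaves it zero). The DEBUG prefixes on the three new failure messages name `kerberos_derive_cifs_salting_principals` and `get_service_ticket` rather than this function, which misleads anyone reading logs; they should read `kerberos_derive_salting_principal:`. The cleanup also uses `krb5_cc_destroy` on LIBADS_CCACHE_NAME where the removed code used `krb5_cc_close`; if that named cache holds credentials other callers still rely on, this wipes them, so that choice is worth confirming or commenting.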
@@ -681,38 +709,38 @@ BOOL kerberos_derive_cifs_salting_principals(void)
 
        if (asprintf(&service, "%s$", global_myname()) != -1) {
                strlower_m(service);
-               kerberos_derive_salting_principal(context, ccache, enctypes, service);
+               kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
                SAFE_FREE(service);
        }
        if (asprintf(&service, "cifs/%s", global_myname()) != -1) {
                strlower_m(service);
-               kerberos_derive_salting_principal(context, ccache, enctypes, service);
+               kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
                SAFE_FREE(service);
        }
        if (asprintf(&service, "host/%s", global_myname()) != -1) {
                strlower_m(service);
-               kerberos_derive_salting_principal(context, ccache, enctypes, service);
+               kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
                SAFE_FREE(service);
        }
        if (asprintf(&service, "cifs/%s.%s", global_myname(), lp_realm()) != -1) {
                strlower_m(service);
-               kerberos_derive_salting_principal(context, ccache, enctypes, service);
+               kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
                SAFE_FREE(service);
        }
        if (asprintf(&service, "host/%s.%s", global_myname(), lp_realm()) != -1) {
                strlower_m(service);
-               kerberos_derive_salting_principal(context, ccache, enctypes, service);
+               kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
                SAFE_FREE(service);
        }
        name_to_fqdn(my_fqdn, global_myname());
        if (asprintf(&service, "cifs/%s", my_fqdn) != -1) {
                strlower_m(service);
-               kerberos_derive_salting_principal(context, ccache, enctypes, service);
+               kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
                SAFE_FREE(service);
        }
        if (asprintf(&service, "host/%s", my_fqdn) != -1) {
                strlower_m(service);
-               kerberos_derive_salting_principal(context, ccache, enctypes, service);
+               kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
                SAFE_FREE(service);
        }
 
index 90f5a376d6c0db217d721751850c2988e7d730a0..97374508ab36e651ab5ea5a00d7c2965e16a3f7e 100644 (file)
@@ -128,7 +128,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
        }
 
        /* Guess at how the KDC is salting keys for this principal. */
-       kerberos_derive_salting_principal(context, NULL, enctypes, princ_s);
+       kerberos_derive_salting_principal(princ_s);
 
        ret = krb5_parse_name(context, princ_s, &princ);
        if (ret) {
index 2202ee11e2fb0a0676043d0d2074ee3aaff221fa..9efa45e58f566667dc1745c3691aa89f87d5e16d 100644 (file)
@@ -823,6 +823,20 @@ int net_ads_join(int argc, const char **argv)
                return -1;
        }
 
+#ifdef HAVE_KRB5
+       if (!kerberos_derive_salting_principal(machine_account)) {
+               DEBUG(1,("Failed to determine salting principal\n"));
+               ads_destroy(&ads);
+               return -1;
+       }
+
+       if (!kerberos_derive_cifs_salting_principals()) {
+               DEBUG(1,("Failed to determine salting principals\n"));
+               ads_destroy(&ads);
+               return -1;
+       }
+#endif
+
        if (!secrets_store_domain_sid(short_domain_name, &dom_sid)) {
                DEBUG(1,("Failed to save domain sid\n"));
                ads_destroy(&ads);