syncing packaging files from 3.0
1 --- source/configure.in 22 Feb 2003 12:19:18 -0000      1.409
2 +++ source/configure.in 24 Feb 2003 06:04:25 -0000
3 @@ -627,6 +627,15 @@
4  fi
5  
6  ############################################
7 +# support for using Kerberos keytab instead of secrets database
8 +
9 +AC_ARG_ENABLE(keytab, 
10 +[  --enable-keytab         Turn on support for Kerberos keytabs in lieu of secrets DB (default=no)],
11 +    [if eval "test x$enable_keytab = xyes"; then
12 +       AC_DEFINE(USE_KEYTAB,1,[Use Kerberos keytab])
13 +    fi])
14 +
15 +############################################
16  # we need dlopen/dlclose/dlsym/dlerror for PAM, the password database plugins and the plugin loading code
17  AC_SEARCH_LIBS(dlopen, [dl])
18  # dlopen/dlclose/dlsym/dlerror will be checked again later and defines will be set then
19 --- source/passdb/secrets.c     1 Feb 2003 04:39:15 -0000       1.54
20 +++ source/passdb/secrets.c     24 Feb 2003 06:04:26 -0000
21 @@ -221,6 +221,72 @@
22         return True;
23  }
24  
25 +#ifdef USE_KEYTAB
26 +/************************************************************************
27 + Read local secret from the keytab
28 +************************************************************************/
29 +
30 +static BOOL secrets_fetch_keytab_password(uint8 ret_pwd[16], time_t *pass_last_set_time)
31 +{
32 +       char spn[MAXHOSTNAMELEN + 2], *p;
33 +       krb5_context context;
34 +       krb5_error_code ret;
35 +       krb5_principal princ;
36 +       krb5_keyblock *key;
37 +
38 +       ret = krb5_init_context(&context);
39 +       if (ret) {
40 +               DEBUG(1, ("secrets_fetch_keytab_password: failed to initialize Kerberos context\n"));
41 +               return False;
42 +       }
43 +
44 +       spn[sizeof(spn) - 1] = '\0';
45 +       if (gethostname(spn, sizeof(spn) - 2) < 0) {
46 +               DEBUG(1, ("secrets_fetch_keytab_password: could not determine local hostname\n"));
47 +               krb5_free_context(context);
48 +               return False;
49 +       }
50 +
51 +       for (p = spn; *p && *p != '.'; p++)
52 +               *p = toupper(*p);
53 +       *p++ = '$';
54 +       *p = '\0';
55 +
56 +       ret = krb5_parse_name(context, spn, &princ);
57 +       if (ret) {
58 +               DEBUG(1, ("secrets_fetch_keytab_password: failed to parse name %s\n", spn));
59 +               krb5_free_context(context);
60 +               return False;
61 +       }
62 +
63 +#ifdef ENCTYPE_ARCFOUR_HMAC
64 +       ret = krb5_kt_read_service_key(context, NULL, princ, 0, ENCTYPE_ARCFOUR_HMAC, &key);
65 +#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
66 +       ret = krb5_kt_read_service_key(context, NULL, princ, 0, ENCTYPE_ARCFOUR_HMAC_MD5, &key);
67 +#else
68 +#error ENCTYPE_ARCFOUR_HMAC or ENCTYPE_ARCFOUR_HMAC_MD5 required for keytab secret storage
69 +#endif 
70 +       if (ret) {
71 +               DEBUG(1, ("secrets_fetch_keytab_password: failed to read secret for %s\n", spn));
72 +               krb5_free_context(context);
73 +               return False;
74 +       }
75 +       if (key->keyvalue.length != 16) {
76 +               DEBUG(1, ("secrets_fetch_keytab_password: key is incorrect length\n"));
77 +               krb5_free_context(context);
78 +               return False;
79 +       }
80 +
81 +       memcpy(ret_pwd, key->keyvalue.data, key->keyvalue.length);
82 +       time(pass_last_set_time); /* XXX */
83 +
84 +       krb5_free_keyblock(context, key);
85 +       krb5_free_context(context);
86 +
87 +       return True;
88 +}
89 +#endif /* USE_KEYTAB */
90 +
91  /************************************************************************
92   Routine to get the trust account password for a domain.
93   The user of this function must have locked the trust password file using
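Review bot: secrets_fetch_keytab_password never frees the principal that krb5_parse_name allocates, and the key-length-mismatch branch returns without krb5_free_keyblock, so every exit after the parse leaks the principal and that one branch leaks the keyblock too. The hostname sentinel is also placed one byte too far: gethostname is given sizeof(spn) - 2 bytes and, on platforms where it truncates without returning an error, need not terminate, so spn[sizeof(spn) - 2] is uninitialized, the upper-casing loop can run on to the terminator in the last byte, and `*p++ = '$'; *p = '\0';` then writes one past the array — `spn[sizeof(spn) - 2] = '\0';` placed after the gethostname call closes that. Reading `key->keyvalue.length` / `.data` directly is inconsistent with the KRB5_KEY_LENGTH()/KRB5_KEY_DATA() wrappers the same patch uses in clikrb5.c, and presumably that field name only matches one of the two krb5 implementations. `time(pass_last_set_time); /* XXX */` reports the fetch time as the last-set time, which deserves a comment such as `/* keytab carries no set time: callers' password-age checks always see a fresh key */` rather than an XXX. A goto-based cleanup (with a `BOOL ok = False;` local) fixes the leaks:
```c
	ret = krb5_parse_name(context, spn, &princ);
	if (ret) {
		DEBUG(1, ("secrets_fetch_keytab_password: failed to parse name %s\n", spn));
		krb5_free_context(context);
		return False;
	}

	/* … unchanged: ENCTYPE_ARCFOUR_HMAC / _MD5 selection for krb5_kt_read_service_key … */
	if (ret) {
		DEBUG(1, ("secrets_fetch_keytab_password: failed to read secret for %s\n", spn));
		goto out_princ;
	}
	if (KRB5_KEY_LENGTH(key) != 16) {
		DEBUG(1, ("secrets_fetch_keytab_password: key is incorrect length\n"));
		goto out_key;
	}

	memcpy(ret_pwd, KRB5_KEY_DATA(key), KRB5_KEY_LENGTH(key));
	/* keytab carries no set time: callers' password-age checks always see a fresh key */
	time(pass_last_set_time);
	ok = True;

out_key:
	krb5_free_keyblock(context, key);
out_princ:
	krb5_free_principal(context, princ);
	krb5_free_context(context);
	return ok;
```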
94 @@ -243,6 +309,12 @@
95                 pass_last_set_time = 0;
96                 return True;
97         }
98 +
99 +#ifdef USE_KEYTAB
100 +       if (is_myworkgroup(domain)) {
101 +               return secrets_fetch_keytab_password(ret_pwd, pass_last_set_time);
102 +       }
103 +#endif /* USE_KEYTAB */
104  
105         if (!(pass = secrets_fetch(trust_keystr(domain), &size))) {
106                 DEBUG(5, ("secrets_fetch failed!\n"));
107  
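Review bot: The early return added under USE_KEYTAB gives no reason why our own workgroup is special-cased ahead of the secrets_fetch lookup that follows, and a reader of this function will not see the keytab reader defined further up. A one-line comment above the is_myworkgroup() test would carry that: `/* With USE_KEYTAB the machine account key for our own workgroup lives in the keytab, not in the secrets DB. */`. The enclosing function starts and ends outside the hunk.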
108 --- source/libsmb/clikrb5.c     2003-07-02 00:32:55.000000000 +0200
109 +++ source/libsmb/clikrb5.c     2003-07-02 00:37:22.000000000 +0200
110 @@ -316,11 +316,13 @@
111         krb5_enctype enc_types[] = {
112  #ifdef ENCTYPE_ARCFOUR_HMAC
113                 ENCTYPE_ARCFOUR_HMAC,
114 +#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
115 +               ENCTYPE_ARCFOUR_HMAC_MD5,
116  #endif 
117                 ENCTYPE_DES_CBC_MD5, 
118                 ENCTYPE_DES_CBC_CRC, 
119                 ENCTYPE_NULL};
120 -       
121 +       
122         retval = krb5_init_context(&context);
123         if (retval) {
124                 DEBUG(1,("krb5_init_context failed (%s)\n", 
125 @@ -367,24 +369,26 @@
126  
127   BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16])
128   {
129 -#ifdef ENCTYPE_ARCFOUR_HMAC
130         krb5_keyblock *skey;
131 -#endif
132         BOOL ret = False;
133  
134         memset(session_key, 0, 16);
135  
136 -#ifdef ENCTYPE_ARCFOUR_HMAC
137 +#if defined(ENCTYPE_ARCFOUR_HMAC) || defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
138         if (krb5_auth_con_getremotesubkey(context, auth_context, &skey) == 0 && skey != NULL) {
139                 if (KRB5_KEY_TYPE(skey) ==
140 +# ifdef ENCTYPE_ARCFOUR_HMAC
141                     ENCTYPE_ARCFOUR_HMAC
142 +# else
143 +                   ENCTYPE_ARCFOUR_HMAC_MD5
144 +# endif /* ENCTYPE_ARCFOUR_HMAC */
145                     && KRB5_KEY_LENGTH(skey) == 16) {
146                         memcpy(session_key, KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
147                         ret = True;
148                 }
149                 krb5_free_keyblock(context, skey);
150         }
151 -#endif /* ENCTYPE_ARCFOUR_HMAC */
152 +#endif /* ENCTYPE_ARCFOUR_HMAC || HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */
153  
154         return ret;
155   }
156 @@ -395,5 +399,12 @@
157          DEBUG(0,("NO KERBEROS SUPPORT\n"));
158          return data_blob(NULL, 0);
159   }
160 +BOOL krb5_get_smb_session_key(krb5_context context, krb5_auth_context ac, uint8 session_key[16])
161 + {
162 +       DEBUG(0,("NO KERBEROS SUPPORT\n"));
163 +       memset(session_key, 0, 16);
164 +       return False;
165 + }
166 + //#endif
167  
168  #endif
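Review bot: The no-Kerberos stub added here is named `krb5_get_smb_session_key`, while the real implementation earlier in this file (second hunk) is `get_krb5_smb_session_key`, so a build without Kerberos presumably still gets an undefined reference from callers of the latter and gains an unused symbol instead; the signature line should read `BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context ac, uint8 session_key[16])`. The stray ` //#endif` line is a commented-out directive and should be dropped rather than committed. The `//` comment style is also not used elsewhere in the visible hunks of this file.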
169 --- source/libads/kerberos_verify.c     2003-06-28 23:40:55.000000000 +0200
170 +++ source/libads/kerberos_verify.c     2003-07-02 00:50:13.000000000 +0200
171 @@ -38,7 +38,9 @@
172         krb5_keytab keytab = NULL;
173         krb5_data packet;
174         krb5_ticket *tkt = NULL;
175 -       int ret, i;
176 +       int ret;
177 +#ifndef USE_KEYTAB
178 +       int i;
179         krb5_keyblock * key;
180         krb5_principal host_princ;
181         char *host_princ_s;
182 @@ -46,8 +48,10 @@
183         char *password_s;
184         krb5_data password;
185         krb5_enctype *enctypes = NULL;
186 +#endif /* USE_KEYTAB */
187         BOOL auth_ok = False;
188  
189 +#ifndef USE_KEYTAB
190         if (!secrets_init()) {
191                 DEBUG(1,("secrets_init failed\n"));
192                 return NT_STATUS_LOGON_FAILURE;
193 @@ -61,6 +65,7 @@
194  
195         password.data = password_s;
196         password.length = strlen(password_s);
197 +#endif /* USE_KEYTAB */
198  
199         ret = krb5_init_context(&context);
200         if (ret) {
201 @@ -82,7 +87,16 @@
202                 DEBUG(1,("krb5_auth_con_init failed (%s)\n", error_message(ret)));
203                 return NT_STATUS_LOGON_FAILURE;
204         }
205 +#ifdef USE_KEYTAB
206 +       packet.length = ticket->length;
207 +       packet.data = (krb5_pointer)ticket->data;
208  
209 +       if (!(ret = krb5_rd_req(context, &auth_context, &packet, 
210 +                               NULL, keytab, NULL, &tkt))) {
211 +               auth_ok = True;
212 +       }
213 +
214 +#else
215         fstrcpy(myname, global_myname());
216         strlower(myname);
217         asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm());
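Review bot: The USE_KEYTAB branch calls krb5_rd_req with a NULL server principal, so a ticket for any principal whose key is in the keytab (`keytab` is NULL from the declaration in the first hunk, i.e. the default keytab) is accepted, whereas the secrets-DB branch below pins the service to the HOST/<name>@<realm> principal it builds with asprintf. If the looser match is intended, it should be stated at the call: `/* server == NULL: accept a ticket for any principal in the default keytab */`; otherwise build host_princ before the #ifdef and pass it in place of the first NULL. Note that the host_princ/host_princ_s declarations were moved under #ifndef USE_KEYTAB in the first hunk of this file, so they would need to move back out for that. The enclosing function starts and ends outside the hunk.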
218 @@ -121,6 +135,9 @@
219                 }
220         }
221  
222 +       SAFE_FREE(key);
223 +#endif /* USE_KEYTAB */
224 +
225         if (!auth_ok) {
226                 DEBUG(3,("krb5_rd_req with auth failed (%s)\n", 
227                          error_message(ret)));
228 --- source/Makefile.in  2003-07-01 23:35:49.000000000 +0200
229 +++ source/Makefile.in  2003-07-02 01:20:09.000000000 +0200
230 @@ -806,7 +806,7 @@
231  
232  bin/pdbedit@EXEEXT@: $(PDBEDIT_OBJ) @BUILD_POPT@ bin/.dummy
233         @echo Linking $@
234 -       @$(CC) $(FLAGS) -o $@ $(IDMAP_LIBS) $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(PASSDBLIBS)
235 +       @$(CC) $(FLAGS) -o $@ $(IDMAP_LIBS) $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(PASSDBLIBS) $(KRB5LIBS)
236  
237  bin/samtest@EXEEXT@: $(SAMTEST_OBJ) @BUILD_POPT@ bin/.dummy
238         @echo Linking $@
239 @@ -1062,7 +1062,7 @@
240  
241  bin/wbinfo@EXEEXT@: $(WBINFO_OBJ) @BUILD_POPT@ bin/.dummy
242         @echo Linking $@
243 -       @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@
244 +       @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@ $(KRB5LIBS)
245  
246  bin/ntlm_auth@EXEEXT@: $(NTLM_AUTH_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \
247                 $(UBIQX_OBJ) @BUILD_POPT@ bin/.dummy