packaging/SuSE/samba-mutual-auth.diff

   1 --- source/configure.in 22 Feb 2003 12:19:18 -0000      1.409
   2 +++ source/configure.in 24 Feb 2003 06:04:25 -0000
   3 @@ -627,6 +627,15 @@
   4  fi
   5
   6  ############################################
   7 +# support for using Kerberos keytab instead of secrets database
   8 +
   9 +AC_ARG_ENABLE(keytab,
  10 +[  --enable-keytab         Turn on support for Kerberos keytabs in lieu of secrets DB (default=no)],
  11 +    [if eval "test x$enable_keytab = xyes"; then
  12 +       AC_DEFINE(USE_KEYTAB,1,[Use Kerberos keytab])
  13 +    fi])
  14 +
  15 +############################################
  16  # we need dlopen/dlclose/dlsym/dlerror for PAM, the password database plugins and the plugin loading code
  17  AC_SEARCH_LIBS(dlopen, [dl])
  18  # dlopen/dlclose/dlsym/dlerror will be checked again later and defines will be set then
  19 --- source/passdb/secrets.c     1 Feb 2003 04:39:15 -0000       1.54
  20 +++ source/passdb/secrets.c     24 Feb 2003 06:04:26 -0000
  21 @@ -221,6 +221,72 @@
  22         return True;
  23  }
  24
  25 +#ifdef USE_KEYTAB
  26 +/************************************************************************
  27 + Read local secret from the keytab
  28 +************************************************************************/
  29 +
  30 +static BOOL secrets_fetch_keytab_password(uint8 ret_pwd[16], time_t *pass_last_set_time)
  31 +{
  32 +       char spn[MAXHOSTNAMELEN + 2], *p;
  33 +       krb5_context context;
  34 +       krb5_error_code ret;
  35 +       krb5_principal princ;
  36 +       krb5_keyblock *key;
  37 +
  38 +       ret = krb5_init_context(&context);
  39 +       if (ret) {
  40 +               DEBUG(1, ("secrets_fetch_keytab_password: failed to initialize Kerberos context\n"));
  41 +               return False;
  42 +       }
  43 +
  44 +       spn[sizeof(spn) - 1] = '\0';
  45 +       if (gethostname(spn, sizeof(spn) - 2) < 0) {
  46 +               DEBUG(1, ("secrets_fetch_keytab_password: could not determine local hostname\n"));
  47 +               krb5_free_context(context);
  48 +               return False;
  49 +       }
  50 +
  51 +       for (p = spn; *p && *p != '.'; p++)
  52 +               *p = toupper(*p);
  53 +       *p++ = '$';
  54 +       *p = '\0';
  55 +
  56 +       ret = krb5_parse_name(context, spn, &princ);
  57 +       if (ret) {
  58 +               DEBUG(1, ("secrets_fetch_keytab_password: failed to parse name %s\n", spn));
  59 +               krb5_free_context(context);
  60 +               return False;
  61 +       }
  62 +
  63 +#ifdef ENCTYPE_ARCFOUR_HMAC
  64 +       ret = krb5_kt_read_service_key(context, NULL, princ, 0, ENCTYPE_ARCFOUR_HMAC, &key);
  65 +#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
  66 +       ret = krb5_kt_read_service_key(context, NULL, princ, 0, ENCTYPE_ARCFOUR_HMAC_MD5, &key);
  67 +#else
  68 +#error ENCTYPE_ARCFOUR_HMAC or ENCTYPE_ARCFOUR_HMAC_MD5 required for keytab secret storage
  69 +#endif
  70 +       if (ret) {
  71 +               DEBUG(1, ("secrets_fetch_keytab_password: failed to read secret for %s\n", spn));
  72 +               krb5_free_context(context);
  73 +               return False;
  74 +       }
  75 +       if (key->keyvalue.length != 16) {
  76 +               DEBUG(1, ("secrets_fetch_keytab_password: key is incorrect length\n"));
  77 +               krb5_free_context(context);
  78 +               return False;
  79 +       }
  80 +
  81 +       memcpy(ret_pwd, key->keyvalue.data, key->keyvalue.length);
  82 +       time(pass_last_set_time); /* XXX */
  83 +
  84 +       krb5_free_keyblock(context, key);
  85 +       krb5_free_context(context);
  86 +
  87 +       return True;
  88 +}
  89 +#endif /* USE_KEYTAB */
  90 +
  91  /************************************************************************
  92   Routine to get the trust account password for a domain.
  93   The user of this function must have locked the trust password file using
  94 @@ -243,6 +309,12 @@
  95                 pass_last_set_time = 0;
  96                 return True;
  97         }
  98 +
  99 +#ifdef USE_KEYTAB
 100 +       if (is_myworkgroup(domain)) {
 101 +               return secrets_fetch_keytab_password(ret_pwd, pass_last_set_time);
 102 +       }
 103 +#endif /* USE_KEYTAB */
 104
 105         if (!(pass = secrets_fetch(trust_keystr(domain), &size))) {
 106                 DEBUG(5, ("secrets_fetch failed!\n"));
 107
 108 --- source/libsmb/clikrb5.c     2003-07-02 00:32:55.000000000 +0200
 109 +++ source/libsmb/clikrb5.c     2003-07-02 00:37:22.000000000 +0200
 110 @@ -316,11 +316,13 @@
 111         krb5_enctype enc_types[] = {
 112  #ifdef ENCTYPE_ARCFOUR_HMAC
 113                 ENCTYPE_ARCFOUR_HMAC,
 114 +#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
 115 +               ENCTYPE_ARCFOUR_HMAC_MD5,
 116  #endif
 117                 ENCTYPE_DES_CBC_MD5,
 118                 ENCTYPE_DES_CBC_CRC,
 119                 ENCTYPE_NULL};
 120 -
 121 +
 122         retval = krb5_init_context(&context);
 123         if (retval) {
 124                 DEBUG(1,("krb5_init_context failed (%s)\n",
 125 @@ -367,24 +369,26 @@
 126
 127   BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16])
 128   {
 129 -#ifdef ENCTYPE_ARCFOUR_HMAC
 130         krb5_keyblock *skey;
 131 -#endif
 132         BOOL ret = False;
 133
 134         memset(session_key, 0, 16);
 135
 136 -#ifdef ENCTYPE_ARCFOUR_HMAC
 137 +#if defined(ENCTYPE_ARCFOUR_HMAC) || defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
 138         if (krb5_auth_con_getremotesubkey(context, auth_context, &skey) == 0 && skey != NULL) {
 139                 if (KRB5_KEY_TYPE(skey) ==
 140 +# ifdef ENCTYPE_ARCFOUR_HMAC
 141                     ENCTYPE_ARCFOUR_HMAC
 142 +# else
 143 +                   ENCTYPE_ARCFOUR_HMAC_MD5
 144 +# endif /* ENCTYPE_ARCFOUR_HMAC */
 145                     && KRB5_KEY_LENGTH(skey) == 16) {
 146                         memcpy(session_key, KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
 147                         ret = True;
 148                 }
 149                 krb5_free_keyblock(context, skey);
 150         }
 151 -#endif /* ENCTYPE_ARCFOUR_HMAC */
 152 +#endif /* ENCTYPE_ARCFOUR_HMAC || HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */
 153
 154         return ret;
 155   }
 156 @@ -395,5 +399,12 @@
 157          DEBUG(0,("NO KERBEROS SUPPORT\n"));
 158          return data_blob(NULL, 0);
 159   }
 160 +BOOL krb5_get_smb_session_key(krb5_context context, krb5_auth_context ac, uint8 session_key[16])
 161 + {
 162 +       DEBUG(0,("NO KERBEROS SUPPORT\n"));
 163 +       memset(session_key, 0, 16);
 164 +       return False;
 165 + }
 166 + //#endif
 167
 168  #endif
 169 --- source/libads/kerberos_verify.c     2003-06-28 23:40:55.000000000 +0200
 170 +++ source/libads/kerberos_verify.c     2003-07-02 00:50:13.000000000 +0200
 171 @@ -38,7 +38,9 @@
 172         krb5_keytab keytab = NULL;
 173         krb5_data packet;
 174         krb5_ticket *tkt = NULL;
 175 -       int ret, i;
 176 +       int ret;
 177 +#ifndef USE_KEYTAB
 178 +       int i;
 179         krb5_keyblock * key;
 180         krb5_principal host_princ;
 181         char *host_princ_s;
 182 @@ -46,8 +48,10 @@
 183         char *password_s;
 184         krb5_data password;
 185         krb5_enctype *enctypes = NULL;
 186 +#endif /* USE_KEYTAB */
 187         BOOL auth_ok = False;
 188
 189 +#ifndef USE_KEYTAB
 190         if (!secrets_init()) {
 191                 DEBUG(1,("secrets_init failed\n"));
 192                 return NT_STATUS_LOGON_FAILURE;
 193 @@ -61,6 +65,7 @@
 194
 195         password.data = password_s;
 196         password.length = strlen(password_s);
 197 +#endif /* USE_KEYTAB */
 198
 199         ret = krb5_init_context(&context);
 200         if (ret) {
 201 @@ -82,7 +87,16 @@
 202                 DEBUG(1,("krb5_auth_con_init failed (%s)\n", error_message(ret)));
 203                 return NT_STATUS_LOGON_FAILURE;
 204         }
 205 +#ifdef USE_KEYTAB
 206 +       packet.length = ticket->length;
 207 +       packet.data = (krb5_pointer)ticket->data;
 208
 209 +       if (!(ret = krb5_rd_req(context, &auth_context, &packet,
 210 +                               NULL, keytab, NULL, &tkt))) {
 211 +               auth_ok = True;
 212 +       }
 213 +
 214 +#else
 215         fstrcpy(myname, global_myname());
 216         strlower(myname);
 217         asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm());
 218 @@ -121,6 +135,9 @@
 219                 }
 220         }
 221
 222 +       SAFE_FREE(key);
 223 +#endif /* USE_KEYTAB */
 224 +
 225         if (!auth_ok) {
 226                 DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
 227                          error_message(ret)));
 228 --- source/Makefile.in  2003-07-01 23:35:49.000000000 +0200
 229 +++ source/Makefile.in  2003-07-02 01:20:09.000000000 +0200
 230 @@ -806,7 +806,7 @@
 231
 232  bin/pdbedit@EXEEXT@: $(PDBEDIT_OBJ) @BUILD_POPT@ bin/.dummy
 233         @echo Linking $@
 234 -       @$(CC) $(FLAGS) -o $@ $(IDMAP_LIBS) $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(PASSDBLIBS)
 235 +       @$(CC) $(FLAGS) -o $@ $(IDMAP_LIBS) $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(PASSDBLIBS) $(KRB5LIBS)
 236
 237  bin/samtest@EXEEXT@: $(SAMTEST_OBJ) @BUILD_POPT@ bin/.dummy
 238         @echo Linking $@
 239 @@ -1062,7 +1062,7 @@
 240
 241  bin/wbinfo@EXEEXT@: $(WBINFO_OBJ) @BUILD_POPT@ bin/.dummy
 242         @echo Linking $@
 243 -       @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@
 244 +       @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@ $(KRB5LIBS)
 245
 246  bin/ntlm_auth@EXEEXT@: $(NTLM_AUTH_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \
 247                 $(UBIQX_OBJ) @BUILD_POPT@ bin/.dummy