}
#endif
if (add_netbios_addr) {
- if ((code = smb_krb5_gen_netbios_krb5_address(&addr))) {
+ if ((code = smb_krb5_gen_netbios_krb5_address(&addr,
+ lp_netbios_name()))) {
goto out;
}
krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
fstring salt;
fstr_sprintf( salt, "host/%s.%s@", lp_netbios_name(), lp_realm() );
- strlower_m( salt );
+ (void)strlower_m( salt );
fstrcat( salt, lp_realm() );
return SMB_STRDUP( salt );
/************************************************************************
************************************************************************/
+static
char* kerberos_secrets_fetch_des_salt( void )
{
char *salt, *key;
if ( (key = des_salt_key()) == NULL ) {
DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
- return False;
+ return NULL;
}
salt = (char*)secrets_fetch( key, NULL );
return salt;
}
-/************************************************************************
- Routine to get the default realm from the kerberos credentials cache.
- Caller must free if the return value is not NULL.
-************************************************************************/
-
-char *kerberos_get_default_realm_from_ccache( void )
-{
- char *realm = NULL;
- krb5_context ctx = NULL;
- krb5_ccache cc = NULL;
- krb5_principal princ = NULL;
-
- initialize_krb5_error_table();
- if (krb5_init_context(&ctx)) {
- return NULL;
- }
-
- DEBUG(5,("kerberos_get_default_realm_from_ccache: "
- "Trying to read krb5 cache: %s\n",
- krb5_cc_default_name(ctx)));
- if (krb5_cc_default(ctx, &cc)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
- "failed to read default cache\n"));
- goto out;
- }
- if (krb5_cc_get_principal(ctx, cc, &princ)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
- "failed to get default principal\n"));
- goto out;
- }
-
-#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
- realm = SMB_STRDUP(krb5_principal_get_realm(ctx, princ));
-#elif defined(HAVE_KRB5_PRINC_REALM)
- {
- krb5_data *realm_data = krb5_princ_realm(ctx, princ);
- realm = SMB_STRNDUP(realm_data->data, realm_data->length);
- }
-#endif
-
- out:
-
- if (ctx) {
- if (princ) {
- krb5_free_principal(ctx, princ);
- }
- if (cc) {
- krb5_cc_close(ctx, cc);
- }
- krb5_free_context(ctx);
- }
-
- return realm;
-}
-
-/************************************************************************
- Routine to get the realm from a given DNS name. Returns malloc'ed memory.
- Caller must free() if the return value is not NULL.
-************************************************************************/
-
-char *kerberos_get_realm_from_hostname(const char *hostname)
-{
-#if defined(HAVE_KRB5_GET_HOST_REALM) && defined(HAVE_KRB5_FREE_HOST_REALM)
-#if defined(HAVE_KRB5_REALM_TYPE)
- /* Heimdal. */
- krb5_realm *realm_list = NULL;
-#else
- /* MIT */
- char **realm_list = NULL;
-#endif
- char *realm = NULL;
- krb5_error_code kerr;
- krb5_context ctx = NULL;
-
- initialize_krb5_error_table();
- if (krb5_init_context(&ctx)) {
- return NULL;
- }
-
- kerr = krb5_get_host_realm(ctx, hostname, &realm_list);
- if (kerr != 0) {
- DEBUG(3,("kerberos_get_realm_from_hostname %s: "
- "failed %s\n",
- hostname ? hostname : "(NULL)",
- error_message(kerr) ));
- goto out;
- }
-
- if (realm_list && realm_list[0]) {
- realm = SMB_STRDUP(realm_list[0]);
- }
-
- out:
-
- if (ctx) {
- if (realm_list) {
- krb5_free_host_realm(ctx, realm_list);
- realm_list = NULL;
- }
- krb5_free_context(ctx);
- ctx = NULL;
- }
- return realm;
-#else
- return NULL;
-#endif
-}
-
/************************************************************************
Routine to get the salting principal for this service. This is
maintained for backwards compatibilty with releases prior to 3.0.24.
to look for the older tdb keys. Caller must free if return is not null.
************************************************************************/
+static
krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
krb5_principal host_princ,
int enctype)
return ret_princ;
}
+int create_kerberos_key_from_string(krb5_context context,
+ krb5_principal host_princ,
+ krb5_data *password,
+ krb5_keyblock *key,
+ krb5_enctype enctype,
+ bool no_salt)
+{
+ krb5_principal salt_princ = NULL;
+ int ret;
+ /*
+ * Check if we've determined that the KDC is salting keys for this
+ * principal/enctype in a non-obvious way. If it is, try to match
+ * its behavior.
+ */
+ if (no_salt) {
+ KRB5_KEY_DATA(key) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length);
+ if (!KRB5_KEY_DATA(key)) {
+ return ENOMEM;
+ }
+ memcpy(KRB5_KEY_DATA(key), password->data, password->length);
+ KRB5_KEY_LENGTH(key) = password->length;
+ KRB5_KEY_TYPE(key) = enctype;
+ return 0;
+ }
+ salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
+ ret = smb_krb5_create_key_from_string(context,
+ salt_princ ? salt_princ : host_princ,
+ NULL,
+ password,
+ enctype,
+ key);
+ if (salt_princ) {
+ krb5_free_principal(context, salt_princ);
+ }
+ return ret;
+}
+
/************************************************************************
Routine to set the salting principal for this service. Active
Directory may use a non-obvious principal name to generate the salt
/************************************************************************
************************************************************************/
-static char *print_kdc_line(char *mem_ctx,
- const char *prev_line,
- const struct sockaddr_storage *pss,
- const char *kdc_name)
-{
- char addr[INET6_ADDRSTRLEN];
- uint16_t port = get_sockaddr_port(pss);
-
- if (pss->ss_family == AF_INET) {
- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
- prev_line,
- print_canonical_sockaddr(mem_ctx, pss));
- }
-
- /*
- * IPv6 starts here
- */
-
- DEBUG(10, ("print_kdc_line: IPv6 case for kdc_name: %s, port: %d\n",
- kdc_name, port));
-
- if (port != 0 && port != DEFAULT_KRB5_PORT) {
- /* Currently for IPv6 we can't specify a non-default
- krb5 port with an address, as this requires a ':'.
- Resolve to a name. */
- char hostname[MAX_DNS_NAME_LENGTH];
- int ret = sys_getnameinfo((const struct sockaddr *)pss,
- sizeof(*pss),
- hostname, sizeof(hostname),
- NULL, 0,
- NI_NAMEREQD);
- if (ret) {
- DEBUG(0,("print_kdc_line: can't resolve name "
- "for kdc with non-default port %s. "
- "Error %s\n.",
- print_canonical_sockaddr(mem_ctx, pss),
- gai_strerror(ret)));
- return NULL;
- }
- /* Success, use host:port */
- return talloc_asprintf(mem_ctx,
- "%s\tkdc = %s:%u\n",
- prev_line,
- hostname,
- (unsigned int)port);
- }
-
- /* no krb5 lib currently supports "kdc = ipv6 address"
- * at all, so just fill in just the kdc_name if we have
- * it and let the krb5 lib figure out the appropriate
- * ipv6 address - gd */
-
- if (kdc_name) {
- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
- prev_line, kdc_name);
- }
-
- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
- prev_line,
- print_sockaddr(addr,
- sizeof(addr),
- pss));
-}
-
/************************************************************************
Create a string list of available kdc's, possibly searching by sitename.
Does DNS queries.
*num_addrs += 1;
}
+/* print_canonical_sockaddr prints an ipv6 addr in the form of
+* [ipv6.addr]. This string, when put in a generated krb5.conf file is not
+* always properly dealt with by some older krb5 libraries. Adding the hard-coded
+* portnumber workarounds the issue. - gd */
+
+static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx,
+ const struct sockaddr_storage *pss)
+{
+ char *str = NULL;
+
+ str = print_canonical_sockaddr(mem_ctx, pss);
+ if (str == NULL) {
+ return NULL;
+ }
+
+ if (pss->ss_family != AF_INET6) {
+ return str;
+ }
+
+#if defined(HAVE_IPV6)
+ str = talloc_asprintf_append(str, ":88");
+#endif
+ return str;
+}
+
static char *get_kdc_ip_string(char *mem_ctx,
const char *realm,
const char *sitename,
- const struct sockaddr_storage *pss,
- const char *kdc_name)
+ const struct sockaddr_storage *pss)
{
TALLOC_CTX *frame = talloc_stackframe();
int i;
char *result = NULL;
struct netlogon_samlogon_response **responses = NULL;
NTSTATUS status;
- char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name);
+ char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
+ print_canonical_sockaddr_with_port(mem_ctx, pss));
if (kdc_str == NULL) {
+ TALLOC_FREE(frame);
return NULL;
}
}
/* Append to the string - inefficient but not done often. */
- new_kdc_str = print_kdc_line(mem_ctx, kdc_str,
- &dc_addrs[i],
- kdc_name);
+ new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
+ kdc_str,
+ print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
if (new_kdc_str == NULL) {
goto fail;
}
bool create_local_private_krb5_conf_for_domain(const char *realm,
const char *domain,
const char *sitename,
- const struct sockaddr_storage *pss,
- const char *kdc_name)
+ const struct sockaddr_storage *pss)
{
char *dname;
char *tmpname = NULL;
int fd;
char *realm_upper = NULL;
bool result = false;
+ char *aes_enctypes = NULL;
+ mode_t mask;
if (!lp_create_krb5_conf()) {
return false;
}
+ if (realm == NULL) {
+ DEBUG(0, ("No realm has been specified! Do you really want to "
+ "join an Active Directory server?\n"));
+ return false;
+ }
+
+ if (domain == NULL || pss == NULL) {
+ return false;
+ }
+
dname = lock_path("smb_krb5");
if (!dname) {
return false;
fname, realm, domain ));
realm_upper = talloc_strdup(fname, realm);
- strupper_m(realm_upper);
+ if (!strupper_m(realm_upper)) {
+ goto done;
+ }
- kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name);
+ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
if (!kdc_ip_string) {
goto done;
}
+ aes_enctypes = talloc_strdup(fname, "");
+ if (aes_enctypes == NULL) {
+ goto done;
+ }
+
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
+ if (aes_enctypes == NULL) {
+ goto done;
+ }
+#endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
+ if (aes_enctypes == NULL) {
+ goto done;
+ }
+#endif
+
file_contents = talloc_asprintf(fname,
"[libdefaults]\n\tdefault_realm = %s\n"
- "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
- "\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
- "\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
+ "\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+ "\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+ "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
"[realms]\n\t%s = {\n"
"\t%s\t}\n",
- realm_upper, realm_upper, kdc_ip_string);
+ realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
+ realm_upper, kdc_ip_string);
if (!file_contents) {
goto done;
flen = strlen(file_contents);
+ mask = umask(S_IRWXO | S_IRWXG);
fd = mkstemp(tmpname);
+ umask(mask);
if (fd == -1) {
DEBUG(0,("create_local_private_krb5_conf_for_domain: smb_mkstemp failed,"
" for file %s. Errno %s\n",