2 Unix SMB/CIFS implementation.
3 simple kerberos5 routines for active directory
4 Copyright (C) Andrew Tridgell 2001
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 we can't use krb5_mk_req because w2k wants the service to be in a particular format
27 static krb5_error_code krb5_mk_req2(krb5_context context,
28 krb5_auth_context *auth_context,
29 const krb5_flags ap_req_options,
30 const char *principal,
34 krb5_error_code retval;
35 krb5_principal server;
40 retval = krb5_parse_name(context, principal, &server);
42 DEBUG(1,("Failed to parse principal %s\n", principal));
46 /* obtain ticket & session key */
47 memset((char *)&creds, 0, sizeof(creds));
48 if ((retval = krb5_copy_principal(context, server, &creds.server))) {
49 DEBUG(1,("krb5_copy_principal failed (%s)\n",
50 error_message(retval)));
54 if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
55 DEBUG(1,("krb5_cc_get_principal failed (%s)\n",
56 error_message(retval)));
60 if ((retval = krb5_get_credentials(context, 0,
61 ccache, &creds, &credsp))) {
62 DEBUG(1,("krb5_get_credentials failed for %s (%s)\n",
63 principal, error_message(retval)));
67 /* cope with the ticket being in the future due to clock skew */
68 if ((unsigned)credsp->times.starttime > time(NULL)) {
69 time_t t = time(NULL);
70 int time_offset = (unsigned)credsp->times.starttime - t;
71 DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
72 krb5_set_real_time(context, t + time_offset + 1, 0);
76 retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
77 &in_data, credsp, outbuf);
79 DEBUG(1,("krb5_mk_req_extended failed (%s)\n",
80 error_message(retval)));
83 krb5_free_creds(context, credsp);
86 krb5_free_cred_contents(context, &creds);
89 krb5_free_principal(context, server);
95 get a kerberos5 ticket for the given service
97 DATA_BLOB krb5_get_ticket(char *principal, time_t time_offset)
99 krb5_error_code retval;
102 krb5_context context;
103 krb5_auth_context auth_context = NULL;
105 krb5_enctype enc_types[] = {
106 #ifdef ENCTYPE_ARCFOUR_HMAC
107 ENCTYPE_ARCFOUR_HMAC,
112 retval = krb5_init_context(&context);
114 DEBUG(1,("krb5_init_context failed (%s)\n",
115 error_message(retval)));
119 if (time_offset != 0) {
120 krb5_set_real_time(context, time(NULL) + time_offset, 0);
123 if ((retval = krb5_cc_default(context, &ccdef))) {
124 DEBUG(1,("krb5_cc_default failed (%s)\n",
125 error_message(retval)));
129 if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
130 DEBUG(1,("krb5_set_default_tgs_ktypes failed (%s)\n",
131 error_message(retval)));
135 if ((retval = krb5_mk_req2(context,
143 ret = data_blob(packet.data, packet.length);
144 /* Hmm, heimdal dooesn't have this - what's the correct call? */
145 /* krb5_free_data_contents(context, &packet); */
146 krb5_free_context(context);
151 krb5_free_context(context);
153 return data_blob(NULL, 0);
157 #else /* HAVE_KRB5 */
158 /* this saves a few linking headaches */
159 DATA_BLOB krb5_get_ticket(char *principal, time_t time_offset)
161 DEBUG(0,("NO KERBEROS SUPPORT\n"));
162 return data_blob(NULL, 0);