Fix blocker bug 5745 kerberos authentication with (lib)smbclient is broken.

[kai/samba.git] / source / libsmb / clikrb5.c

diff --git a/source/libsmb/clikrb5.c b/source/libsmb/clikrb5.c
index fa21ad346739be1e6ece8f31253f92cda3446149..b8afb579778ffe9557963b32d9f6c872a7d76a58 100644 (file)
--- a/source/libsmb/clikrb5.c
+++ b/source/libsmb/clikrb5.c
@@ -27,18 +27,6 @@
 
 #ifdef HAVE_KRB5
 
-#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
-#define KRB5_KEY_TYPE(k)       ((k)->keytype) 
-#define KRB5_KEY_LENGTH(k)     ((k)->keyvalue.length)
-#define KRB5_KEY_DATA(k)       ((k)->keyvalue.data)
-#define KRB5_KEY_DATA_CAST     void
-#else /* MIT */
-#define        KRB5_KEY_TYPE(k)        ((k)->enctype)
-#define KRB5_KEY_LENGTH(k)     ((k)->length)
-#define KRB5_KEY_DATA(k)       ((k)->contents)
-#define KRB5_KEY_DATA_CAST     krb5_octet
-#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
-
 #define GSSAPI_CHECKSUM      0x8003             /* Checksum type value for Kerberos */
 #define GSSAPI_BNDLENGTH     16                 /* Bind Length (rfc-1964 pg.3) */
 #define GSSAPI_CHECKSUM_SIZE (12+GSSAPI_BNDLENGTH)
@@ -761,16 +749,22 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
                                                ccache,
                                                &in_data );
                if (retval) {
-                       DEBUG( 1, ("ads_krb5_get_fwd_ticket failed (%s)\n", error_message( retval ) ) );
-                       goto cleanup_creds;
-               }
-
-               if (retval) {
-                       DEBUG( 1, ("krb5_auth_con_set_req_cksumtype failed (%s)\n",
-                               error_message( retval ) ) );
-                       goto cleanup_creds;
+                       DEBUG( 3, ("ads_krb5_get_fwd_ticket failed (%s)\n",
+                                  error_message( retval ) ) );
+
+                       /*
+                        * This is not fatal. Delete the *auth_context and continue
+                        * with krb5_mk_req_extended to get a non-forwardable ticket.
+                        */
+
+                       if (in_data.data) {
+                               free( in_data.data );
+                               in_data.data = NULL;
+                               in_data.length = 0;
+                       }
+                       krb5_auth_con_free(context, *auth_context);
+                       *auth_context = NULL;
                }
-
        }
 #endif
 
@@ -1057,6 +1051,7 @@ get_key_from_keytab(krb5_context context,
        krb5_error_code ret;
        krb5_keytab keytab;
        char *name = NULL;
+       krb5_keyblock *keyp;
 
        /* We have to open a new keytab handle here, as MIT does
           an implicit open/getnext/close on krb5_kt_get_entry. We
@@ -1089,14 +1084,9 @@ get_key_from_keytab(krb5_context context,
                goto out;
        }
 
-#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
-       ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
-#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */
-       ret = krb5_copy_keyblock(context, &entry.key, out_key);
-#else
-#error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT
-#endif
+       keyp = KRB5_KT_KEY(&entry);
 
+       ret = krb5_copy_keyblock(context, keyp, out_key);
        if (ret) {
                DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret)));
                goto out;
@@ -1584,15 +1574,9 @@ done:
 #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */
 }
 
- krb5_enctype smb_get_enctype_from_kt_entry(const krb5_keytab_entry *kt_entry)
+ krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry)
 {
-#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY              /* MIT */
-       return kt_entry->key.enctype;
-#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK) /* Heimdal */
-       return kt_entry->keyblock.keytype;
-#else
-#error UNKNOWN_KRB5_KEYTAB_ENTRY_KEYBLOCK_FORMAT
-#endif
+       return KRB5_KEY_TYPE(KRB5_KT_KEY(kt_entry));
 }