Author: jra Date: 2004-11-02 21:28:07 +0000 (Tue, 02 Nov 2004) New Revision: 3491
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=3491 Log: Fixes from testing kerberos salted principal fix. Jeremy. Modified: trunk/source/libads/kerberos.c trunk/source/libads/kerberos_keytab.c trunk/source/utils/net_ads.c Changeset:
Modified: trunk/source/libads/kerberos.c
===================================================================
--- trunk/source/libads/kerberos.c 2004-11-02 19:52:51 UTC (rev 3490)
+++ trunk/source/libads/kerberos.c 2004-11-02 21:28:07 UTC (rev 3491)
@@ -362,8 +362,8 @@
 }
 if ((err = krb5_get_credentials(ctx, 0, ccache, &creds, &new_creds))) {
- DEBUG(5,("get_service_ticket: krb5_get_credentials for %s failed: %s\n",
- service_s, error_message(err)));
+ DEBUG(5,("get_service_ticket: krb5_get_credentials for %s enctype %d failed: %s\n",
+ service_s, enctype, error_message(err)));
 goto out;
 }
@@ -602,24 +602,13 @@
 Go through all the possible enctypes for this principal.
 ************************************************************************/
- void kerberos_derive_salting_principal(krb5_context context,
+static void kerberos_derive_salting_principal_direct(krb5_context context,
 krb5_ccache ccache,
 krb5_enctype *enctypes,
 char *service_principal)
 {
 int i;
- BOOL free_ccache = False;
- if (ccache == NULL) {
- krb5_error_code ret;
- if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
- DEBUG(0, ("kerberos_derive_salting_principal: krb5_cc_resolve for %s failed: %s\n",
- LIBADS_CCACHE_NAME, error_message(ret)));
- return;
- }
- free_ccache = True;
- }
 /* Try for each enctype separately, because the rules are
 * different for different enctypes. */
 for (i = 0; enctypes[i] != 0; i++) {
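Review bot: kerberos_derive_salting_principal_direct no longer tolerates a NULL ccache, because the removed block was the only place that resolved one on the caller's behalf, yet the header comment above the signature still only says "Go through all the possible enctypes for this principal." I would add, directly above the `static void` line, `/* ccache and enctypes must be non-NULL and enctypes zero-terminated; callers obtain them themselves (see the kerberos_derive_salting_principal wrapper). */` so the new precondition is visible to the next caller of the static function. The loop condition `enctypes[i] != 0` already relies on that terminator, which is worth stating in the same comment. The function's body continues beyond this hunk.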
@@ -640,10 +629,49 @@
 enctypes[i], enctypes);
 }
+}
- if (free_ccache && ccache) {
- krb5_cc_close(context, ccache);
+/************************************************************************
+ Wrapper function for the above.
+ ************************************************************************/
+
+void kerberos_derive_salting_principal(char *service_principal)
+{
+ krb5_context context = NULL;
+ krb5_enctype *enctypes = NULL;
+ krb5_ccache ccache = NULL;
+ krb5_error_code ret = 0;
+
+ initialize_krb5_error_table();
+ if ((ret = krb5_init_context(&context)) != 0) {
+ DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. %s\n",
+ error_message(ret)));
+ return;
 }
+ if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) {
+ DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n",
+ error_message(ret)));
+ goto out;
+ }
+
+ if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
+ DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n",
+ LIBADS_CCACHE_NAME, error_message(ret)));
+ goto out;
+ }
+
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service_principal);
+
+ out:
+ if (enctypes) {
+ free_kerberos_etypes(context, enctypes);
+ }
+ if (ccache) {
+ krb5_cc_destroy(context, ccache);
+ }
+ if (context) {
+ krb5_free_context(context);
+ }
 }
 /************************************************************************
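Review bot: The cleanup path of the new kerberos_derive_salting_principal wrapper calls `krb5_cc_destroy(context, ccache);` on a cache it only resolved by name (LIBADS_CCACHE_NAME), whereas the code it replaces released the same handle with `krb5_cc_close(context, ccache);`; destroy deletes the cache and every ticket in it, not just the handle, so any other code that resolves LIBADS_CCACHE_NAME (the copied "get_service_ticket:" text in the resolve-failure DEBUG suggests get_service_ticket does) loses its credentials after each call. If only the handle should be released, `krb5_cc_close(context, ccache);` is the matching call; if wiping the cache is deliberate, a one-line comment on why belongs beside the destroy. Separately, the three DEBUG strings in this function name kerberos_derive_cifs_salting_principals and get_service_ticket rather than kerberos_derive_salting_principal, which will misattribute failures in the log; `"kerberos_derive_salting_principal: ..."` is the prefix that matches the other messages in this file. The `out:` label also sits indented by two columns while the rest of the body uses the file's tab indent.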
@@ -681,38 +709,38 @@
 if (asprintf(&service, "%s$", global_myname()) != -1) {
 strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 SAFE_FREE(service);
 }
 if (asprintf(&service, "cifs/%s", global_myname()) != -1) {
 strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 SAFE_FREE(service);
 }
 if (asprintf(&service, "host/%s", global_myname()) != -1) {
 strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 SAFE_FREE(service);
 }
 if (asprintf(&service, "cifs/%s.%s", global_myname(), lp_realm()) != -1) {
 strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 SAFE_FREE(service);
 }
 if (asprintf(&service, "host/%s.%s", global_myname(), lp_realm()) != -1) {
 strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 SAFE_FREE(service);
 }
 name_to_fqdn(my_fqdn, global_myname());
 if (asprintf(&service, "cifs/%s", my_fqdn) != -1) {
 strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 SAFE_FREE(service);
 }
 if (asprintf(&service, "host/%s", my_fqdn) != -1) {
 strlower_m(service);
- kerberos_derive_salting_principal(context, ccache, enctypes, service);
+ kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
 SAFE_FREE(service);
 }
Modified: trunk/source/libads/kerberos_keytab.c
===================================================================
--- trunk/source/libads/kerberos_keytab.c 2004-11-02 19:52:51 UTC (rev 3490)
+++ trunk/source/libads/kerberos_keytab.c 2004-11-02 21:28:07 UTC (rev 3491)
@@ -129,7 +129,7 @@
 }
 /* Guess at how the KDC is salting keys for this principal. */
- kerberos_derive_salting_principal(context, NULL, enctypes, princ_s);
+ kerberos_derive_salting_principal(princ_s);
 ret = krb5_parse_name(context, princ_s, &princ);
 if (ret) {
Modified: trunk/source/utils/net_ads.c
===================================================================
--- trunk/source/utils/net_ads.c 2004-11-02 19:52:51 UTC (rev 3490)
+++ trunk/source/utils/net_ads.c 2004-11-02 21:28:07 UTC (rev 3491)
@@ -818,6 +818,20 @@
 return -1;
 }
+ #ifdef HAVE_KRB5
+ if (!kerberos_derive_salting_principal(machine_account)) {
+ DEBUG(1,("Failed to determine salting principal\n"));
+ ads_destroy(&ads);
+ return -1;
+ }
+
+ if (!kerberos_derive_cifs_salting_principals()) {
+ DEBUG(1,("Failed to determine salting principals\n"));
+ ads_destroy(&ads);
+ return -1;
+ }
+#endif
+
 nt_status = pdb_init_trustpw_talloc(ctx, &trust);
 if (!NT_STATUS_IS_OK(nt_status)) {
 DEBUG(1,("Could not initialise trust password\n"));
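Review bot: `if (!kerberos_derive_salting_principal(machine_account))` in the net_ads.c hunk applies `!` to a void expression: the definition this same commit adds in kerberos.c is `void kerberos_derive_salting_principal(char *service_principal)`, which logs and returns on every failure without reporting it, so this block cannot compile when HAVE_KRB5 is defined and, even with a return type added, would never take the error branch as written. Either change the wrapper to return a BOOL (False on each of its three failure paths, True after the _direct call, with the header prototype updated to match) or drop the condition and call it for its side effect only. `if (!kerberos_derive_cifs_salting_principals())` has the same shape and its return type is not visible on this page, so it needs the same check. The `#ifdef HAVE_KRB5` line also appears indented while `#endif` is at column 0; both directives conventionally start in column 0. The enclosing function begins before this hunk.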