return NT_STATUS_OK;
}
+/**
+ * @brief Initialize a Kerberos credential cache for later use.
+ *
+ * This functions initializes a Kerberos credential cache. If ccache_name is not
+ * specified it will either use the default credential cache or create a memory
+ * credential cache. This depends on the authentication credentials specified,
+ * username and password.
+ *
+ * @param[in] cred The credentials structure to init the cache on.
+ *
+ * @param[in] lp_ctx The loadparm context to use.
+ *
+ * @param[in] ccache_name The name of the credential cache to open or
+ * NULL.
+ *
+ * @return true on success, false if an error occcured.
+ */
+_PUBLIC_ bool cli_credentials_ccache_init(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
+ const char *ccache_name)
+{
+ TALLOC_CTX *tmp_ctx;
+ krb5_error_code code;
+ enum credentials_obtained principal_obtained = CRED_UNINITIALISED;
+ struct ccache_container *ccc = NULL;
+ const char *principal;
+ const char *password = NULL;
+ bool use_memory_ccache = false;
+ bool ok = false;
+
+ if (cred->krb5_ccache_obtained != CRED_UNINITIALISED) {
+ return false;
+ }
+
+ tmp_ctx = talloc_new(cred);
+ if (tmp_ctx == NULL) {
+ return false;
+ }
+
+ principal = cli_credentials_get_principal_and_obtained(cred,
+ tmp_ctx,
+ &principal_obtained);
+ if (principal == NULL) {
+ goto done;
+ }
+
+ ccc = talloc_zero(tmp_ctx, struct ccache_container);
+ if (ccc == NULL) {
+ goto done;
+ }
+
+ code = cli_credentials_get_krb5_context(cred,
+ lp_ctx,
+ &ccc->smb_krb5_context);
+ if (principal_obtained == CRED_SPECIFIED) {
+ password = cli_credentials_get_password(cred);
+ if (password != NULL) {
+ use_memory_ccache = true;
+ }
+ }
+
+ if (ccache_name == NULL && use_memory_ccache) {
+ ccache_name = talloc_asprintf(tmp_ctx, "MEMORY:cli_creds/%p", ccc);
+ if (ccache_name == NULL) {
+ goto done;
+ }
+ }
+
+ if (ccache_name != NULL) {
+ code = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context,
+ ccache_name,
+ &ccc->ccache);
+ } else {
+ code = krb5_cc_default(ccc->smb_krb5_context->krb5_context,
+ &ccc->ccache);
+ }
+ if (code != 0) {
+ goto done;
+ }
+
+ if (use_memory_ccache) {
+ talloc_set_destructor(ccc, free_mccache);
+ } else {
+ talloc_set_destructor(ccc, free_dccache);
+ }
+
+ cred->krb5_ccache = talloc_steal(cred, ccc);
+ cred->krb5_ccache_obtained = CRED_SPECIFIED;
+
+ ok = true;
+done:
+ talloc_free(tmp_ctx);
+ return ok;
+}
+
+/**
+ * @brief Destroy a Kerberos credential cache.
+ *
+ * This function destroys any existing contents of a cache and closes it.
+ *
+ * @param[in] cred The cli_credentials structure.
+ *
+ * @return true on success, false otherwise.
+ */
+_PUBLIC_ bool cli_credentials_ccache_destroy(struct cli_credentials *cred)
+{
+ struct ccache_container *ccc = cred->krb5_ccache;
+ krb5_error_code code;
+
+ code = krb5_cc_destroy(ccc->smb_krb5_context->krb5_context,
+ ccc->ccache);
+ if (code != 0) {
+ return false;
+ }
+ ccc->ccache = NULL;
+
+ TALLOC_FREE(cred->krb5_ccache);
+ cred->krb5_ccache_obtained = CRED_UNINITIALISED;
+
+ return true;
+}
+
+/**
+ * @brief Reinitialize the Kerberos credential cache
+ *
+ * If the credential cache is a memory credential cache it will be destroyed
+ * and a new clean cache will be allocated. Existing caches will just be
+ * reopened.
+ *
+ * @param[in] cred The credential structure
+ *
+ * @param[in] lp_ctx The loadparm context.
+ *
+ * @return true on success, false otherwise.
+ */
+_PUBLIC_ bool cli_credentials_ccache_reinit(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx)
+{
+ krb5_context context;
+ krb5_error_code code;
+ char *tmp_name = NULL;
+ const char *ccache_name;
+ bool ok;
+ int cmp;
+
+ if (cred->krb5_ccache_obtained == CRED_UNINITIALISED) {
+ return false;
+ }
+ context = cred->krb5_ccache->smb_krb5_context->krb5_context;
+
+ code = krb5_cc_get_full_name(context,
+ cred->krb5_ccache->ccache,
+ &tmp_name);
+ if (code != 0) {
+ return false;
+ }
+
+ ccache_name = tmp_name;
+ cmp = strncasecmp_m(ccache_name, "MEMORY:", 7);
+ if (cmp == 0) {
+ ccache_name = NULL;
+ }
+
+ TALLOC_FREE(cred->krb5_ccache);
+ cred->krb5_ccache_obtained = CRED_UNINITIALISED;
+
+ ok = cli_credentials_ccache_init(cred, lp_ctx, ccache_name);
+ krb5_free_string(context, tmp_name);
+
+ return ok;
+}
+
+/**
+ * @brief Get the credential cache containter
+ *
+ * @param[in] cred The cli_credentials to get the ccache from.
+ *
+ * @return A pointer to the credential cache containter or NULL on error.
+ */
+_PUBLIC_ struct ccache_container *cli_credentials_ccache_get(struct cli_credentials *cred)
+{
+ return cred->krb5_ccache;
+}
+
+_PUBLIC_ bool cli_credentials_ccache_update_principal(struct cli_credentials *creds)
+{
+ krb5_context context;
+ struct ccache_container *ccc = cli_credentials_ccache_get(creds);
+ krb5_principal cc_principal = NULL;
+ krb5_error_code code;
+ char *principal;
+ char *realm;
+ bool ok;
+
+ if (ccc == NULL) {
+ return false;
+ }
+ context = ccc->smb_krb5_context->krb5_context;
+
+ code = krb5_cc_get_principal(context,
+ ccc->ccache,
+ &cc_principal);
+ if (code != 0) {
+ switch (code) {
+ /* Empty cache */
+ case KRB5_CC_NOTFOUND:
+ case KRB5_FCC_NOFILE:
+ return true;
+ }
+ return false;
+ }
+
+ code = smb_krb5_unparse_name(creds,
+ context,
+ cc_principal,
+ &principal);
+ if (code != 0) {
+ return false;
+ }
+
+ ok = cli_credentials_set_principal(creds,
+ principal,
+ CRED_SPECIFIED);
+ TALLOC_FREE(principal);
+ if (!ok) {
+ krb5_free_principal(context, cc_principal);
+ return ok;
+ }
+
+ realm = smb_krb5_principal_get_realm(context, cc_principal);
+ krb5_free_principal(context, cc_principal);
+ if (realm == NULL) {
+ return false;
+ }
+ ok = cli_credentials_set_realm(creds,
+ realm,
+ CRED_SPECIFIED);
+ SAFE_FREE(realm);
+
+ return ok;
+}
+
static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
struct ccache_container *ccache,
enum credentials_obtained obtained,
return ENOMEM;
}
- realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
- princ);
+ realm = smb_krb5_principal_get_realm(
+ cred, ccache->smb_krb5_context->krb5_context, princ);
krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
if (realm == NULL) {
return ENOMEM;
}
ok = cli_credentials_set_realm(cred, realm, obtained);
- SAFE_FREE(realm);
+ TALLOC_FREE(realm);
if (!ok) {
return ENOMEM;
}
if (ret) {
(*error_string) = error_message(ret);
+ TALLOC_FREE(ccc);
return ret;
}
+ }
+
+ cred->ccache = ccc;
+ cred->ccache_obtained = obtained;
- cred->ccache = ccc;
- cred->ccache_obtained = obtained;
- talloc_steal(cred, ccc);
+ cli_credentials_invalidate_client_gss_creds(
+ cred, cred->ccache_obtained);
- cli_credentials_invalidate_client_gss_creds(cred, cred->ccache_obtained);
- return 0;
- }
return 0;
}
const struct ccache_container *old_ccc = NULL;
struct ccache_container *ccc = NULL;
char *ccache_name = NULL;
+ krb5_principal princ;
old_ccc = cred->ccache;
if (old_ccc == NULL) {
return 0;
}
+ ret = krb5_cc_get_principal(
+ old_ccc->smb_krb5_context->krb5_context,
+ old_ccc->ccache,
+ &princ);
+ if (ret != 0) {
+ /*
+ * This is an empty ccache. No point in copying anything.
+ */
+ cred->ccache = NULL;
+ return 0;
+ }
+ krb5_free_principal(old_ccc->smb_krb5_context->krb5_context, princ);
+
ccc = talloc(cred, struct ccache_container);
if (ccc == NULL) {
return ENOMEM;
git.samba.org / metze / samba / wip.git / blobdiff