DATA_BLOB session_key;
DATA_BLOB pac;
- krb5_context krb5_context;
+ struct smb_krb5_context *smb_krb5_context;
krb5_ccache ccache;
const char *ccache_name;
if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->client_name);
}
- if (gensec_gssapi_state->krb5_context) {
- krb5_free_context(gensec_gssapi_state->krb5_context);
- }
return 0;
}
gensec_gssapi_state->session_key = data_blob(NULL, 0);
gensec_gssapi_state->pac = data_blob(NULL, 0);
- gensec_gssapi_state->krb5_context = NULL;
-
gensec_gssapi_state->cred = GSS_C_NO_CREDENTIAL;
talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destory);
gensec_gssapi_state->gss_oid = gss_mech_krb5;
- ret = krb5_init_context(&gensec_gssapi_state->krb5_context);
+ ret = smb_krb5_init_context(gensec_gssapi_state,
+ &gensec_gssapi_state->smb_krb5_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
- smb_get_krb5_error_message(gensec_gssapi_state->krb5_context,
- ret, gensec_gssapi_state)));
+ error_message(ret)));
return NT_STATUS_INTERNAL_ERROR;
}
-
- if (lp_realm() && *lp_realm()) {
- char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm());
- if (!upper_realm) {
- DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm()));
- return NT_STATUS_NO_MEMORY;
- }
- ret = krb5_set_default_realm(gensec_gssapi_state->krb5_context, upper_realm);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: krb5_set_default_realm failed (%s)\n",
- smb_get_krb5_error_message(gensec_gssapi_state->krb5_context,
- ret, gensec_gssapi_state)));
- return NT_STATUS_INTERNAL_ERROR;
- }
- }
-
return NT_STATUS_OK;
}
gensec_gssapi_state = gensec_security->private_data;
- name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s", gensec_get_target_service(gensec_security),
+ name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s",
+ gensec_get_target_service(gensec_security),
gensec_get_target_hostname(gensec_security));
name_token.length = strlen(name_token.value);
return NT_STATUS_UNSUCCESSFUL;
}
- name_token.value = cli_credentials_get_principal(gensec_get_credentials(gensec_security), gensec_gssapi_state),
+ name_token.value = cli_credentials_get_principal(gensec_get_credentials(gensec_security),
+ gensec_gssapi_state),
name_token.length = strlen(name_token.value);
maj_stat = gss_import_name (&min_stat,
nt_status = kinit_to_ccache(gensec_gssapi_state,
gensec_get_credentials(gensec_security),
- gensec_gssapi_state->krb5_context,
+ gensec_gssapi_state->smb_krb5_context,
&gensec_gssapi_state->ccache, &gensec_gssapi_state->ccache_name);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
DATA_BLOB session_key;
DATA_BLOB pac;
enum GENSEC_KRB5_STATE state_position;
- krb5_context context;
+ struct smb_krb5_context *smb_krb5_context;
krb5_auth_context auth_context;
krb5_ccache ccache;
krb5_data ticket;
cksum.checksum.data = sig->signature;
- ret = krb5_crypto_init(gensec_krb5_state->context,
+ ret = krb5_crypto_init(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->keyblock,
0,
&crypto);
}
for (i=0; i < 40; i++) {
keyusage = i;
- ret = krb5_verify_checksum(gensec_krb5_state->context,
+ ret = krb5_verify_checksum(gensec_krb5_state->smb_krb5_context->krb5_context,
crypto,
keyusage,
pac_data.data,
break;
}
}
- krb5_crypto_destroy(gensec_krb5_state->context, crypto);
+ krb5_crypto_destroy(gensec_krb5_state->smb_krb5_context->krb5_context, crypto);
if (ret) {
DEBUG(0,("NOT verifying PAC checksums yet!\n"));
struct gensec_krb5_state *gensec_krb5_state = ptr;
if (gensec_krb5_state->ticket.length) {
- kerberos_free_data_contents(gensec_krb5_state->context,
+ kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->ticket);
}
/* ccache freed in a child destructor */
- krb5_free_keyblock_contents(gensec_krb5_state->context,
+ krb5_free_keyblock_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->keyblock);
if (gensec_krb5_state->auth_context) {
- krb5_auth_con_free(gensec_krb5_state->context,
+ krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context);
}
- if (gensec_krb5_state->context) {
- krb5_free_context(gensec_krb5_state->context);
- }
return 0;
}
gensec_security->private_data = gensec_krb5_state;
initialize_krb5_error_table();
- gensec_krb5_state->context = NULL;
gensec_krb5_state->auth_context = NULL;
gensec_krb5_state->ccache = NULL;
ZERO_STRUCT(gensec_krb5_state->ticket);
talloc_set_destructor(gensec_krb5_state, gensec_krb5_destory);
- ret = krb5_init_context(&gensec_krb5_state->context);
+ ret = smb_krb5_init_context(gensec_krb5_state,
+ &gensec_krb5_state->smb_krb5_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
error_message(ret)));
return NT_STATUS_INTERNAL_ERROR;
}
- if (lp_realm() && *lp_realm()) {
- char *upper_realm = strupper_talloc(gensec_krb5_state, lp_realm());
- if (!upper_realm) {
- DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm()));
- return NT_STATUS_NO_MEMORY;
- }
- ret = krb5_set_default_realm(gensec_krb5_state->context, upper_realm);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: krb5_set_default_realm failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->context,
- ret, gensec_krb5_state)));
- return NT_STATUS_INTERNAL_ERROR;
- }
- }
-
- ret = krb5_auth_con_init(gensec_krb5_state->context, &gensec_krb5_state->auth_context);
+ ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->context,
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, gensec_krb5_state)));
return NT_STATUS_INTERNAL_ERROR;
}
TODO: If the user set a username, we should use an in-memory CCACHE (see below)
*/
- ret = krb5_cc_default(gensec_krb5_state->context, &gensec_krb5_state->ccache);
+ ret = krb5_cc_default(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->ccache);
if (ret) {
DEBUG(1,("krb5_cc_default failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state)));
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_INTERNAL_ERROR;
}
krb5_data in_data;
in_data.length = 0;
- ret = krb5_mk_req(gensec_krb5_state->context,
+ ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
gensec_get_target_service(gensec_security),
return NT_STATUS_OK;
case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
- hostname, smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state)));
+ hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_ACCESS_DENIED;
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_TKT_EXPIRED:
case KRB5_KDCREP_SKEW:
{
DEBUG(3, ("kerberos (mk_req) failed: %s\n",
- smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state)));
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
/* fall down to remaining code */
}
nt_status = kinit_to_ccache(gensec_krb5_state,
gensec_security->credentials,
- gensec_krb5_state->context,
+ gensec_krb5_state->smb_krb5_context,
&gensec_krb5_state->ccache,
&ccache_name);
default:
DEBUG(0, ("kerberos: %s\n",
- smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state)));
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_UNSUCCESSFUL;
}
}
{
if (ret) {
DEBUG(1,("ads_krb5_mk_req (request ticket) failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->context, ret, out_mem_ctx)));
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
nt_status = NT_STATUS_LOGON_FAILURE;
} else {
DATA_BLOB unwrapped_out;
inbuf.data = unwrapped_in.data;
inbuf.length = unwrapped_in.length;
- ret = krb5_rd_rep(gensec_krb5_state->context,
+ ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context,
&inbuf, &repl);
if (ret) {
DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
- smb_get_krb5_error_message(gensec_krb5_state->context, ret, out_mem_ctx)));
+ smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
dump_data_pw("Mutual authentication message:\n", inbuf.data, inbuf.length);
nt_status = NT_STATUS_ACCESS_DENIED;
} else {
gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
}
if (repl) {
- krb5_free_ap_rep_enc_part(gensec_krb5_state->context, repl);
+ krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl);
}
return nt_status;
}
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
nt_status = ads_verify_ticket(out_mem_ctx,
- gensec_krb5_state->context,
+ gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context,
lp_realm(),
gensec_get_target_service(gensec_security), &in,
} else {
/* TODO: check the tok_id */
nt_status = ads_verify_ticket(out_mem_ctx,
- gensec_krb5_state->context,
+ gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context,
lp_realm(),
gensec_get_target_service(gensec_security),
}
static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security,
- DATA_BLOB *session_key)
+ DATA_BLOB *session_key)
{
struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
- krb5_context context = gensec_krb5_state->context;
+ krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
krb5_auth_context auth_context = gensec_krb5_state->auth_context;
krb5_keyblock *skey;
krb5_error_code err;
simple kerberos5 routines for active directory
Copyright (C) Andrew Tridgell 2001
Copyright (C) Luke Howard 2002-2003
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
return ret;
}
+
+static int smb_krb5_context_destory_1(void *ptr)
+{
+ struct smb_krb5_context *ctx = ptr;
+ krb5_free_context(ctx->krb5_context);
+ return 0;
+}
+
+#if defined(HAVE_KRB5_INITLOG) && defined(HAVE_KRB5_ADDLOG_FUNC) && defined(HAVE_KRB5_FREELOG)
+static int smb_krb5_context_destory_2(void *ptr)
+{
+ struct smb_krb5_context *ctx = ptr;
+
+ /* Otherwise krb5_free_context will try and close what we have already free()ed */
+ krb5_set_warn_dest(ctx->krb5_context, NULL);
+ krb5_freelog(ctx->krb5_context, ctx->logf);
+ smb_krb5_context_destory_1(ptr);
+ return 0;
+}
+
+/* We never close down the DEBUG system, and no need to unreference the use */
+static void smb_krb5_debug_close(void *private) {
+ return;
+}
+
+static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *private)
+{
+ DEBUG(3, ("Kerberos: %s\n", msg));
+}
+
+#endif
+
+ krb5_error_code smb_krb5_init_context(TALLOC_CTX *parent_ctx,
+ struct smb_krb5_context **smb_krb5_context)
+{
+ krb5_error_code ret;
+ TALLOC_CTX *tmp_ctx;
+
+ *smb_krb5_context = talloc(parent_ctx, struct smb_krb5_context);
+ tmp_ctx = talloc_new(*smb_krb5_context);
+
+ if (!*smb_krb5_context || !tmp_ctx) {
+ talloc_free(*smb_krb5_context);
+ talloc_free(tmp_ctx);
+ return ENOMEM;
+ }
+
+ ret = krb5_init_context(&(*smb_krb5_context)->krb5_context);
+ if (ret) {
+ DEBUG(1,("krb5_init_context failed (%s)\n",
+ error_message(ret)));
+ return ret;
+ }
+
+ talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destory_1);
+
+ if (lp_realm() && *lp_realm()) {
+ char *upper_realm = strupper_talloc(tmp_ctx, lp_realm());
+ if (!upper_realm) {
+ DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm()));
+ return ENOMEM;
+ }
+ ret = krb5_set_default_realm((*smb_krb5_context)->krb5_context, lp_realm());
+ if (ret) {
+ DEBUG(1,("krb5_set_default_realm failed (%s)\n",
+ smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
+ talloc_free(*smb_krb5_context);
+ return ret;
+ }
+ }
+
+#if defined(HAVE_KRB5_INITLOG) && defined(HAVE_KRB5_ADDLOG_FUNC) && defined(HAVE_KRB5_FREELOG)
+ /* TODO: Should we have a different name here? */
+ ret = krb5_initlog((*smb_krb5_context)->krb5_context, "Samba", &(*smb_krb5_context)->logf);
+
+ if (ret) {
+ DEBUG(1,("krb5_initlog failed (%s)\n",
+ smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
+ talloc_free(*smb_krb5_context);
+ return ret;
+ }
+
+ talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destory_2);
+
+ ret = krb5_addlog_func((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf, 0 /* min */, -1 /* max */,
+ smb_krb5_debug_wrapper, smb_krb5_debug_close, NULL);
+ if (ret) {
+ DEBUG(1,("krb5_addlog_func failed (%s)\n",
+ smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
+ talloc_free(*smb_krb5_context);
+ return ret;
+ }
+ krb5_set_warn_dest((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf);
+
+#endif
+ talloc_free(tmp_ctx);
+ return 0;
+}
+
#endif
AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_error_string, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_free_error_string, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_initlog, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_freelog, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_addlog_func, $KRB5_LIBS)
LIBS="$LIBS $KRB5_LIBS"
#if defined(HAVE_KRB5)
+struct smb_krb5_context {
+ krb5_context krb5_context;
+ krb5_log_facility *logf;
+};
+
+
/* not really ASN.1, but RFC 1964 */
#define TOK_ID_KRB_AP_REQ "\x01\x00"
#define TOK_ID_KRB_AP_REP "\x02\x00"
krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx,
- struct cli_credentials *credentials,
- krb5_context context,
- krb5_ccache *ccache,
- const char **ccache_name);
+ struct cli_credentials *credentials,
+ struct smb_krb5_context *smb_krb5_context,
+ krb5_ccache *ccache,
+ const char **ccache_name);
+krb5_error_code smb_krb5_init_context(TALLOC_CTX *parent_ctx,
+ struct smb_krb5_context **smb_krb5_context);
#endif /* HAVE_KRB5 */
#include "auth/auth.h"
struct ccache_container {
- krb5_context krb5_context;
+ struct smb_krb5_context *smb_krb5_context;
krb5_ccache ccache;
} ccache_container;
-#if 0
static int free_ccache(void *ptr) {
struct ccache_container *ccc = ptr;
/* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
- krb5_cc_close(ccc->krb5_context, ccc->ccache);
+ krb5_cc_close(ccc->smb_krb5_context->krb5_context, ccc->ccache);
return 0;
}
-#endif
/**
* Return a freshly allocated ccache (destroyed by destructor on child
NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx,
struct cli_credentials *credentials,
- krb5_context context,
+ struct smb_krb5_context *smb_krb5_context,
krb5_ccache *ccache,
const char **ccache_name)
{
cli_credentials_get_principal(credentials, mem_ctx),
generate_random_str(mem_ctx, 16));
- ret = krb5_cc_resolve(context, ccache_string, ccache);
+ ret = krb5_cc_resolve(smb_krb5_context->krb5_context, ccache_string, ccache);
if (ret) {
DEBUG(1,("failed to generate a new krb5 keytab (%s): %s\n",
ccache_string,
return NT_STATUS_INTERNAL_ERROR;
}
- mem_ctx->krb5_context = context;
+ mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
mem_ctx->ccache = *ccache;
-#if 0
talloc_set_destructor(mem_ctx, free_ccache);
-#endif
- ret = kerberos_kinit_password_cc(context, *ccache,
+ ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache,
cli_credentials_get_principal(credentials, mem_ctx),
password, NULL, &kdc_time);
time_t t = time(NULL);
int time_offset =(unsigned)kdc_time-t;
DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
- krb5_set_real_time(context, t + time_offset + 1, 0);
+ krb5_set_real_time(smb_krb5_context->krb5_context, t + time_offset + 1, 0);
}
if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
DEBUG(1,("kinit for %s failed (%s)\n",
cli_credentials_get_principal(credentials, mem_ctx),
- smb_get_krb5_error_message(context,
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return NT_STATUS_TIME_DIFFERENCE_AT_DC;
if (ret) {
DEBUG(1,("kinit for %s failed (%s)\n",
cli_credentials_get_principal(credentials, mem_ctx),
- smb_get_krb5_error_message(context,
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
}
- krb5_warnx(context, "hdb_ldb_create: hdb_name '%s'\n", (*db)->hdb_name);
-
(*db)->hdb_openp = 0;
(*db)->hdb_open = LDB_open;
(*db)->hdb_close = LDB_close;
src_sock_addr.sin_family = PF_INET;
/* Call krb5 */
- if (krb5_kdc_process_krb5_request(kdc_socket->kdc->krb5_context,
+ if (krb5_kdc_process_krb5_request(kdc_socket->kdc->smb_krb5_context->krb5_context,
kdc_socket->kdc->config,
blob.data, blob.length,
&reply,
*/
static NTSTATUS kdc_add_socket(struct kdc_server *kdc, const char *address)
{
- struct kdc_socket *kdc_socket;
+ struct kdc_socket *kdc_socket;
NTSTATUS status;
kdc_socket = talloc(kdc, struct kdc_socket);
initialize_krb5_error_table();
- ret = krb5_init_context(&kdc->krb5_context);
+ ret = smb_krb5_init_context(kdc, &kdc->smb_krb5_context);
if (ret) {
DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n",
error_message(ret)));
return;
}
- /* TODO: Fill in the hdb and logging details */
- kdc_openlog(kdc->krb5_context, kdc->config);
-
+ kdc->config->logf = kdc->smb_krb5_context->logf;
kdc->config->db = talloc(kdc->config, struct HDB *);
if (!kdc->config->db) {
task_terminate(task, "kdc: out of memory");
}
kdc->config->num_db = 1;
- ret = hdb_ldb_create(kdc->krb5_context, &kdc->config->db[0], lp_sam_url());
+ ret = hdb_ldb_create(kdc->smb_krb5_context->krb5_context,
+ &kdc->config->db[0], lp_sam_url());
if (ret != 0) {
DEBUG(1, ("kdc_task_init: hdb_ldb_create fails: %s\n",
- smb_get_krb5_error_message(kdc->krb5_context, ret, kdc)));
+ smb_get_krb5_error_message(kdc->smb_krb5_context->krb5_context, ret, kdc)));
task_terminate(task, "kdc: hdb_ldb_create failed");
return;
}
struct kdc_server {
struct task_server *task;
struct krb5_kdc_configuration *config;
- krb5_context krb5_context;
+ struct smb_krb5_context *smb_krb5_context;
};
/* hold information about one kdc socket */
git.samba.org / samba.git / commitdiff