00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024 #define KRB5_PRIVATE 1
00025 #define KRB5_DEPRECATED 1
00026
00027 #include "includes.h"
00028
00029 #ifdef HAVE_KRB5
00030
00031 #ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE
00032 #define KRB5_KEY_TYPE(k) ((k)->keytype)
00033 #define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
00034 #define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
00035 #else
00036 #define KRB5_KEY_TYPE(k) ((k)->enctype)
00037 #define KRB5_KEY_LENGTH(k) ((k)->length)
00038 #define KRB5_KEY_DATA(k) ((k)->contents)
00039 #endif
00040
00041
00042
00043
00044
00045
00046
00047
00048
00049
00050 krb5_error_code smb_krb5_parse_name(krb5_context context,
00051 const char *name,
00052 krb5_principal *principal)
00053 {
00054 krb5_error_code ret;
00055 char *utf8_name;
00056
00057 if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) {
00058 return ENOMEM;
00059 }
00060
00061 ret = krb5_parse_name(context, utf8_name, principal);
00062 SAFE_FREE(utf8_name);
00063 return ret;
00064 }
00065
00066 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
00067
00068
00069
00070
00071 static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context,
00072 const char *name,
00073 krb5_principal *principal)
00074 {
00075 krb5_error_code ret;
00076 char *utf8_name;
00077
00078 *principal = NULL;
00079 if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) {
00080 return ENOMEM;
00081 }
00082
00083 ret = krb5_parse_name_norealm(context, utf8_name, principal);
00084 SAFE_FREE(utf8_name);
00085 return ret;
00086 }
00087 #endif
00088
00089
00090
00091
00092
00093
00094 krb5_error_code smb_krb5_unparse_name(krb5_context context,
00095 krb5_const_principal principal,
00096 char **unix_name)
00097 {
00098 krb5_error_code ret;
00099 char *utf8_name;
00100
00101 *unix_name = NULL;
00102 ret = krb5_unparse_name(context, principal, &utf8_name);
00103 if (ret) {
00104 return ret;
00105 }
00106
00107 if (pull_utf8_allocate(unix_name, utf8_name)==-1) {
00108 krb5_free_unparsed_name(context, utf8_name);
00109 return ENOMEM;
00110 }
00111 krb5_free_unparsed_name(context, utf8_name);
00112 return 0;
00113 }
00114
00115 #ifndef HAVE_KRB5_SET_REAL_TIME
00116
00117
00118
00119 krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds)
00120 {
00121 krb5_error_code ret;
00122 int32_t sec, usec;
00123
00124 ret = krb5_us_timeofday(context, &sec, &usec);
00125 if (ret)
00126 return ret;
00127
00128 context->kdc_sec_offset = seconds - sec;
00129 context->kdc_usec_offset = microseconds - usec;
00130
00131 return 0;
00132 }
00133 #endif
00134
00135 #if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
00136
00137 #if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES)
00138
00139
00140
00141
00142
00143
00144
00145
00146
00147 krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
00148 {
00149 return krb5_set_default_tgs_enctypes(ctx, enc);
00150 }
00151
00152 #elif defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES)
00153
00154
00155 krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
00156 {
00157 return krb5_set_default_in_tkt_etypes(ctx, enc);
00158 }
00159
00160 #endif
00161
00162 #endif
00163
00164 #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
00165
00166 void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
00167 {
00168 pkaddr->addr_type = KRB5_ADDRESS_INET;
00169 pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
00170 pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr);
00171 }
00172 #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
00173
00174 void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
00175 {
00176 pkaddr->addrtype = ADDRTYPE_INET;
00177 pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
00178 pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr);
00179 }
00180 #else
00181 #error UNKNOWN_ADDRTYPE
00182 #endif
00183
00184 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
00185 int create_kerberos_key_from_string_direct(krb5_context context,
00186 krb5_principal host_princ,
00187 krb5_data *password,
00188 krb5_keyblock *key,
00189 krb5_enctype enctype)
00190 {
00191 int ret;
00192 krb5_data salt;
00193 krb5_encrypt_block eblock;
00194
00195 ret = krb5_principal2salt(context, host_princ, &salt);
00196 if (ret) {
00197 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
00198 return ret;
00199 }
00200 krb5_use_enctype(context, &eblock, enctype);
00201 ret = krb5_string_to_key(context, &eblock, key, password, &salt);
00202 SAFE_FREE(salt.data);
00203 return ret;
00204 }
00205 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
00206 int create_kerberos_key_from_string_direct(krb5_context context,
00207 krb5_principal host_princ,
00208 krb5_data *password,
00209 krb5_keyblock *key,
00210 krb5_enctype enctype)
00211 {
00212 int ret;
00213 krb5_salt salt;
00214
00215 ret = krb5_get_pw_salt(context, host_princ, &salt);
00216 if (ret) {
00217 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
00218 return ret;
00219 }
00220
00221 ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
00222 krb5_free_salt(context, salt);
00223 return ret;
00224 }
00225 #else
00226 #error UNKNOWN_CREATE_KEY_FUNCTIONS
00227 #endif
00228
00229 int create_kerberos_key_from_string(krb5_context context,
00230 krb5_principal host_princ,
00231 krb5_data *password,
00232 krb5_keyblock *key,
00233 krb5_enctype enctype)
00234 {
00235 krb5_principal salt_princ = NULL;
00236 int ret;
00237
00238
00239
00240
00241
00242 salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
00243 ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
00244 if (salt_princ) {
00245 krb5_free_principal(context, salt_princ);
00246 }
00247 return ret;
00248 }
00249
00250 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
00251 krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
00252 krb5_enctype **enctypes)
00253 {
00254 return krb5_get_permitted_enctypes(context, enctypes);
00255 }
00256 #elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
00257 krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
00258 krb5_enctype **enctypes)
00259 {
00260 return krb5_get_default_in_tkt_etypes(context, enctypes);
00261 }
00262 #else
00263 #error UNKNOWN_GET_ENCTYPES_FUNCTIONS
00264 #endif
00265
00266 #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
00267 krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
00268 krb5_auth_context auth_context,
00269 krb5_keyblock *keyblock)
00270 {
00271 return krb5_auth_con_setkey(context, auth_context, keyblock);
00272 }
00273 #endif
00274
00275 BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data)
00276 {
00277 DATA_BLOB pac_contents;
00278 ASN1_DATA data;
00279 int data_type;
00280
00281 if (!auth_data->length) {
00282 return False;
00283 }
00284
00285 asn1_load(&data, *auth_data);
00286 asn1_start_tag(&data, ASN1_SEQUENCE(0));
00287 asn1_start_tag(&data, ASN1_SEQUENCE(0));
00288 asn1_start_tag(&data, ASN1_CONTEXT(0));
00289 asn1_read_Integer(&data, &data_type);
00290
00291 if (data_type != KRB5_AUTHDATA_WIN2K_PAC ) {
00292 DEBUG(10,("authorization data is not a Windows PAC (type: %d)\n", data_type));
00293 asn1_free(&data);
00294 return False;
00295 }
00296
00297 asn1_end_tag(&data);
00298 asn1_start_tag(&data, ASN1_CONTEXT(1));
00299 asn1_read_OctetString(&data, &pac_contents);
00300 asn1_end_tag(&data);
00301 asn1_end_tag(&data);
00302 asn1_end_tag(&data);
00303 asn1_free(&data);
00304
00305 *unwrapped_pac_data = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length);
00306
00307 data_blob_free(&pac_contents);
00308
00309 return True;
00310 }
00311
00312 BOOL get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt)
00313 {
00314 DATA_BLOB auth_data_wrapped;
00315 BOOL got_auth_data_pac = False;
00316 int i;
00317
00318 #if defined(HAVE_KRB5_TKT_ENC_PART2)
00319 if (tkt->enc_part2 && tkt->enc_part2->authorization_data &&
00320 tkt->enc_part2->authorization_data[0] &&
00321 tkt->enc_part2->authorization_data[0]->length)
00322 {
00323 for (i = 0; tkt->enc_part2->authorization_data[i] != NULL; i++) {
00324
00325 if (tkt->enc_part2->authorization_data[i]->ad_type !=
00326 KRB5_AUTHDATA_IF_RELEVANT) {
00327 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
00328 tkt->enc_part2->authorization_data[i]->ad_type));
00329 continue;
00330 }
00331
00332 auth_data_wrapped = data_blob(tkt->enc_part2->authorization_data[i]->contents,
00333 tkt->enc_part2->authorization_data[i]->length);
00334
00335
00336 got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
00337 data_blob_free(&auth_data_wrapped);
00338
00339 if (got_auth_data_pac) {
00340 return true;
00341 }
00342 }
00343
00344 return got_auth_data_pac;
00345 }
00346
00347 #else
00348 if (tkt->ticket.authorization_data &&
00349 tkt->ticket.authorization_data->len)
00350 {
00351 for (i = 0; i < tkt->ticket.authorization_data->len; i++) {
00352
00353 if (tkt->ticket.authorization_data->val[i].ad_type !=
00354 KRB5_AUTHDATA_IF_RELEVANT) {
00355 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
00356 tkt->ticket.authorization_data->val[i].ad_type));
00357 continue;
00358 }
00359
00360 auth_data_wrapped = data_blob(tkt->ticket.authorization_data->val[i].ad_data.data,
00361 tkt->ticket.authorization_data->val[i].ad_data.length);
00362
00363
00364 got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
00365 data_blob_free(&auth_data_wrapped);
00366
00367 if (got_auth_data_pac) {
00368 return true;
00369 }
00370 }
00371
00372 return got_auth_data_pac;
00373 }
00374 #endif
00375 return False;
00376 }
00377
00378 krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt)
00379 {
00380 #if defined(HAVE_KRB5_TKT_ENC_PART2)
00381 return tkt->enc_part2->client;
00382 #else
00383 return tkt->client;
00384 #endif
00385 }
00386
00387 #if !defined(HAVE_KRB5_LOCATE_KDC)
00388
00389
00390
00391
00392
00393
00394 #if defined(KRB5_KRBHST_INIT)
00395
00396 krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters)
00397 {
00398 krb5_krbhst_handle hnd;
00399 krb5_krbhst_info *hinfo;
00400 krb5_error_code rc;
00401 int num_kdcs, i;
00402 struct sockaddr *sa;
00403 struct addrinfo *ai;
00404
00405 *addr_pp = NULL;
00406 *naddrs = 0;
00407
00408 rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd);
00409 if (rc) {
00410 DEBUG(0, ("smb_krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc)));
00411 return rc;
00412 }
00413
00414 for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++)
00415 ;
00416
00417 krb5_krbhst_reset(ctx, hnd);
00418
00419 if (!num_kdcs) {
00420 DEBUG(0, ("smb_krb5_locate_kdc: zero kdcs found !\n"));
00421 krb5_krbhst_free(ctx, hnd);
00422 return -1;
00423 }
00424
00425 sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs );
00426 if (!sa) {
00427 DEBUG(0, ("smb_krb5_locate_kdc: malloc failed\n"));
00428 krb5_krbhst_free(ctx, hnd);
00429 naddrs = 0;
00430 return -1;
00431 }
00432
00433 memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );
00434
00435 for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
00436
00437 #if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
00438 rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai);
00439 if (rc) {
00440 DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc)));
00441 continue;
00442 }
00443 #endif
00444 if (hinfo->ai && hinfo->ai->ai_family == AF_INET)
00445 memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr));
00446 }
00447
00448 krb5_krbhst_free(ctx, hnd);
00449
00450 *naddrs = num_kdcs;
00451 *addr_pp = sa;
00452 return 0;
00453 }
00454
00455 #else
00456
00457 krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
00458 struct sockaddr **addr_pp, int *naddrs, int get_masters)
00459 {
00460 DEBUG(0, ("unable to explicitly locate the KDC on this platform\n"));
00461 return KRB5_KDC_UNREACH;
00462 }
00463
00464 #endif
00465
00466 #else
00467
00468 krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
00469 struct sockaddr **addr_pp, int *naddrs, int get_masters)
00470 {
00471 return krb5_locate_kdc(ctx, realm, addr_pp, naddrs, get_masters);
00472 }
00473
00474 #endif
00475
00476 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
00477 void krb5_free_unparsed_name(krb5_context context, char *val)
00478 {
00479 SAFE_FREE(val);
00480 }
00481 #endif
00482
00483 void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
00484 {
00485 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
00486 if (pdata->data) {
00487 krb5_free_data_contents(context, pdata);
00488 }
00489 #else
00490 SAFE_FREE(pdata->data);
00491 #endif
00492 }
00493
00494 void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
00495 {
00496 #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
00497 KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype;
00498 #elif defined(HAVE_KRB5_SESSION_IN_CREDS)
00499 KRB5_KEY_TYPE((&pcreds->session)) = enctype;
00500 #else
00501 #error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT
00502 #endif
00503 }
00504
00505 BOOL kerberos_compatible_enctypes(krb5_context context,
00506 krb5_enctype enctype1,
00507 krb5_enctype enctype2)
00508 {
00509 #if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
00510 krb5_boolean similar = 0;
00511
00512 krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
00513 return similar ? True : False;
00514 #elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
00515 return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False;
00516 #endif
00517 }
00518
00519 static BOOL ads_cleanup_expired_creds(krb5_context context,
00520 krb5_ccache ccache,
00521 krb5_creds *credsp)
00522 {
00523 krb5_error_code retval;
00524 const char *cc_type = krb5_cc_get_type(context, ccache);
00525
00526 DEBUG(3, ("ads_cleanup_expired_creds: Ticket in ccache[%s:%s] expiration %s\n",
00527 cc_type, krb5_cc_get_name(context, ccache),
00528 http_timestring(credsp->times.endtime)));
00529
00530
00531
00532
00533 if (credsp->times.endtime >= (time(NULL) + 10))
00534 return False;
00535
00536
00537
00538
00539
00540
00541 if (strequal(cc_type, "FILE")) {
00542 DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a %s ccache\n", cc_type));
00543 return False;
00544 }
00545
00546 retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
00547 if (retval) {
00548 DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
00549 error_message(retval)));
00550
00551
00552 }
00553 return True;
00554 }
00555
00556
00557
00558
00559 static krb5_error_code ads_krb5_mk_req(krb5_context context,
00560 krb5_auth_context *auth_context,
00561 const krb5_flags ap_req_options,
00562 const char *principal,
00563 krb5_ccache ccache,
00564 krb5_data *outbuf,
00565 time_t *expire_time)
00566 {
00567 krb5_error_code retval;
00568 krb5_principal server;
00569 krb5_creds * credsp;
00570 krb5_creds creds;
00571 krb5_data in_data;
00572 BOOL creds_ready = False;
00573 int i = 0, maxtries = 3;
00574
00575 retval = smb_krb5_parse_name(context, principal, &server);
00576 if (retval) {
00577 DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
00578 return retval;
00579 }
00580
00581
00582 ZERO_STRUCT(creds);
00583 if ((retval = krb5_copy_principal(context, server, &creds.server))) {
00584 DEBUG(1,("ads_krb5_mk_req: krb5_copy_principal failed (%s)\n",
00585 error_message(retval)));
00586 goto cleanup_princ;
00587 }
00588
00589 if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
00590
00591
00592 DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
00593 error_message(retval)));
00594 goto cleanup_creds;
00595 }
00596
00597 while (!creds_ready && (i < maxtries)) {
00598
00599 if ((retval = krb5_get_credentials(context, 0, ccache,
00600 &creds, &credsp))) {
00601 DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n",
00602 principal, error_message(retval)));
00603 goto cleanup_creds;
00604 }
00605
00606
00607 if ((unsigned)credsp->times.starttime > time(NULL)) {
00608 time_t t = time(NULL);
00609 int time_offset =(int)((unsigned)credsp->times.starttime-t);
00610 DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset));
00611 krb5_set_real_time(context, t + time_offset + 1, 0);
00612 }
00613
00614 if (!ads_cleanup_expired_creds(context, ccache, credsp)) {
00615 creds_ready = True;
00616 }
00617
00618 i++;
00619 }
00620
00621 DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s:%s) is valid until: (%s - %u)\n",
00622 principal, krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache),
00623 http_timestring((unsigned)credsp->times.endtime),
00624 (unsigned)credsp->times.endtime));
00625
00626 if (expire_time) {
00627 *expire_time = (time_t)credsp->times.endtime;
00628 }
00629
00630 in_data.length = 0;
00631 retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
00632 &in_data, credsp, outbuf);
00633 if (retval) {
00634 DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n",
00635 error_message(retval)));
00636 }
00637
00638 krb5_free_creds(context, credsp);
00639
00640 cleanup_creds:
00641 krb5_free_cred_contents(context, &creds);
00642
00643 cleanup_princ:
00644 krb5_free_principal(context, server);
00645
00646 return retval;
00647 }
00648
00649
00650
00651
00652 int cli_krb5_get_ticket(const char *principal, time_t time_offset,
00653 DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
00654 uint32 extra_ap_opts, const char *ccname,
00655 time_t *tgs_expire)
00656
00657 {
00658 krb5_error_code retval;
00659 krb5_data packet;
00660 krb5_context context = NULL;
00661 krb5_ccache ccdef = NULL;
00662 krb5_auth_context auth_context = NULL;
00663 krb5_enctype enc_types[] = {
00664 #ifdef ENCTYPE_ARCFOUR_HMAC
00665 ENCTYPE_ARCFOUR_HMAC,
00666 #endif
00667 ENCTYPE_DES_CBC_MD5,
00668 ENCTYPE_DES_CBC_CRC,
00669 ENCTYPE_NULL};
00670
00671 initialize_krb5_error_table();
00672 retval = krb5_init_context(&context);
00673 if (retval) {
00674 DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n",
00675 error_message(retval)));
00676 goto failed;
00677 }
00678
00679 if (time_offset != 0) {
00680 krb5_set_real_time(context, time(NULL) + time_offset, 0);
00681 }
00682
00683 if ((retval = krb5_cc_resolve(context, ccname ?
00684 ccname : krb5_cc_default_name(context), &ccdef))) {
00685 DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n",
00686 error_message(retval)));
00687 goto failed;
00688 }
00689
00690 if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
00691 DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n",
00692 error_message(retval)));
00693 goto failed;
00694 }
00695
00696 if ((retval = ads_krb5_mk_req(context,
00697 &auth_context,
00698 AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts,
00699 principal,
00700 ccdef, &packet,
00701 tgs_expire))) {
00702 goto failed;
00703 }
00704
00705 get_krb5_smb_session_key(context, auth_context, session_key_krb5, False);
00706
00707 *ticket = data_blob(packet.data, packet.length);
00708
00709 kerberos_free_data_contents(context, &packet);
00710
00711 failed:
00712
00713 if ( context ) {
00714 if (ccdef)
00715 krb5_cc_close(context, ccdef);
00716 if (auth_context)
00717 krb5_auth_con_free(context, auth_context);
00718 krb5_free_context(context);
00719 }
00720
00721 return retval;
00722 }
00723
00724 BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote)
00725 {
00726 krb5_keyblock *skey;
00727 krb5_error_code err;
00728 BOOL ret = False;
00729
00730 if (remote)
00731 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
00732 else
00733 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
00734 if (err == 0 && skey != NULL) {
00735 DEBUG(10, ("Got KRB5 session key of length %d\n", (int)KRB5_KEY_LENGTH(skey)));
00736 *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
00737 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
00738
00739 ret = True;
00740
00741 krb5_free_keyblock(context, skey);
00742 } else {
00743 DEBUG(10, ("KRB5 error getting session key %d\n", err));
00744 }
00745
00746 return ret;
00747 }
00748
00749
00750 #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
00751 const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i );
00752
00753 const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i )
00754 {
00755 static krb5_data kdata;
00756
00757 kdata.data = (char *)krb5_principal_get_comp_string(context, principal, i);
00758 kdata.length = strlen((const char *)kdata.data);
00759 return &kdata;
00760 }
00761 #endif
00762
00763 krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
00764 {
00765 #if defined(HAVE_KRB5_KT_FREE_ENTRY)
00766 return krb5_kt_free_entry(context, kt_entry);
00767 #elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
00768 return krb5_free_keytab_entry_contents(context, kt_entry);
00769 #else
00770 #error UNKNOWN_KT_FREE_FUNCTION
00771 #endif
00772 }
00773
00774 void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
00775 PAC_SIGNATURE_DATA *sig)
00776 {
00777 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
00778 cksum->cksumtype = (krb5_cksumtype)sig->type;
00779 cksum->checksum.length = sig->signature.buf_len;
00780 cksum->checksum.data = sig->signature.buffer;
00781 #else
00782 cksum->checksum_type = (krb5_cksumtype)sig->type;
00783 cksum->length = sig->signature.buf_len;
00784 cksum->contents = sig->signature.buffer;
00785 #endif
00786 }
00787
00788 krb5_error_code smb_krb5_verify_checksum(krb5_context context,
00789 krb5_keyblock *keyblock,
00790 krb5_keyusage usage,
00791 krb5_checksum *cksum,
00792 uint8 *data,
00793 size_t length)
00794 {
00795 krb5_error_code ret;
00796
00797
00798
00799
00800
00801
00802
00803
00804
00805
00806
00807 #if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
00808 {
00809 krb5_boolean checksum_valid = False;
00810 krb5_data input;
00811
00812 input.data = (char *)data;
00813 input.length = length;
00814
00815 ret = krb5_c_verify_checksum(context,
00816 keyblock,
00817 usage,
00818 &input,
00819 cksum,
00820 &checksum_valid);
00821 if (ret) {
00822 DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
00823 error_message(ret)));
00824 return ret;
00825 }
00826
00827 if (!checksum_valid)
00828 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
00829 }
00830
00831 #elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
00832
00833
00834
00835
00836 {
00837
00838 krb5_crypto crypto;
00839 ret = krb5_crypto_init(context,
00840 keyblock,
00841 0,
00842 &crypto);
00843 if (ret) {
00844 DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n",
00845 error_message(ret)));
00846 return ret;
00847 }
00848
00849 ret = krb5_verify_checksum(context,
00850 crypto,
00851 usage,
00852 data,
00853 length,
00854 cksum);
00855
00856 krb5_crypto_destroy(context, crypto);
00857 }
00858
00859 #else
00860 #error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
00861 #endif
00862
00863 return ret;
00864 }
00865
00866 time_t get_authtime_from_tkt(krb5_ticket *tkt)
00867 {
00868 #if defined(HAVE_KRB5_TKT_ENC_PART2)
00869 return tkt->enc_part2->times.authtime;
00870 #else
00871 return tkt->ticket.authtime;
00872 #endif
00873 }
00874
00875 #ifdef HAVE_KRB5_DECODE_AP_REQ
00876 static int get_kvno_from_ap_req(krb5_ap_req *ap_req)
00877 {
00878 #ifdef HAVE_TICKET_POINTER_IN_KRB5_AP_REQ
00879 if (ap_req->ticket->enc_part.kvno)
00880 return ap_req->ticket->enc_part.kvno;
00881 #else
00882 if (ap_req->ticket.enc_part.kvno)
00883 return *ap_req->ticket.enc_part.kvno;
00884 #endif
00885 return 0;
00886 }
00887
00888 static krb5_enctype get_enctype_from_ap_req(krb5_ap_req *ap_req)
00889 {
00890 #ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA
00891 return ap_req->ticket.enc_part.etype;
00892 #else
00893 return ap_req->ticket->enc_part.enctype;
00894 #endif
00895 }
00896 #endif
00897
00898 static krb5_error_code
00899 get_key_from_keytab(krb5_context context,
00900 krb5_const_principal server,
00901 krb5_enctype enctype,
00902 krb5_kvno kvno,
00903 krb5_keyblock **out_key)
00904 {
00905 krb5_keytab_entry entry;
00906 krb5_error_code ret;
00907 krb5_keytab keytab;
00908 char *name = NULL;
00909
00910
00911
00912
00913
00914
00915 ret = krb5_kt_default(context, &keytab);
00916 if (ret) {
00917 DEBUG(0,("get_key_from_keytab: failed to open keytab: %s\n", error_message(ret)));
00918 return ret;
00919 }
00920
00921 if ( DEBUGLEVEL >= 10 ) {
00922 if (smb_krb5_unparse_name(context, server, &name) == 0) {
00923 DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n",
00924 kvno, enctype, name));
00925 SAFE_FREE(name);
00926 }
00927 }
00928
00929 ret = krb5_kt_get_entry(context,
00930 keytab,
00931 server,
00932 kvno,
00933 enctype,
00934 &entry);
00935
00936 if (ret) {
00937 DEBUG(0,("get_key_from_keytab: failed to retrieve key: %s\n", error_message(ret)));
00938 goto out;
00939 }
00940
00941 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
00942 ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
00943 #elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY)
00944 ret = krb5_copy_keyblock(context, &entry.key, out_key);
00945 #else
00946 #error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT
00947 #endif
00948
00949 if (ret) {
00950 DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret)));
00951 goto out;
00952 }
00953
00954 smb_krb5_kt_free_entry(context, &entry);
00955
00956 out:
00957 krb5_kt_close(context, keytab);
00958 return ret;
00959 }
00960
00961
00962
00963 krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context,
00964 const krb5_data *inbuf,
00965 krb5_kvno *kvno,
00966 krb5_enctype *enctype)
00967 {
00968 #ifdef HAVE_KRB5_DECODE_AP_REQ
00969 {
00970 krb5_error_code ret;
00971 krb5_ap_req ap_req;
00972
00973 ret = krb5_decode_ap_req(context, inbuf, &ap_req);
00974 if (ret)
00975 return ret;
00976
00977 *kvno = get_kvno_from_ap_req(&ap_req);
00978 *enctype = get_enctype_from_ap_req(&ap_req);
00979
00980 free_AP_REQ(&ap_req);
00981 return 0;
00982 }
00983 #endif
00984
00985
00986 return KRB5KDC_ERR_BADOPTION;
00987 }
00988
00989 krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
00990 krb5_auth_context *auth_context,
00991 const krb5_data *inbuf,
00992 krb5_const_principal server,
00993 krb5_keytab keytab,
00994 krb5_flags *ap_req_options,
00995 krb5_ticket **ticket,
00996 krb5_keyblock **keyblock)
00997 {
00998 krb5_error_code ret;
00999 krb5_kvno kvno;
01000 krb5_enctype enctype;
01001 krb5_keyblock *local_keyblock;
01002
01003 ret = krb5_rd_req(context,
01004 auth_context,
01005 inbuf,
01006 server,
01007 keytab,
01008 ap_req_options,
01009 ticket);
01010 if (ret) {
01011 return ret;
01012 }
01013
01014 #ifdef KRB5_TICKET_HAS_KEYINFO
01015 enctype = (*ticket)->enc_part.enctype;
01016 kvno = (*ticket)->enc_part.kvno;
01017 #else
01018 ret = smb_krb5_get_keyinfo_from_ap_req(context, inbuf, &kvno, &enctype);
01019 if (ret) {
01020 return ret;
01021 }
01022 #endif
01023
01024 ret = get_key_from_keytab(context,
01025 server,
01026 enctype,
01027 kvno,
01028 &local_keyblock);
01029 if (ret) {
01030 DEBUG(0,("krb5_rd_req_return_keyblock_from_keytab: failed to call get_key_from_keytab\n"));
01031 goto out;
01032 }
01033
01034 out:
01035 if (ret && local_keyblock != NULL) {
01036 krb5_free_keyblock(context, local_keyblock);
01037 } else {
01038 *keyblock = local_keyblock;
01039 }
01040
01041 return ret;
01042 }
01043
01044 krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
01045 const char *name,
01046 krb5_principal *principal)
01047 {
01048 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
01049 return smb_krb5_parse_name_norealm_conv(context, name, principal);
01050 #endif
01051
01052
01053
01054
01055
01056
01057 return smb_krb5_parse_name(context, name, principal);
01058 }
01059
01060 BOOL smb_krb5_principal_compare_any_realm(krb5_context context,
01061 krb5_const_principal princ1,
01062 krb5_const_principal princ2)
01063 {
01064 #ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
01065
01066 return krb5_principal_compare_any_realm(context, princ1, princ2);
01067
01068
01069 #elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
01070
01071 int i, len1, len2;
01072 const krb5_data *p1, *p2;
01073
01074 len1 = krb5_princ_size(context, princ1);
01075 len2 = krb5_princ_size(context, princ2);
01076
01077 if (len1 != len2)
01078 return False;
01079
01080 for (i = 0; i < len1; i++) {
01081
01082 p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i);
01083 p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i);
01084
01085 if (p1->length != p2->length || memcmp(p1->data, p2->data, p1->length))
01086 return False;
01087 }
01088
01089 return True;
01090 #else
01091 #error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
01092 #endif
01093 }
01094
01095 krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
01096 const char *client_string,
01097 const char *service_string,
01098 time_t *expire_time)
01099 {
01100 krb5_error_code ret;
01101 krb5_context context = NULL;
01102 krb5_ccache ccache = NULL;
01103 krb5_principal client = NULL;
01104
01105 initialize_krb5_error_table();
01106 ret = krb5_init_context(&context);
01107 if (ret) {
01108 goto done;
01109 }
01110
01111 if (!ccache_string) {
01112 ccache_string = krb5_cc_default_name(context);
01113 }
01114
01115 DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
01116
01117
01118 ret = krb5_cc_resolve(context, CONST_DISCARD(char *, ccache_string), &ccache);
01119 if (ret) {
01120 goto done;
01121 }
01122
01123 #ifdef HAVE_KRB5_GET_RENEWED_CREDS
01124 {
01125 krb5_creds creds;
01126
01127 if (client_string) {
01128 ret = smb_krb5_parse_name(context, client_string, &client);
01129 if (ret) {
01130 goto done;
01131 }
01132 } else {
01133 ret = krb5_cc_get_principal(context, ccache, &client);
01134 if (ret) {
01135 goto done;
01136 }
01137 }
01138
01139 ret = krb5_get_renewed_creds(context, &creds, client, ccache, CONST_DISCARD(char *, service_string));
01140 if (ret) {
01141 DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
01142 goto done;
01143 }
01144
01145
01146 ret = krb5_cc_initialize(context, ccache, client);
01147 if (ret) {
01148 goto done;
01149 }
01150
01151 ret = krb5_cc_store_cred(context, ccache, &creds);
01152
01153 if (expire_time) {
01154 *expire_time = (time_t) creds.times.endtime;
01155 }
01156
01157 krb5_free_cred_contents(context, &creds);
01158 }
01159 #elif defined(HAVE_KRB5_GET_KDC_CRED)
01160 {
01161 krb5_kdc_flags flags;
01162 krb5_creds creds_in;
01163 krb5_realm *client_realm;
01164 krb5_creds *creds;
01165
01166 memset(&creds_in, 0, sizeof(creds_in));
01167
01168 if (client_string) {
01169 ret = smb_krb5_parse_name(context, client_string, &creds_in.client);
01170 if (ret) {
01171 goto done;
01172 }
01173 } else {
01174 ret = krb5_cc_get_principal(context, ccache, &creds_in.client);
01175 if (ret) {
01176 goto done;
01177 }
01178 }
01179
01180 if (service_string) {
01181 ret = smb_krb5_parse_name(context, service_string, &creds_in.server);
01182 if (ret) {
01183 goto done;
01184 }
01185 } else {
01186
01187 client_realm = krb5_princ_realm(context, creds_in.client);
01188 if (!client_realm) {
01189 ret = ENOMEM;
01190 goto done;
01191 }
01192 ret = krb5_make_principal(context, &creds_in.server, *client_realm, KRB5_TGS_NAME, *client_realm, NULL);
01193 if (ret) {
01194 goto done;
01195 }
01196 }
01197
01198 flags.i = 0;
01199 flags.b.renewable = flags.b.renew = True;
01200
01201 ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &creds_in, &creds);
01202 if (ret) {
01203 DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
01204 goto done;
01205 }
01206
01207
01208 ret = krb5_cc_initialize(context, ccache, creds_in.client);
01209 if (ret) {
01210 goto done;
01211 }
01212
01213 ret = krb5_cc_store_cred(context, ccache, creds);
01214
01215 if (expire_time) {
01216 *expire_time = (time_t) creds->times.endtime;
01217 }
01218
01219 krb5_free_cred_contents(context, &creds_in);
01220 krb5_free_creds(context, creds);
01221 }
01222 #else
01223 #error No suitable krb5 ticket renew function available
01224 #endif
01225
01226
01227 done:
01228 if (client) {
01229 krb5_free_principal(context, client);
01230 }
01231 if (context) {
01232 krb5_free_context(context);
01233 }
01234 if (ccache) {
01235 krb5_cc_close(context, ccache);
01236 }
01237
01238 return ret;
01239
01240 }
01241
01242 krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr)
01243 {
01244 krb5_error_code ret = 0;
01245 if (addr == NULL) {
01246 return ret;
01247 }
01248 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
01249 krb5_free_addresses(context, addr->addrs);
01250 #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
01251 ret = krb5_free_addresses(context, addr->addrs);
01252 SAFE_FREE(addr->addrs);
01253 #endif
01254 SAFE_FREE(addr);
01255 addr = NULL;
01256 return ret;
01257 }
01258
01259 krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr)
01260 {
01261 krb5_error_code ret = 0;
01262 nstring buf;
01263 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
01264 krb5_address **addrs = NULL;
01265 #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
01266 krb5_addresses *addrs = NULL;
01267 #endif
01268
01269 *kerb_addr = (smb_krb5_addresses *)SMB_MALLOC(sizeof(smb_krb5_addresses));
01270 if (*kerb_addr == NULL) {
01271 return ENOMEM;
01272 }
01273
01274 put_name(buf, global_myname(), ' ', 0x20);
01275
01276 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
01277 {
01278 int num_addr = 2;
01279
01280 addrs = (krb5_address **)SMB_MALLOC(sizeof(krb5_address *) * num_addr);
01281 if (addrs == NULL) {
01282 SAFE_FREE(kerb_addr);
01283 return ENOMEM;
01284 }
01285
01286 memset(addrs, 0, sizeof(krb5_address *) * num_addr);
01287
01288 addrs[0] = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
01289 if (addrs[0] == NULL) {
01290 SAFE_FREE(addrs);
01291 SAFE_FREE(kerb_addr);
01292 return ENOMEM;
01293 }
01294
01295 addrs[0]->magic = KV5M_ADDRESS;
01296 addrs[0]->addrtype = KRB5_ADDR_NETBIOS;
01297 addrs[0]->length = MAX_NETBIOSNAME_LEN;
01298 addrs[0]->contents = (unsigned char *)SMB_MALLOC(addrs[0]->length);
01299 if (addrs[0]->contents == NULL) {
01300 SAFE_FREE(addrs[0]);
01301 SAFE_FREE(addrs);
01302 SAFE_FREE(kerb_addr);
01303 return ENOMEM;
01304 }
01305
01306 memcpy(addrs[0]->contents, buf, addrs[0]->length);
01307
01308 addrs[1] = NULL;
01309 }
01310 #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
01311 {
01312 addrs = (krb5_addresses *)SMB_MALLOC(sizeof(krb5_addresses));
01313 if (addrs == NULL) {
01314 SAFE_FREE(kerb_addr);
01315 return ENOMEM;
01316 }
01317
01318 memset(addrs, 0, sizeof(krb5_addresses));
01319
01320 addrs->len = 1;
01321 addrs->val = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
01322 if (addrs->val == NULL) {
01323 SAFE_FREE(addrs);
01324 SAFE_FREE(kerb_addr);
01325 return ENOMEM;
01326 }
01327
01328 addrs->val[0].addr_type = KRB5_ADDR_NETBIOS;
01329 addrs->val[0].address.length = MAX_NETBIOSNAME_LEN;
01330 addrs->val[0].address.data = (unsigned char *)SMB_MALLOC(addrs->val[0].address.length);
01331 if (addrs->val[0].address.data == NULL) {
01332 SAFE_FREE(addrs->val);
01333 SAFE_FREE(addrs);
01334 SAFE_FREE(kerb_addr);
01335 return ENOMEM;
01336 }
01337
01338 memcpy(addrs->val[0].address.data, buf, addrs->val[0].address.length);
01339 }
01340 #else
01341 #error UNKNOWN_KRB5_ADDRESS_FORMAT
01342 #endif
01343 (*kerb_addr)->addrs = addrs;
01344
01345 return ret;
01346 }
01347
01348 void smb_krb5_free_error(krb5_context context, krb5_error *krberror)
01349 {
01350 #ifdef HAVE_KRB5_FREE_ERROR_CONTENTS
01351 krb5_free_error_contents(context, krberror);
01352 #else
01353 krb5_free_error(context, krberror);
01354 #endif
01355 }
01356
01357 krb5_error_code handle_krberror_packet(krb5_context context,
01358 krb5_data *packet)
01359 {
01360 krb5_error_code ret;
01361 BOOL got_error_code = False;
01362
01363 DEBUG(10,("handle_krberror_packet: got error packet\n"));
01364
01365 #ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
01366 {
01367 krb5_error krberror;
01368
01369 if ((ret = krb5_rd_error(context, packet, &krberror))) {
01370 DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n",
01371 error_message(ret)));
01372 return ret;
01373 }
01374
01375 if (krberror.e_data == NULL || krberror.e_data->data == NULL) {
01376 ret = (krb5_error_code) krberror.error_code;
01377 got_error_code = True;
01378 }
01379
01380 smb_krb5_free_error(context, &krberror);
01381 }
01382 #else
01383 {
01384 krb5_error *krberror;
01385
01386 if ((ret = krb5_rd_error(context, packet, &krberror))) {
01387 DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n",
01388 error_message(ret)));
01389 return ret;
01390 }
01391
01392 if (krberror->e_data.data == NULL) {
01393 ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
01394 got_error_code = True;
01395 }
01396 smb_krb5_free_error(context, krberror);
01397 }
01398 #endif
01399 if (got_error_code) {
01400 DEBUG(5,("handle_krberror_packet: got KERBERR from kpasswd: %s (%d)\n",
01401 error_message(ret), ret));
01402 }
01403 return ret;
01404 }
01405
01406 krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
01407 krb5_get_init_creds_opt **opt)
01408 {
01409 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
01410
01411 return krb5_get_init_creds_opt_alloc(context, opt);
01412 #else
01413
01414 krb5_get_init_creds_opt *my_opt;
01415
01416 *opt = NULL;
01417
01418 if ((my_opt = SMB_MALLOC(sizeof(krb5_get_init_creds_opt))) == NULL) {
01419 return ENOMEM;
01420 }
01421
01422 krb5_get_init_creds_opt_init(my_opt);
01423
01424 *opt = my_opt;
01425 return 0;
01426 #endif
01427 }
01428
01429 void smb_krb5_get_init_creds_opt_free(krb5_context context,
01430 krb5_get_init_creds_opt *opt)
01431 {
01432 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE
01433
01434 #ifdef KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT
01435
01436 krb5_get_init_creds_opt_free(context, opt);
01437 #else
01438
01439 krb5_get_init_creds_opt_free(opt);
01440 #endif
01441
01442 #else
01443
01444 SAFE_FREE(opt);
01445 opt = NULL;
01446 #endif
01447 }
01448
01449 krb5_error_code smb_krb5_mk_error(krb5_context context,
01450 krb5_error_code error_code,
01451 const krb5_principal server,
01452 krb5_data *reply)
01453 {
01454 #ifdef HAVE_SHORT_KRB5_MK_ERROR_INTERFACE
01455
01456
01457
01458
01459 krb5_error e;
01460
01461 memset(&e, 0, sizeof(e));
01462 krb5_us_timeofday(context, &e.stime, &e.susec);
01463 e.server = server;
01464 #if defined(krb5_err_base)
01465 e.error = error_code - krb5_err_base;
01466 #elif defined(ERROR_TABLE_BASE_krb5)
01467 e.error = error_code - ERROR_TABLE_BASE_krb5;
01468 #else
01469 e.error = error_code;
01470 #endif
01471
01472 return krb5_mk_error(context, &e, reply);
01473 #else
01474 return krb5_mk_error(context,
01475 error_code,
01476 NULL,
01477 NULL,
01478 NULL,
01479 server,
01480 NULL,
01481 NULL,
01482 reply);
01483 #endif
01484 }
01485
01486 #else
01487
01488 int cli_krb5_get_ticket(const char *principal, time_t time_offset,
01489 DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts,
01490 const char *ccname, time_t *tgs_expire)
01491 {
01492 DEBUG(0,("NO KERBEROS SUPPORT\n"));
01493 return 1;
01494 }
01495
01496 #endif