00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022 #include "includes.h"
00023
00024 #ifdef HAVE_KRB5
00025
00026 #define DEFAULT_KPASSWD_PORT 464
00027
00028 #define KRB5_KPASSWD_VERS_CHANGEPW 1
00029
00030 #define KRB5_KPASSWD_VERS_SETPW 0xff80
00031 #define KRB5_KPASSWD_VERS_SETPW_ALT 2
00032
00033 #define KRB5_KPASSWD_SUCCESS 0
00034 #define KRB5_KPASSWD_MALFORMED 1
00035 #define KRB5_KPASSWD_HARDERROR 2
00036 #define KRB5_KPASSWD_AUTHERROR 3
00037 #define KRB5_KPASSWD_SOFTERROR 4
00038 #define KRB5_KPASSWD_ACCESSDENIED 5
00039 #define KRB5_KPASSWD_BAD_VERSION 6
00040 #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
00041
00042
00043
00044 #define KRB5_KPASSWD_POLICY_REJECT 8
00045 #define KRB5_KPASSWD_BAD_PRINCIPAL 9
00046 #define KRB5_KPASSWD_ETYPE_NOSUPP 10
00047
00048
00049
00050
00051
00052
00053 #define krb5_is_krb_error(packet) \
00054 ( packet && packet->length && (((char *)packet->data)[0] == 0x7e || ((char *)packet->data)[0] == 0x5e))
00055
00056
00057
00058
00059
00060
00061 static DATA_BLOB encode_krb5_setpw(const char *principal, const char *password)
00062 {
00063 char* princ_part1 = NULL;
00064 char* princ_part2 = NULL;
00065 char* realm = NULL;
00066 char* c;
00067 char* princ;
00068
00069 ASN1_DATA req;
00070 DATA_BLOB ret;
00071
00072
00073 princ = SMB_STRDUP(principal);
00074
00075 if ((c = strchr_m(princ, '/')) == NULL) {
00076 c = princ;
00077 } else {
00078 *c = '\0';
00079 c++;
00080 princ_part1 = princ;
00081 }
00082
00083 princ_part2 = c;
00084
00085 if ((c = strchr_m(c, '@')) != NULL) {
00086 *c = '\0';
00087 c++;
00088 realm = c;
00089 } else {
00090
00091 return data_blob(NULL, 0);
00092 }
00093
00094 memset(&req, 0, sizeof(req));
00095
00096 asn1_push_tag(&req, ASN1_SEQUENCE(0));
00097 asn1_push_tag(&req, ASN1_CONTEXT(0));
00098 asn1_write_OctetString(&req, password, strlen(password));
00099 asn1_pop_tag(&req);
00100
00101 asn1_push_tag(&req, ASN1_CONTEXT(1));
00102 asn1_push_tag(&req, ASN1_SEQUENCE(0));
00103
00104 asn1_push_tag(&req, ASN1_CONTEXT(0));
00105 asn1_write_Integer(&req, 1);
00106 asn1_pop_tag(&req);
00107
00108 asn1_push_tag(&req, ASN1_CONTEXT(1));
00109 asn1_push_tag(&req, ASN1_SEQUENCE(0));
00110
00111 if (princ_part1) {
00112 asn1_write_GeneralString(&req, princ_part1);
00113 }
00114
00115 asn1_write_GeneralString(&req, princ_part2);
00116 asn1_pop_tag(&req);
00117 asn1_pop_tag(&req);
00118 asn1_pop_tag(&req);
00119 asn1_pop_tag(&req);
00120
00121 asn1_push_tag(&req, ASN1_CONTEXT(2));
00122 asn1_write_GeneralString(&req, realm);
00123 asn1_pop_tag(&req);
00124 asn1_pop_tag(&req);
00125
00126 ret = data_blob(req.data, req.length);
00127 asn1_free(&req);
00128
00129 free(princ);
00130
00131 return ret;
00132 }
00133
00134 static krb5_error_code build_kpasswd_request(uint16 pversion,
00135 krb5_context context,
00136 krb5_auth_context auth_context,
00137 krb5_data *ap_req,
00138 const char *princ,
00139 const char *passwd,
00140 BOOL use_tcp,
00141 krb5_data *packet)
00142 {
00143 krb5_error_code ret;
00144 krb5_data cipherpw;
00145 krb5_data encoded_setpw;
00146 krb5_replay_data replay;
00147 char *p, *msg_start;
00148 DATA_BLOB setpw;
00149 unsigned int msg_length;
00150
00151 ret = krb5_auth_con_setflags(context,
00152 auth_context,KRB5_AUTH_CONTEXT_DO_SEQUENCE);
00153 if (ret) {
00154 DEBUG(1,("krb5_auth_con_setflags failed (%s)\n",
00155 error_message(ret)));
00156 return ret;
00157 }
00158
00159
00160 if (pversion == KRB5_KPASSWD_VERS_CHANGEPW)
00161 setpw = data_blob(passwd, strlen(passwd));
00162 else if (pversion == KRB5_KPASSWD_VERS_SETPW ||
00163 pversion == KRB5_KPASSWD_VERS_SETPW_ALT)
00164 setpw = encode_krb5_setpw(princ, passwd);
00165 else
00166 return EINVAL;
00167
00168 if (setpw.data == NULL || setpw.length == 0) {
00169 return EINVAL;
00170 }
00171
00172 encoded_setpw.data = (char *)setpw.data;
00173 encoded_setpw.length = setpw.length;
00174
00175 ret = krb5_mk_priv(context, auth_context,
00176 &encoded_setpw, &cipherpw, &replay);
00177
00178 data_blob_free(&setpw);
00179
00180 if (ret) {
00181 DEBUG(1,("krb5_mk_priv failed (%s)\n", error_message(ret)));
00182 return ret;
00183 }
00184
00185 packet->data = (char *)SMB_MALLOC(ap_req->length + cipherpw.length + (use_tcp ? 10 : 6 ));
00186 if (!packet->data)
00187 return -1;
00188
00189
00190
00191
00192
00193 msg_start = p = ((char *)packet->data) + (use_tcp ? 4 : 0);
00194 p += 2;
00195 RSSVAL(p, 0, pversion);
00196 p += 2;
00197 RSSVAL(p, 0, ap_req->length);
00198 p += 2;
00199 memcpy(p, ap_req->data, ap_req->length);
00200 p += ap_req->length;
00201 memcpy(p, cipherpw.data, cipherpw.length);
00202 p += cipherpw.length;
00203 packet->length = PTR_DIFF(p,packet->data);
00204 msg_length = PTR_DIFF(p,msg_start);
00205
00206 if (use_tcp) {
00207 RSIVAL(packet->data, 0, msg_length);
00208 }
00209 RSSVAL(msg_start, 0, msg_length);
00210
00211 free(cipherpw.data);
00212
00213 return 0;
00214 }
00215
00216 static const struct kpasswd_errors {
00217 int result_code;
00218 const char *error_string;
00219 } kpasswd_errors[] = {
00220 {KRB5_KPASSWD_MALFORMED, "Malformed request error"},
00221 {KRB5_KPASSWD_HARDERROR, "Server error"},
00222 {KRB5_KPASSWD_AUTHERROR, "Authentication error"},
00223 {KRB5_KPASSWD_SOFTERROR, "Password change rejected"},
00224 {KRB5_KPASSWD_ACCESSDENIED, "Client does not have proper authorization"},
00225 {KRB5_KPASSWD_BAD_VERSION, "Protocol version not supported"},
00226 {KRB5_KPASSWD_INITIAL_FLAG_NEEDED, "Authorization ticket must have initial flag set"},
00227 {KRB5_KPASSWD_POLICY_REJECT, "Password rejected due to policy requirements"},
00228 {KRB5_KPASSWD_BAD_PRINCIPAL, "Target principal does not exist"},
00229 {KRB5_KPASSWD_ETYPE_NOSUPP, "Unsupported encryption type"},
00230 {0, NULL}
00231 };
00232
00233 static krb5_error_code setpw_result_code_string(krb5_context context,
00234 int result_code,
00235 const char **code_string)
00236 {
00237 unsigned int idx = 0;
00238
00239 while (kpasswd_errors[idx].error_string != NULL) {
00240 if (kpasswd_errors[idx].result_code ==
00241 result_code) {
00242 *code_string = kpasswd_errors[idx].error_string;
00243 return 0;
00244 }
00245 idx++;
00246 }
00247 *code_string = "Password change failed";
00248 return (0);
00249 }
00250
00251 krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code)
00252 {
00253 switch(res_code) {
00254 case KRB5_KPASSWD_ACCESSDENIED:
00255 return KRB5KDC_ERR_BADOPTION;
00256 case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
00257 return KRB5KDC_ERR_BADOPTION;
00258
00259 case KRB5_KPASSWD_ETYPE_NOSUPP:
00260 return KRB5KDC_ERR_ETYPE_NOSUPP;
00261 case KRB5_KPASSWD_BAD_PRINCIPAL:
00262 return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
00263 case KRB5_KPASSWD_POLICY_REJECT:
00264 case KRB5_KPASSWD_SOFTERROR:
00265 return KRB5KDC_ERR_POLICY;
00266 default:
00267 return KRB5KRB_ERR_GENERIC;
00268 }
00269 }
00270 static krb5_error_code parse_setpw_reply(krb5_context context,
00271 BOOL use_tcp,
00272 krb5_auth_context auth_context,
00273 krb5_data *packet)
00274 {
00275 krb5_data ap_rep;
00276 char *p;
00277 int vnum, ret, res_code;
00278 krb5_data cipherresult;
00279 krb5_data clearresult;
00280 krb5_ap_rep_enc_part *ap_rep_enc;
00281 krb5_replay_data replay;
00282 unsigned int msg_length = packet->length;
00283
00284
00285 if (packet->length < (use_tcp ? 8 : 4)) {
00286 return KRB5KRB_AP_ERR_MODIFIED;
00287 }
00288
00289 p = packet->data;
00290
00291
00292
00293 if (krb5_is_krb_error(packet)) {
00294
00295 ret = handle_krberror_packet(context, packet);
00296 if (ret) {
00297 return ret;
00298 }
00299 }
00300
00301
00302
00303 if (use_tcp) {
00304 msg_length -= 4;
00305 if (RIVAL(p, 0) != msg_length) {
00306 DEBUG(1,("Bad TCP packet length (%d/%d) from kpasswd server\n",
00307 RIVAL(p, 0), msg_length));
00308 return KRB5KRB_AP_ERR_MODIFIED;
00309 }
00310
00311 p += 4;
00312 }
00313
00314 if (RSVAL(p, 0) != msg_length) {
00315 DEBUG(1,("Bad packet length (%d/%d) from kpasswd server\n",
00316 RSVAL(p, 0), msg_length));
00317 return KRB5KRB_AP_ERR_MODIFIED;
00318 }
00319
00320 p += 2;
00321
00322 vnum = RSVAL(p, 0); p += 2;
00323
00324
00325 if (vnum != KRB5_KPASSWD_VERS_SETPW &&
00326 vnum != KRB5_KPASSWD_VERS_SETPW_ALT &&
00327 vnum != KRB5_KPASSWD_VERS_CHANGEPW) {
00328 DEBUG(1,("Bad vnum (%d) from kpasswd server\n", vnum));
00329 return KRB5KDC_ERR_BAD_PVNO;
00330 }
00331
00332 ap_rep.length = RSVAL(p, 0); p += 2;
00333
00334 if (p + ap_rep.length >= (char *)packet->data + packet->length) {
00335 DEBUG(1,("ptr beyond end of packet from kpasswd server\n"));
00336 return KRB5KRB_AP_ERR_MODIFIED;
00337 }
00338
00339 if (ap_rep.length == 0) {
00340 DEBUG(1,("got unencrypted setpw result?!\n"));
00341 return KRB5KRB_AP_ERR_MODIFIED;
00342 }
00343
00344
00345 ap_rep.data = p;
00346 p += ap_rep.length;
00347
00348 ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
00349 if (ret) {
00350 DEBUG(1,("failed to rd setpw reply (%s)\n", error_message(ret)));
00351 return KRB5KRB_AP_ERR_MODIFIED;
00352 }
00353
00354 krb5_free_ap_rep_enc_part(context, ap_rep_enc);
00355
00356 cipherresult.data = p;
00357 cipherresult.length = ((char *)packet->data + packet->length) - p;
00358
00359 ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
00360 &replay);
00361 if (ret) {
00362 DEBUG(1,("failed to decrypt setpw reply (%s)\n", error_message(ret)));
00363 return KRB5KRB_AP_ERR_MODIFIED;
00364 }
00365
00366 if (clearresult.length < 2) {
00367 free(clearresult.data);
00368 ret = KRB5KRB_AP_ERR_MODIFIED;
00369 return KRB5KRB_AP_ERR_MODIFIED;
00370 }
00371
00372 p = clearresult.data;
00373
00374 res_code = RSVAL(p, 0);
00375
00376 free(clearresult.data);
00377
00378 if ((res_code < KRB5_KPASSWD_SUCCESS) ||
00379 (res_code > KRB5_KPASSWD_ETYPE_NOSUPP)) {
00380 return KRB5KRB_AP_ERR_MODIFIED;
00381 }
00382
00383 if (res_code == KRB5_KPASSWD_SUCCESS) {
00384 return 0;
00385 } else {
00386 const char *errstr;
00387 setpw_result_code_string(context, res_code, &errstr);
00388 DEBUG(1, ("Error changing password: %s (%d)\n", errstr, res_code));
00389
00390 return kpasswd_err_to_krb5_err(res_code);
00391 }
00392 }
00393
00394 static ADS_STATUS do_krb5_kpasswd_request(krb5_context context,
00395 const char *kdc_host,
00396 uint16 pversion,
00397 krb5_creds *credsp,
00398 const char *princ,
00399 const char *newpw)
00400 {
00401 krb5_auth_context auth_context = NULL;
00402 krb5_data ap_req, chpw_req, chpw_rep;
00403 int ret, sock;
00404 socklen_t addr_len;
00405 struct sockaddr remote_addr, local_addr;
00406 struct in_addr *addr = interpret_addr2(kdc_host);
00407 krb5_address local_kaddr, remote_kaddr;
00408 BOOL use_tcp = False;
00409
00410
00411 ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
00412 NULL, credsp, &ap_req);
00413 if (ret) {
00414 DEBUG(1,("krb5_mk_req_extended failed (%s)\n", error_message(ret)));
00415 return ADS_ERROR_KRB5(ret);
00416 }
00417
00418 do {
00419
00420 if (!use_tcp) {
00421
00422 sock = open_udp_socket(kdc_host, DEFAULT_KPASSWD_PORT);
00423
00424 } else {
00425
00426 sock = open_socket_out(SOCK_STREAM, addr, DEFAULT_KPASSWD_PORT,
00427 LONG_CONNECT_TIMEOUT);
00428 }
00429
00430 if (sock == -1) {
00431 int rc = errno;
00432 SAFE_FREE(ap_req.data);
00433 krb5_auth_con_free(context, auth_context);
00434 DEBUG(1,("failed to open kpasswd socket to %s (%s)\n",
00435 kdc_host, strerror(errno)));
00436 return ADS_ERROR_SYSTEM(rc);
00437 }
00438
00439 addr_len = sizeof(remote_addr);
00440 getpeername(sock, &remote_addr, &addr_len);
00441 addr_len = sizeof(local_addr);
00442 getsockname(sock, &local_addr, &addr_len);
00443
00444 setup_kaddr(&remote_kaddr, &remote_addr);
00445 setup_kaddr(&local_kaddr, &local_addr);
00446
00447 ret = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL);
00448 if (ret) {
00449 close(sock);
00450 SAFE_FREE(ap_req.data);
00451 krb5_auth_con_free(context, auth_context);
00452 DEBUG(1,("krb5_auth_con_setaddrs failed (%s)\n", error_message(ret)));
00453 return ADS_ERROR_KRB5(ret);
00454 }
00455
00456 ret = build_kpasswd_request(pversion, context, auth_context, &ap_req,
00457 princ, newpw, use_tcp, &chpw_req);
00458 if (ret) {
00459 close(sock);
00460 SAFE_FREE(ap_req.data);
00461 krb5_auth_con_free(context, auth_context);
00462 DEBUG(1,("build_setpw_request failed (%s)\n", error_message(ret)));
00463 return ADS_ERROR_KRB5(ret);
00464 }
00465
00466 ret = write(sock, chpw_req.data, chpw_req.length);
00467
00468 if (ret != chpw_req.length) {
00469 close(sock);
00470 SAFE_FREE(chpw_req.data);
00471 SAFE_FREE(ap_req.data);
00472 krb5_auth_con_free(context, auth_context);
00473 DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
00474 return ADS_ERROR_SYSTEM(errno);
00475 }
00476
00477 SAFE_FREE(chpw_req.data);
00478
00479 chpw_rep.length = 1500;
00480 chpw_rep.data = (char *) SMB_MALLOC(chpw_rep.length);
00481 if (!chpw_rep.data) {
00482 close(sock);
00483 SAFE_FREE(ap_req.data);
00484 krb5_auth_con_free(context, auth_context);
00485 DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
00486 errno = ENOMEM;
00487 return ADS_ERROR_SYSTEM(errno);
00488 }
00489
00490 ret = read(sock, chpw_rep.data, chpw_rep.length);
00491 if (ret < 0) {
00492 close(sock);
00493 SAFE_FREE(chpw_rep.data);
00494 SAFE_FREE(ap_req.data);
00495 krb5_auth_con_free(context, auth_context);
00496 DEBUG(1,("recv of chpw reply failed (%s)\n", strerror(errno)));
00497 return ADS_ERROR_SYSTEM(errno);
00498 }
00499
00500 close(sock);
00501 chpw_rep.length = ret;
00502
00503 ret = krb5_auth_con_setaddrs(context, auth_context, NULL,&remote_kaddr);
00504 if (ret) {
00505 SAFE_FREE(chpw_rep.data);
00506 SAFE_FREE(ap_req.data);
00507 krb5_auth_con_free(context, auth_context);
00508 DEBUG(1,("krb5_auth_con_setaddrs on reply failed (%s)\n",
00509 error_message(ret)));
00510 return ADS_ERROR_KRB5(ret);
00511 }
00512
00513 ret = parse_setpw_reply(context, use_tcp, auth_context, &chpw_rep);
00514 SAFE_FREE(chpw_rep.data);
00515
00516 if (ret) {
00517
00518 if (ret == KRB5KRB_ERR_RESPONSE_TOO_BIG && !use_tcp) {
00519 DEBUG(5, ("Trying setpw with TCP!!!\n"));
00520 use_tcp = True;
00521 continue;
00522 }
00523
00524 SAFE_FREE(ap_req.data);
00525 krb5_auth_con_free(context, auth_context);
00526 DEBUG(1,("parse_setpw_reply failed (%s)\n",
00527 error_message(ret)));
00528 return ADS_ERROR_KRB5(ret);
00529 }
00530
00531 SAFE_FREE(ap_req.data);
00532 krb5_auth_con_free(context, auth_context);
00533 } while ( ret );
00534
00535 return ADS_SUCCESS;
00536 }
00537
00538 ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ,
00539 const char *newpw, int time_offset)
00540 {
00541
00542 ADS_STATUS aret;
00543 krb5_error_code ret = 0;
00544 krb5_context context = NULL;
00545 krb5_principal principal = NULL;
00546 char *princ_name = NULL;
00547 char *realm = NULL;
00548 krb5_creds creds, *credsp = NULL;
00549 #if KRB5_PRINC_REALM_RETURNS_REALM
00550 krb5_realm orig_realm;
00551 #else
00552 krb5_data orig_realm;
00553 #endif
00554 krb5_ccache ccache = NULL;
00555
00556 ZERO_STRUCT(creds);
00557
00558 initialize_krb5_error_table();
00559 ret = krb5_init_context(&context);
00560 if (ret) {
00561 DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
00562 return ADS_ERROR_KRB5(ret);
00563 }
00564
00565 if (time_offset != 0) {
00566 krb5_set_real_time(context, time(NULL) + time_offset, 0);
00567 }
00568
00569 ret = krb5_cc_default(context, &ccache);
00570 if (ret) {
00571 krb5_free_context(context);
00572 DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
00573 return ADS_ERROR_KRB5(ret);
00574 }
00575
00576 realm = strchr_m(princ, '@');
00577 if (!realm) {
00578 krb5_cc_close(context, ccache);
00579 krb5_free_context(context);
00580 DEBUG(1,("Failed to get realm\n"));
00581 return ADS_ERROR_KRB5(-1);
00582 }
00583 realm++;
00584
00585 asprintf(&princ_name, "kadmin/changepw@%s", realm);
00586 ret = smb_krb5_parse_name(context, princ_name, &creds.server);
00587 if (ret) {
00588 krb5_cc_close(context, ccache);
00589 krb5_free_context(context);
00590 DEBUG(1,("Failed to parse kadmin/changepw (%s)\n", error_message(ret)));
00591 return ADS_ERROR_KRB5(ret);
00592 }
00593
00594
00595 ret = smb_krb5_parse_name(context, princ, &principal);
00596 if (ret) {
00597 krb5_cc_close(context, ccache);
00598 krb5_free_principal(context, creds.server);
00599 krb5_free_context(context);
00600 DEBUG(1,("Failed to parse %s (%s)\n", princ_name, error_message(ret)));
00601 free(princ_name);
00602 return ADS_ERROR_KRB5(ret);
00603 }
00604
00605 free(princ_name);
00606
00607
00608
00609 orig_realm = *krb5_princ_realm(context, creds.server);
00610 krb5_princ_set_realm(context, creds.server, krb5_princ_realm(context, principal));
00611
00612 ret = krb5_cc_get_principal(context, ccache, &creds.client);
00613 if (ret) {
00614 krb5_cc_close(context, ccache);
00615 krb5_princ_set_realm(context, creds.server, &orig_realm);
00616 krb5_free_principal(context, creds.server);
00617 krb5_free_principal(context, principal);
00618 krb5_free_context(context);
00619 DEBUG(1,("Failed to get principal from ccache (%s)\n",
00620 error_message(ret)));
00621 return ADS_ERROR_KRB5(ret);
00622 }
00623
00624 ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
00625 if (ret) {
00626 krb5_cc_close(context, ccache);
00627 krb5_free_principal(context, creds.client);
00628 krb5_princ_set_realm(context, creds.server, &orig_realm);
00629 krb5_free_principal(context, creds.server);
00630 krb5_free_principal(context, principal);
00631 krb5_free_context(context);
00632 DEBUG(1,("krb5_get_credentials failed (%s)\n", error_message(ret)));
00633 return ADS_ERROR_KRB5(ret);
00634 }
00635
00636
00637
00638 aret = do_krb5_kpasswd_request(context, kdc_host,
00639 KRB5_KPASSWD_VERS_SETPW,
00640 credsp, princ, newpw);
00641
00642 krb5_free_creds(context, credsp);
00643 krb5_free_principal(context, creds.client);
00644 krb5_princ_set_realm(context, creds.server, &orig_realm);
00645 krb5_free_principal(context, creds.server);
00646 krb5_free_principal(context, principal);
00647 krb5_cc_close(context, ccache);
00648 krb5_free_context(context);
00649
00650 return aret;
00651 }
00652
00653
00654
00655
00656
00657
00658 static krb5_error_code
00659 kerb_prompter(krb5_context ctx, void *data,
00660 const char *name,
00661 const char *banner,
00662 int num_prompts,
00663 krb5_prompt prompts[])
00664 {
00665 if (num_prompts == 0) return 0;
00666
00667 memset(prompts[0].reply->data, 0, prompts[0].reply->length);
00668 if (prompts[0].reply->length > 0) {
00669 if (data) {
00670 strncpy(prompts[0].reply->data,
00671 (const char *)data,
00672 prompts[0].reply->length-1);
00673 prompts[0].reply->length = strlen(prompts[0].reply->data);
00674 } else {
00675 prompts[0].reply->length = 0;
00676 }
00677 }
00678 return 0;
00679 }
00680
00681 static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
00682 const char *principal,
00683 const char *oldpw,
00684 const char *newpw,
00685 int time_offset)
00686 {
00687 ADS_STATUS aret;
00688 krb5_error_code ret;
00689 krb5_context context = NULL;
00690 krb5_principal princ;
00691 krb5_get_init_creds_opt opts;
00692 krb5_creds creds;
00693 char *chpw_princ = NULL, *password;
00694
00695 initialize_krb5_error_table();
00696 ret = krb5_init_context(&context);
00697 if (ret) {
00698 DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
00699 return ADS_ERROR_KRB5(ret);
00700 }
00701
00702 if ((ret = smb_krb5_parse_name(context, principal,
00703 &princ))) {
00704 krb5_free_context(context);
00705 DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
00706 return ADS_ERROR_KRB5(ret);
00707 }
00708
00709 krb5_get_init_creds_opt_init(&opts);
00710 krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
00711 krb5_get_init_creds_opt_set_renew_life(&opts, 0);
00712 krb5_get_init_creds_opt_set_forwardable(&opts, 0);
00713 krb5_get_init_creds_opt_set_proxiable(&opts, 0);
00714
00715
00716 asprintf(&chpw_princ, "kadmin/changepw@%s",
00717 (char *) krb5_princ_realm(context, princ));
00718 password = SMB_STRDUP(oldpw);
00719 ret = krb5_get_init_creds_password(context, &creds, princ, password,
00720 kerb_prompter, NULL,
00721 0, chpw_princ, &opts);
00722 SAFE_FREE(chpw_princ);
00723 SAFE_FREE(password);
00724
00725 if (ret) {
00726 if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
00727 DEBUG(1,("Password incorrect while getting initial ticket"));
00728 else
00729 DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
00730
00731 krb5_free_principal(context, princ);
00732 krb5_free_context(context);
00733 return ADS_ERROR_KRB5(ret);
00734 }
00735
00736 aret = do_krb5_kpasswd_request(context, kdc_host,
00737 KRB5_KPASSWD_VERS_CHANGEPW,
00738 &creds, principal, newpw);
00739
00740 krb5_free_principal(context, princ);
00741 krb5_free_context(context);
00742
00743 return aret;
00744 }
00745
00746
00747 ADS_STATUS kerberos_set_password(const char *kpasswd_server,
00748 const char *auth_principal, const char *auth_password,
00749 const char *target_principal, const char *new_password,
00750 int time_offset)
00751 {
00752 int ret;
00753
00754 if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
00755 DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
00756 return ADS_ERROR_KRB5(ret);
00757 }
00758
00759 if (!strcmp(auth_principal, target_principal))
00760 return ads_krb5_chg_password(kpasswd_server, target_principal,
00761 auth_password, new_password, time_offset);
00762 else
00763 return ads_krb5_set_password(kpasswd_server, target_principal,
00764 new_password, time_offset);
00765 }
00766
00767
00768
00769
00770
00771
00772
00773
00774
00775 ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
00776 const char *machine_account,
00777 const char *password)
00778 {
00779 ADS_STATUS status;
00780 char *principal = NULL;
00781
00782
00783
00784
00785
00786
00787 asprintf(&principal, "%s@%s", machine_account, ads->config.realm);
00788
00789 status = ads_krb5_set_password(ads->auth.kdc_server, principal,
00790 password, ads->auth.time_offset);
00791
00792 free(principal);
00793
00794 return status;
00795 }
00796
00797
00798
00799 #endif