libads/krb5_setpw.c

ソースコードを見る。

データ構造

struct  kpasswd_errors

関数

static DATA_BLOB encode_krb5_setpw (const char *principal, const char *password)
static krb5_error_code build_kpasswd_request (uint16 pversion, krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, const char *princ, const char *passwd, BOOL use_tcp, krb5_data *packet)
static krb5_error_code setpw_result_code_string (krb5_context context, int result_code, const char **code_string)
krb5_error_code kpasswd_err_to_krb5_err (krb5_error_code res_code)
static krb5_error_code parse_setpw_reply (krb5_context context, BOOL use_tcp, krb5_auth_context auth_context, krb5_data *packet)
static ADS_STATUS do_krb5_kpasswd_request (krb5_context context, const char *kdc_host, uint16 pversion, krb5_creds *credsp, const char *princ, const char *newpw)
ADS_STATUS ads_krb5_set_password (const char *kdc_host, const char *princ, const char *newpw, int time_offset)
static krb5_error_code kerb_prompter (krb5_context ctx, void *data, const char *name, const char *banner, int num_prompts, krb5_prompt prompts[])
static ADS_STATUS ads_krb5_chg_password (const char *kdc_host, const char *principal, const char *oldpw, const char *newpw, int time_offset)
ADS_STATUS kerberos_set_password (const char *kpasswd_server, const char *auth_principal, const char *auth_password, const char *target_principal, const char *new_password, int time_offset)
ADS_STATUS ads_set_machine_password (ADS_STRUCT *ads, const char *machine_account, const char *password)
 Set the machine account password


関数

static DATA_BLOB encode_krb5_setpw ( const char *  principal,
const char *  password 
) [static]

krb5_setpw.c61 行で定義されています。

参照先 asn1_free()asn1_pop_tag()asn1_push_tag()asn1_write_GeneralString()asn1_write_Integer()asn1_write_OctetString()cdata_blob()strchr_m().

参照元 build_kpasswd_request().

00062 {
00063         char* princ_part1 = NULL;
00064         char* princ_part2 = NULL;
00065         char* realm = NULL;
00066         char* c;
00067         char* princ;
00068 
00069         ASN1_DATA req;
00070         DATA_BLOB ret;
00071 
00072 
00073         princ = SMB_STRDUP(principal);
00074 
00075         if ((c = strchr_m(princ, '/')) == NULL) {
00076                 c = princ; 
00077         } else {
00078                 *c = '\0';
00079                 c++;
00080                 princ_part1 = princ;
00081         }
00082 
00083         princ_part2 = c;
00084 
00085         if ((c = strchr_m(c, '@')) != NULL) {
00086                 *c = '\0';
00087                 c++;
00088                 realm = c;
00089         } else {
00090                 /* We must have a realm component. */
00091                 return data_blob(NULL, 0);
00092         }
00093 
00094         memset(&req, 0, sizeof(req));
00095         
00096         asn1_push_tag(&req, ASN1_SEQUENCE(0));
00097         asn1_push_tag(&req, ASN1_CONTEXT(0));
00098         asn1_write_OctetString(&req, password, strlen(password));
00099         asn1_pop_tag(&req);
00100 
00101         asn1_push_tag(&req, ASN1_CONTEXT(1));
00102         asn1_push_tag(&req, ASN1_SEQUENCE(0));
00103 
00104         asn1_push_tag(&req, ASN1_CONTEXT(0));
00105         asn1_write_Integer(&req, 1);
00106         asn1_pop_tag(&req);
00107 
00108         asn1_push_tag(&req, ASN1_CONTEXT(1));
00109         asn1_push_tag(&req, ASN1_SEQUENCE(0));
00110 
00111         if (princ_part1) {
00112                 asn1_write_GeneralString(&req, princ_part1);
00113         }
00114         
00115         asn1_write_GeneralString(&req, princ_part2);
00116         asn1_pop_tag(&req);
00117         asn1_pop_tag(&req);
00118         asn1_pop_tag(&req);
00119         asn1_pop_tag(&req);
00120 
00121         asn1_push_tag(&req, ASN1_CONTEXT(2));
00122         asn1_write_GeneralString(&req, realm);
00123         asn1_pop_tag(&req);
00124         asn1_pop_tag(&req);
00125 
00126         ret = data_blob(req.data, req.length);
00127         asn1_free(&req);
00128 
00129         free(princ);
00130 
00131         return ret;
00132 }       

static krb5_error_code build_kpasswd_request ( uint16  pversion,
krb5_context  context,
krb5_auth_context  auth_context,
krb5_data *  ap_req,
const char *  princ,
const char *  passwd,
BOOL  use_tcp,
krb5_data *  packet 
) [static]

krb5_setpw.c134 行で定義されています。

参照先 data_blob_::datadata_blob()data_blob_free()encode_krb5_setpw()data_blob_::length.

参照元 do_krb5_kpasswd_request().

00142 {
00143         krb5_error_code ret;
00144         krb5_data cipherpw;
00145         krb5_data encoded_setpw;
00146         krb5_replay_data replay;
00147         char *p, *msg_start;
00148         DATA_BLOB setpw;
00149         unsigned int msg_length;
00150 
00151         ret = krb5_auth_con_setflags(context,
00152                                      auth_context,KRB5_AUTH_CONTEXT_DO_SEQUENCE);
00153         if (ret) {
00154                 DEBUG(1,("krb5_auth_con_setflags failed (%s)\n",
00155                          error_message(ret)));
00156                 return ret;
00157         }
00158 
00159         /* handle protocol differences in chpw and setpw */
00160         if (pversion  == KRB5_KPASSWD_VERS_CHANGEPW)
00161                 setpw = data_blob(passwd, strlen(passwd));
00162         else if (pversion == KRB5_KPASSWD_VERS_SETPW ||
00163                  pversion == KRB5_KPASSWD_VERS_SETPW_ALT)
00164                 setpw = encode_krb5_setpw(princ, passwd);
00165         else
00166                 return EINVAL;
00167 
00168         if (setpw.data == NULL || setpw.length == 0) {
00169                 return EINVAL;
00170         }
00171 
00172         encoded_setpw.data = (char *)setpw.data;
00173         encoded_setpw.length = setpw.length;
00174 
00175         ret = krb5_mk_priv(context, auth_context,
00176                            &encoded_setpw, &cipherpw, &replay);
00177         
00178         data_blob_free(&setpw);         /*from 'encode_krb5_setpw(...)' */
00179         
00180         if (ret) {
00181                 DEBUG(1,("krb5_mk_priv failed (%s)\n", error_message(ret)));
00182                 return ret;
00183         }
00184 
00185         packet->data = (char *)SMB_MALLOC(ap_req->length + cipherpw.length + (use_tcp ? 10 : 6 ));
00186         if (!packet->data)
00187                 return -1;
00188 
00189 
00190 
00191         /* see the RFC for details */
00192 
00193         msg_start = p = ((char *)packet->data) + (use_tcp ? 4 : 0);
00194         p += 2;
00195         RSSVAL(p, 0, pversion);
00196         p += 2;
00197         RSSVAL(p, 0, ap_req->length);
00198         p += 2;
00199         memcpy(p, ap_req->data, ap_req->length);
00200         p += ap_req->length;
00201         memcpy(p, cipherpw.data, cipherpw.length);
00202         p += cipherpw.length;
00203         packet->length = PTR_DIFF(p,packet->data);
00204         msg_length = PTR_DIFF(p,msg_start);
00205 
00206         if (use_tcp) {
00207                 RSIVAL(packet->data, 0, msg_length);
00208         }
00209         RSSVAL(msg_start, 0, msg_length);
00210         
00211         free(cipherpw.data);    /* from 'krb5_mk_priv(...)' */
00212 
00213         return 0;
00214 }

static krb5_error_code setpw_result_code_string ( krb5_context  context,
int  result_code,
const char **  code_string 
) [static]

krb5_setpw.c233 行で定義されています。

参照元 parse_setpw_reply().

00236 {
00237         unsigned int idx = 0;
00238 
00239         while (kpasswd_errors[idx].error_string != NULL) {
00240                 if (kpasswd_errors[idx].result_code == 
00241                     result_code) {
00242                         *code_string = kpasswd_errors[idx].error_string;
00243                         return 0;
00244                 }
00245                 idx++;
00246         }
00247         *code_string = "Password change failed";
00248         return (0);
00249 }

krb5_error_code kpasswd_err_to_krb5_err ( krb5_error_code  res_code  ) 

krb5_setpw.c251 行で定義されています。

参照元 parse_setpw_reply().

00252 {
00253         switch(res_code) {
00254                 case KRB5_KPASSWD_ACCESSDENIED:
00255                         return KRB5KDC_ERR_BADOPTION;
00256                 case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
00257                         return KRB5KDC_ERR_BADOPTION;
00258                         /* return KV5M_ALT_METHOD; MIT-only define */
00259                 case KRB5_KPASSWD_ETYPE_NOSUPP:
00260                         return KRB5KDC_ERR_ETYPE_NOSUPP;
00261                 case KRB5_KPASSWD_BAD_PRINCIPAL:
00262                         return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
00263                 case KRB5_KPASSWD_POLICY_REJECT:
00264                 case KRB5_KPASSWD_SOFTERROR:
00265                         return KRB5KDC_ERR_POLICY;
00266                 default:
00267                         return KRB5KRB_ERR_GENERIC;
00268         }
00269 }

static krb5_error_code parse_setpw_reply ( krb5_context  context,
BOOL  use_tcp,
krb5_auth_context  auth_context,
krb5_data *  packet 
) [static]

krb5_setpw.c270 行で定義されています。

参照先 handle_krberror_packet()kpasswd_err_to_krb5_err()setpw_result_code_string().

参照元 do_krb5_kpasswd_request().

00274 {
00275         krb5_data ap_rep;
00276         char *p;
00277         int vnum, ret, res_code;
00278         krb5_data cipherresult;
00279         krb5_data clearresult;
00280         krb5_ap_rep_enc_part *ap_rep_enc;
00281         krb5_replay_data replay;
00282         unsigned int msg_length = packet->length;
00283 
00284 
00285         if (packet->length < (use_tcp ? 8 : 4)) {
00286                 return KRB5KRB_AP_ERR_MODIFIED;
00287         }
00288         
00289         p = packet->data;
00290         /*
00291         ** see if it is an error
00292         */
00293         if (krb5_is_krb_error(packet)) {
00294 
00295                 ret = handle_krberror_packet(context, packet);
00296                 if (ret) {
00297                         return ret;
00298                 }
00299         }
00300 
00301         
00302         /* tcp... */
00303         if (use_tcp) {
00304                 msg_length -= 4;
00305                 if (RIVAL(p, 0) != msg_length) {
00306                         DEBUG(1,("Bad TCP packet length (%d/%d) from kpasswd server\n",
00307                         RIVAL(p, 0), msg_length));
00308                         return KRB5KRB_AP_ERR_MODIFIED;
00309                 }
00310 
00311                 p += 4;
00312         }
00313         
00314         if (RSVAL(p, 0) != msg_length) {
00315                 DEBUG(1,("Bad packet length (%d/%d) from kpasswd server\n",
00316                          RSVAL(p, 0), msg_length));
00317                 return KRB5KRB_AP_ERR_MODIFIED;
00318         }
00319 
00320         p += 2;
00321 
00322         vnum = RSVAL(p, 0); p += 2;
00323 
00324         /* FIXME: According to standard there is only one type of reply */      
00325         if (vnum != KRB5_KPASSWD_VERS_SETPW && 
00326             vnum != KRB5_KPASSWD_VERS_SETPW_ALT && 
00327             vnum != KRB5_KPASSWD_VERS_CHANGEPW) {
00328                 DEBUG(1,("Bad vnum (%d) from kpasswd server\n", vnum));
00329                 return KRB5KDC_ERR_BAD_PVNO;
00330         }
00331         
00332         ap_rep.length = RSVAL(p, 0); p += 2;
00333         
00334         if (p + ap_rep.length >= (char *)packet->data + packet->length) {
00335                 DEBUG(1,("ptr beyond end of packet from kpasswd server\n"));
00336                 return KRB5KRB_AP_ERR_MODIFIED;
00337         }
00338         
00339         if (ap_rep.length == 0) {
00340                 DEBUG(1,("got unencrypted setpw result?!\n"));
00341                 return KRB5KRB_AP_ERR_MODIFIED;
00342         }
00343 
00344         /* verify ap_rep */
00345         ap_rep.data = p;
00346         p += ap_rep.length;
00347         
00348         ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
00349         if (ret) {
00350                 DEBUG(1,("failed to rd setpw reply (%s)\n", error_message(ret)));
00351                 return KRB5KRB_AP_ERR_MODIFIED;
00352         }
00353         
00354         krb5_free_ap_rep_enc_part(context, ap_rep_enc);
00355         
00356         cipherresult.data = p;
00357         cipherresult.length = ((char *)packet->data + packet->length) - p;
00358                 
00359         ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
00360                            &replay);
00361         if (ret) {
00362                 DEBUG(1,("failed to decrypt setpw reply (%s)\n", error_message(ret)));
00363                 return KRB5KRB_AP_ERR_MODIFIED;
00364         }
00365 
00366         if (clearresult.length < 2) {
00367                 free(clearresult.data);
00368                 ret = KRB5KRB_AP_ERR_MODIFIED;
00369                 return KRB5KRB_AP_ERR_MODIFIED;
00370         }
00371         
00372         p = clearresult.data;
00373         
00374         res_code = RSVAL(p, 0);
00375         
00376         free(clearresult.data);
00377 
00378         if ((res_code < KRB5_KPASSWD_SUCCESS) || 
00379             (res_code > KRB5_KPASSWD_ETYPE_NOSUPP)) {
00380                 return KRB5KRB_AP_ERR_MODIFIED;
00381         }
00382 
00383         if (res_code == KRB5_KPASSWD_SUCCESS) {
00384                 return 0;
00385         } else {
00386                 const char *errstr;
00387                 setpw_result_code_string(context, res_code, &errstr);
00388                 DEBUG(1, ("Error changing password: %s (%d)\n", errstr, res_code));
00389 
00390                 return kpasswd_err_to_krb5_err(res_code);
00391         }
00392 }

static ADS_STATUS do_krb5_kpasswd_request ( krb5_context  context,
const char *  kdc_host,
uint16  pversion,
krb5_creds *  credsp,
const char *  princ,
const char *  newpw 
) [static]

krb5_setpw.c394 行で定義されています。

参照先 build_kpasswd_request()errnointerpret_addr2()open_socket_out()open_udp_socket()parse_setpw_reply()setup_kaddr()strerror().

参照元 ads_krb5_chg_password()ads_krb5_set_password().

00400 {
00401         krb5_auth_context auth_context = NULL;
00402         krb5_data ap_req, chpw_req, chpw_rep;
00403         int ret, sock;
00404         socklen_t addr_len;
00405         struct sockaddr remote_addr, local_addr;
00406         struct in_addr *addr = interpret_addr2(kdc_host);
00407         krb5_address local_kaddr, remote_kaddr;
00408         BOOL    use_tcp = False;
00409 
00410 
00411         ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
00412                                    NULL, credsp, &ap_req);
00413         if (ret) {
00414                 DEBUG(1,("krb5_mk_req_extended failed (%s)\n", error_message(ret)));
00415                 return ADS_ERROR_KRB5(ret);
00416         }
00417 
00418         do {
00419 
00420                 if (!use_tcp) {
00421 
00422                         sock = open_udp_socket(kdc_host, DEFAULT_KPASSWD_PORT);
00423 
00424                 } else {
00425 
00426                         sock = open_socket_out(SOCK_STREAM, addr, DEFAULT_KPASSWD_PORT, 
00427                                                LONG_CONNECT_TIMEOUT);
00428                 }
00429 
00430                 if (sock == -1) {
00431                         int rc = errno;
00432                         SAFE_FREE(ap_req.data);
00433                         krb5_auth_con_free(context, auth_context);
00434                         DEBUG(1,("failed to open kpasswd socket to %s (%s)\n", 
00435                                  kdc_host, strerror(errno)));
00436                         return ADS_ERROR_SYSTEM(rc);
00437                 }
00438                 
00439                 addr_len = sizeof(remote_addr);
00440                 getpeername(sock, &remote_addr, &addr_len);
00441                 addr_len = sizeof(local_addr);
00442                 getsockname(sock, &local_addr, &addr_len);
00443                 
00444                 setup_kaddr(&remote_kaddr, &remote_addr);
00445                 setup_kaddr(&local_kaddr, &local_addr);
00446         
00447                 ret = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL);
00448                 if (ret) {
00449                         close(sock);
00450                         SAFE_FREE(ap_req.data);
00451                         krb5_auth_con_free(context, auth_context);
00452                         DEBUG(1,("krb5_auth_con_setaddrs failed (%s)\n", error_message(ret)));
00453                         return ADS_ERROR_KRB5(ret);
00454                 }
00455         
00456                 ret = build_kpasswd_request(pversion, context, auth_context, &ap_req,
00457                                           princ, newpw, use_tcp, &chpw_req);
00458                 if (ret) {
00459                         close(sock);
00460                         SAFE_FREE(ap_req.data);
00461                         krb5_auth_con_free(context, auth_context);
00462                         DEBUG(1,("build_setpw_request failed (%s)\n", error_message(ret)));
00463                         return ADS_ERROR_KRB5(ret);
00464                 }
00465 
00466                 ret = write(sock, chpw_req.data, chpw_req.length); 
00467 
00468                 if (ret != chpw_req.length) {
00469                         close(sock);
00470                         SAFE_FREE(chpw_req.data);
00471                         SAFE_FREE(ap_req.data);
00472                         krb5_auth_con_free(context, auth_context);
00473                         DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
00474                         return ADS_ERROR_SYSTEM(errno);
00475                 }
00476         
00477                 SAFE_FREE(chpw_req.data);
00478         
00479                 chpw_rep.length = 1500;
00480                 chpw_rep.data = (char *) SMB_MALLOC(chpw_rep.length);
00481                 if (!chpw_rep.data) {
00482                         close(sock);
00483                         SAFE_FREE(ap_req.data);
00484                         krb5_auth_con_free(context, auth_context);
00485                         DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
00486                         errno = ENOMEM;
00487                         return ADS_ERROR_SYSTEM(errno);
00488                 }
00489         
00490                 ret = read(sock, chpw_rep.data, chpw_rep.length);
00491                 if (ret < 0) {
00492                         close(sock);
00493                         SAFE_FREE(chpw_rep.data);
00494                         SAFE_FREE(ap_req.data);
00495                         krb5_auth_con_free(context, auth_context);
00496                         DEBUG(1,("recv of chpw reply failed (%s)\n", strerror(errno)));
00497                         return ADS_ERROR_SYSTEM(errno);
00498                 }
00499         
00500                 close(sock);
00501                 chpw_rep.length = ret;
00502         
00503                 ret = krb5_auth_con_setaddrs(context, auth_context, NULL,&remote_kaddr);
00504                 if (ret) {
00505                         SAFE_FREE(chpw_rep.data);
00506                         SAFE_FREE(ap_req.data);
00507                         krb5_auth_con_free(context, auth_context);
00508                         DEBUG(1,("krb5_auth_con_setaddrs on reply failed (%s)\n", 
00509                                  error_message(ret)));
00510                         return ADS_ERROR_KRB5(ret);
00511                 }
00512         
00513                 ret = parse_setpw_reply(context, use_tcp, auth_context, &chpw_rep);
00514                 SAFE_FREE(chpw_rep.data);
00515         
00516                 if (ret) {
00517                         
00518                         if (ret == KRB5KRB_ERR_RESPONSE_TOO_BIG && !use_tcp) {
00519                                 DEBUG(5, ("Trying setpw with TCP!!!\n"));
00520                                 use_tcp = True;
00521                                 continue;
00522                         }
00523 
00524                         SAFE_FREE(ap_req.data);
00525                         krb5_auth_con_free(context, auth_context);
00526                         DEBUG(1,("parse_setpw_reply failed (%s)\n", 
00527                                  error_message(ret)));
00528                         return ADS_ERROR_KRB5(ret);
00529                 }
00530         
00531                 SAFE_FREE(ap_req.data);
00532                 krb5_auth_con_free(context, auth_context);
00533         } while ( ret );
00534 
00535         return ADS_SUCCESS;
00536 }

ADS_STATUS ads_krb5_set_password ( const char *  kdc_host,
const char *  princ,
const char *  newpw,
int  time_offset 
)

krb5_setpw.c538 行で定義されています。

参照先 asprintf()do_krb5_kpasswd_request()krb5_set_real_time()smb_krb5_parse_name()strchr_m().

参照元 ads_set_machine_password()ads_user_add()kerberos_set_password().

00540 {
00541 
00542         ADS_STATUS aret;
00543         krb5_error_code ret = 0;
00544         krb5_context context = NULL;
00545         krb5_principal principal = NULL;
00546         char *princ_name = NULL;
00547         char *realm = NULL;
00548         krb5_creds creds, *credsp = NULL;
00549 #if KRB5_PRINC_REALM_RETURNS_REALM
00550         krb5_realm orig_realm;
00551 #else
00552         krb5_data orig_realm;
00553 #endif
00554         krb5_ccache ccache = NULL;
00555 
00556         ZERO_STRUCT(creds);
00557         
00558         initialize_krb5_error_table();
00559         ret = krb5_init_context(&context);
00560         if (ret) {
00561                 DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
00562                 return ADS_ERROR_KRB5(ret);
00563         }
00564         
00565         if (time_offset != 0) {
00566                 krb5_set_real_time(context, time(NULL) + time_offset, 0);
00567         }
00568 
00569         ret = krb5_cc_default(context, &ccache);
00570         if (ret) {
00571                 krb5_free_context(context);
00572                 DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
00573                 return ADS_ERROR_KRB5(ret);
00574         }
00575 
00576         realm = strchr_m(princ, '@');
00577         if (!realm) {
00578                 krb5_cc_close(context, ccache);
00579                 krb5_free_context(context);
00580                 DEBUG(1,("Failed to get realm\n"));
00581                 return ADS_ERROR_KRB5(-1);
00582         }
00583         realm++;
00584 
00585         asprintf(&princ_name, "kadmin/changepw@%s", realm);
00586         ret = smb_krb5_parse_name(context, princ_name, &creds.server);
00587         if (ret) {
00588                 krb5_cc_close(context, ccache);
00589                 krb5_free_context(context);
00590                 DEBUG(1,("Failed to parse kadmin/changepw (%s)\n", error_message(ret)));
00591                 return ADS_ERROR_KRB5(ret);
00592         }
00593 
00594         /* parse the principal we got as a function argument */
00595         ret = smb_krb5_parse_name(context, princ, &principal);
00596         if (ret) {
00597                 krb5_cc_close(context, ccache);
00598                 krb5_free_principal(context, creds.server);
00599                 krb5_free_context(context);
00600                 DEBUG(1,("Failed to parse %s (%s)\n", princ_name, error_message(ret)));
00601                 free(princ_name);
00602                 return ADS_ERROR_KRB5(ret);
00603         }
00604 
00605         free(princ_name);
00606 
00607         /* The creds.server principal takes ownership of this memory.
00608                 Remember to set back to original value before freeing. */
00609         orig_realm = *krb5_princ_realm(context, creds.server);
00610         krb5_princ_set_realm(context, creds.server, krb5_princ_realm(context, principal));
00611         
00612         ret = krb5_cc_get_principal(context, ccache, &creds.client);
00613         if (ret) {
00614                 krb5_cc_close(context, ccache);
00615                 krb5_princ_set_realm(context, creds.server, &orig_realm);
00616                 krb5_free_principal(context, creds.server);
00617                 krb5_free_principal(context, principal);
00618                 krb5_free_context(context);
00619                 DEBUG(1,("Failed to get principal from ccache (%s)\n", 
00620                          error_message(ret)));
00621                 return ADS_ERROR_KRB5(ret);
00622         }
00623         
00624         ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp); 
00625         if (ret) {
00626                 krb5_cc_close(context, ccache);
00627                 krb5_free_principal(context, creds.client);
00628                 krb5_princ_set_realm(context, creds.server, &orig_realm);
00629                 krb5_free_principal(context, creds.server);
00630                 krb5_free_principal(context, principal);
00631                 krb5_free_context(context);
00632                 DEBUG(1,("krb5_get_credentials failed (%s)\n", error_message(ret)));
00633                 return ADS_ERROR_KRB5(ret);
00634         }
00635         
00636         /* we might have to call krb5_free_creds(...) from now on ... */
00637 
00638         aret = do_krb5_kpasswd_request(context, kdc_host,
00639                                        KRB5_KPASSWD_VERS_SETPW,
00640                                        credsp, princ, newpw);
00641 
00642         krb5_free_creds(context, credsp);
00643         krb5_free_principal(context, creds.client);
00644         krb5_princ_set_realm(context, creds.server, &orig_realm);
00645         krb5_free_principal(context, creds.server);
00646         krb5_free_principal(context, principal);
00647         krb5_cc_close(context, ccache);
00648         krb5_free_context(context);
00649 
00650         return aret;
00651 }

static krb5_error_code kerb_prompter ( krb5_context  ctx,
void *  data,
const char *  name,
const char *  banner,
int  num_prompts,
krb5_prompt  prompts[] 
) [static]

krb5_setpw.c659 行で定義されています。

00664 {
00665         if (num_prompts == 0) return 0;
00666 
00667         memset(prompts[0].reply->data, 0, prompts[0].reply->length);
00668         if (prompts[0].reply->length > 0) {
00669                 if (data) {
00670                         strncpy(prompts[0].reply->data,
00671                                 (const char *)data,
00672                                 prompts[0].reply->length-1);
00673                         prompts[0].reply->length = strlen(prompts[0].reply->data);
00674                 } else {
00675                         prompts[0].reply->length = 0;
00676                 }
00677         }
00678         return 0;
00679 }

static ADS_STATUS ads_krb5_chg_password ( const char *  kdc_host,
const char *  principal,
const char *  oldpw,
const char *  newpw,
int  time_offset 
) [static]

krb5_setpw.c681 行で定義されています。

参照先 asprintf()do_krb5_kpasswd_request()kerb_prompter()passwordsmb_krb5_parse_name().

参照元 kerberos_set_password().

00686 {
00687     ADS_STATUS aret;
00688     krb5_error_code ret;
00689     krb5_context context = NULL;
00690     krb5_principal princ;
00691     krb5_get_init_creds_opt opts;
00692     krb5_creds creds;
00693     char *chpw_princ = NULL, *password;
00694 
00695     initialize_krb5_error_table();
00696     ret = krb5_init_context(&context);
00697     if (ret) {
00698         DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
00699         return ADS_ERROR_KRB5(ret);
00700     }
00701 
00702     if ((ret = smb_krb5_parse_name(context, principal,
00703                                     &princ))) {
00704         krb5_free_context(context);
00705         DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
00706         return ADS_ERROR_KRB5(ret);
00707     }
00708 
00709     krb5_get_init_creds_opt_init(&opts);
00710     krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
00711     krb5_get_init_creds_opt_set_renew_life(&opts, 0);
00712     krb5_get_init_creds_opt_set_forwardable(&opts, 0);
00713     krb5_get_init_creds_opt_set_proxiable(&opts, 0);
00714 
00715     /* We have to obtain an INITIAL changepw ticket for changing password */
00716     asprintf(&chpw_princ, "kadmin/changepw@%s",
00717                                 (char *) krb5_princ_realm(context, princ));
00718     password = SMB_STRDUP(oldpw);
00719     ret = krb5_get_init_creds_password(context, &creds, princ, password,
00720                                            kerb_prompter, NULL, 
00721                                            0, chpw_princ, &opts);
00722     SAFE_FREE(chpw_princ);
00723     SAFE_FREE(password);
00724 
00725     if (ret) {
00726       if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
00727         DEBUG(1,("Password incorrect while getting initial ticket"));
00728       else
00729         DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
00730 
00731         krb5_free_principal(context, princ);
00732         krb5_free_context(context);
00733         return ADS_ERROR_KRB5(ret);
00734     }
00735 
00736     aret = do_krb5_kpasswd_request(context, kdc_host,
00737                                    KRB5_KPASSWD_VERS_CHANGEPW,
00738                                    &creds, principal, newpw);
00739 
00740     krb5_free_principal(context, princ);
00741     krb5_free_context(context);
00742 
00743     return aret;
00744 }

ADS_STATUS kerberos_set_password ( const char *  kpasswd_server,
const char *  auth_principal,
const char *  auth_password,
const char *  target_principal,
const char *  new_password,
int  time_offset 
)

krb5_setpw.c747 行で定義されています。

参照先 ads_krb5_chg_password()ads_krb5_set_password()kerberos_kinit_password().

参照元 ads_change_trust_account_password()net_ads_password().

00751 {
00752     int ret;
00753 
00754     if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
00755         DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
00756         return ADS_ERROR_KRB5(ret);
00757     }
00758 
00759     if (!strcmp(auth_principal, target_principal))
00760         return ads_krb5_chg_password(kpasswd_server, target_principal,
00761                                      auth_password, new_password, time_offset);
00762     else
00763         return ads_krb5_set_password(kpasswd_server, target_principal,
00764                                      new_password, time_offset);
00765 }

ADS_STATUS ads_set_machine_password ( ADS_STRUCT ads,
const char *  machine_account,
const char *  password 
)

Set the machine account password

引数:
ads connection to ads server
hostname machine whose password is being set
password new password
戻り値:
status of password change

krb5_setpw.c775 行で定義されています。

参照先 ads_krb5_set_password()asprintf()ADS_STRUCT::authADS_STRUCT::configADS_STRUCT::kdc_serverADS_STRUCT::realmstatusADS_STRUCT::time_offset.

00778 {
00779         ADS_STATUS status;
00780         char *principal = NULL; 
00781 
00782         /*
00783           we need to use the '$' form of the name here (the machine account name), 
00784           as otherwise the server might end up setting the password for a user
00785           instead
00786          */
00787         asprintf(&principal, "%s@%s", machine_account, ads->config.realm);
00788         
00789         status = ads_krb5_set_password(ads->auth.kdc_server, principal, 
00790                                        password, ads->auth.time_offset);
00791         
00792         free(principal);
00793 
00794         return status;
00795 }


Sambaに対してSat Aug 29 21:23:42 2009に生成されました。  doxygen 1.4.7