summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2017-05-19 17:17:00 +0200
committerStefan Metzmacher <metze@samba.org>2017-06-27 16:57:44 +0200
commit504b446d8dc7410ad63eba9d214e9cf271cf3b2f (patch)
treeab189c647780f341b3c5765943025fdcbc75d802
parent1a26805ad9f19f02a52d9eaa4f2f11ff20ee76ac (diff)
downloadsamba-504b446d8dc7410ad63eba9d214e9cf271cf3b2f.tar.gz
s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
These don't use any krb5_context related functions and they just work on secrets.tdb, so they really belong to machine_account_secrets.c. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
-rw-r--r--source3/include/secrets.h4
-rw-r--r--source3/libads/kerberos.c97
-rw-r--r--source3/libads/kerberos_proto.h3
-rw-r--r--source3/libnet/libnet_keytab.c1
-rw-r--r--source3/passdb/machine_account_secrets.c96
5 files changed, 101 insertions, 100 deletions
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index f397129b128..c40a9514164 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -133,6 +133,10 @@ bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const
uint32_t secure_channel,
bool delete_join);
+char* kerberos_standard_des_salt( void );
+bool kerberos_secrets_store_des_salt( const char* salt );
+char *kerberos_secrets_fetch_salt_princ(void);
+
/* The following definitions come from passdb/secrets_lsa.c */
NTSTATUS lsa_secret_get(TALLOC_CTX *mem_ctx,
const char *secret_name,
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 6cfbca69a07..cfb09a704cb 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -272,103 +272,6 @@ int ads_kdestroy(const char *cc_name)
return code;
}
-/************************************************************************
- Return the standard DES salt key
-************************************************************************/
-
-char* kerberos_standard_des_salt( void )
-{
- fstring salt;
-
- fstr_sprintf( salt, "host/%s.%s@", lp_netbios_name(), lp_realm() );
- (void)strlower_m( salt );
- fstrcat( salt, lp_realm() );
-
- return SMB_STRDUP( salt );
-}
-
-/************************************************************************
-************************************************************************/
-
-static char* des_salt_key( void )
-{
- char *key;
-
- if (asprintf(&key, "%s/DES/%s", SECRETS_SALTING_PRINCIPAL,
- lp_realm()) == -1) {
- return NULL;
- }
-
- return key;
-}
-
-/************************************************************************
-************************************************************************/
-
-bool kerberos_secrets_store_des_salt( const char* salt )
-{
- char* key;
- bool ret;
-
- if ( (key = des_salt_key()) == NULL ) {
- DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
- return False;
- }
-
- if ( !salt ) {
- DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
- secrets_delete( key );
- return True;
- }
-
- DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt));
-
- ret = secrets_store( key, salt, strlen(salt)+1 );
-
- SAFE_FREE( key );
-
- return ret;
-}
-
-/************************************************************************
-************************************************************************/
-
-static
-char* kerberos_secrets_fetch_des_salt( void )
-{
- char *salt, *key;
-
- if ( (key = des_salt_key()) == NULL ) {
- DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
- return NULL;
- }
-
- salt = (char*)secrets_fetch( key, NULL );
-
- SAFE_FREE( key );
-
- return salt;
-}
-
-/************************************************************************
- Routine to get the salting principal for this service.
- Caller must free if return is not null.
- ************************************************************************/
-
-char *kerberos_secrets_fetch_salt_princ(void)
-{
- char *salt_princ_s;
- /* lookup new key first */
-
- salt_princ_s = kerberos_secrets_fetch_des_salt();
- if (salt_princ_s == NULL) {
- /* fall back to host/machine.realm@REALM */
- salt_princ_s = kerberos_standard_des_salt();
- }
-
- return salt_princ_s;
-}
-
int create_kerberos_key_from_string(krb5_context context,
krb5_principal host_princ,
krb5_principal salt_princ,
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index e481d1d78a6..f92cabd757e 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -56,9 +56,6 @@ int kerberos_kinit_password_ext(const char *principal,
time_t renewable_time,
NTSTATUS *ntstatus);
int ads_kdestroy(const char *cc_name);
-char* kerberos_standard_des_salt( void );
-bool kerberos_secrets_store_des_salt( const char* salt );
-char *kerberos_secrets_fetch_salt_princ(void);
int kerberos_kinit_password(const char *principal,
const char *password,
diff --git a/source3/libnet/libnet_keytab.c b/source3/libnet/libnet_keytab.c
index 1b5ac672710..c76e7b298cf 100644
--- a/source3/libnet/libnet_keytab.c
+++ b/source3/libnet/libnet_keytab.c
@@ -22,6 +22,7 @@
#include "includes.h"
#include "smb_krb5.h"
#include "ads.h"
+#include "secrets.h"
#include "libnet/libnet_keytab.h"
#ifdef HAVE_KRB5
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 3f097ab4055..3f6d6b69f1c 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -553,6 +553,102 @@ bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const
return ret;
}
+/************************************************************************
+ Return the standard DES salt key
+************************************************************************/
+
+char* kerberos_standard_des_salt( void )
+{
+ fstring salt;
+
+ fstr_sprintf( salt, "host/%s.%s@", lp_netbios_name(), lp_realm() );
+ (void)strlower_m( salt );
+ fstrcat( salt, lp_realm() );
+
+ return SMB_STRDUP( salt );
+}
+
+/************************************************************************
+************************************************************************/
+
+static char* des_salt_key( void )
+{
+ char *key;
+
+ if (asprintf(&key, "%s/DES/%s", SECRETS_SALTING_PRINCIPAL,
+ lp_realm()) == -1) {
+ return NULL;
+ }
+
+ return key;
+}
+
+/************************************************************************
+************************************************************************/
+
+bool kerberos_secrets_store_des_salt( const char* salt )
+{
+ char* key;
+ bool ret;
+
+ if ( (key = des_salt_key()) == NULL ) {
+ DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
+ return False;
+ }
+
+ if ( !salt ) {
+ DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
+ secrets_delete( key );
+ return True;
+ }
+
+ DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt));
+
+ ret = secrets_store( key, salt, strlen(salt)+1 );
+
+ SAFE_FREE( key );
+
+ return ret;
+}
+
+/************************************************************************
+************************************************************************/
+
+static
+char* kerberos_secrets_fetch_des_salt( void )
+{
+ char *salt, *key;
+
+ if ( (key = des_salt_key()) == NULL ) {
+ DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
+ return NULL;
+ }
+
+ salt = (char*)secrets_fetch( key, NULL );
+
+ SAFE_FREE( key );
+
+ return salt;
+}
+
+/************************************************************************
+ Routine to get the salting principal for this service.
+ Caller must free if return is not null.
+ ************************************************************************/
+
+char *kerberos_secrets_fetch_salt_princ(void)
+{
+ char *salt_princ_s;
+ /* lookup new key first */
+
+ salt_princ_s = kerberos_secrets_fetch_des_salt();
+ if (salt_princ_s == NULL) {
+ /* fall back to host/machine.realm@REALM */
+ salt_princ_s = kerberos_standard_des_salt();
+ }
+
+ return salt_princ_s;
+}
/************************************************************************
Routine to fetch the previous plaintext machine account password for a realm