author | Stefan Metzmacher <metze@samba.org> | 2017-05-18 10:50:34 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2017-06-27 16:57:47 +0200 |
commit | 3e33fb8a3760dba2f25f661bd775a9bdddee8465 (patch) | |
tree | cd4fd0648d8d5c092a2ede19ecffe528b02ea05f /auth/credentials | |
parent | 3ffaf5f3fcbc77a3e2664ad5e9467e938b32b741 (diff) | |
auth/credentials: make use of smb_krb5_salt_principal() in cli_credentials_get_keytab()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'auth/credentials')
-rw-r--r-- | auth/credentials/credentials_krb5.c | 38 |
1 files changed, 26 insertions, 12 deletions
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 6544e420536..6db294bfcc3 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -953,6 +953,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ct
 return dst;
 }

+#if 0
 static int smb_krb5_create_salt_principal(TALLOC_CTX *mem_ctx,
 const char *samAccountName,
 const char *realm,
@@ -1029,6 +1030,7 @@ out:
 talloc_free(tmp_ctx);
 return rc;
 }
+#endif

 /* Get the keytab (actually, a container containing the krb5_keytab)
 * attached to this context. If this hasn't been done or set before,
@@ -1045,9 +1047,10 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
 krb5_keytab keytab;
 TALLOC_CTX *mem_ctx;
 const char *username = cli_credentials_get_username(cred);
+ const char *upn = NULL;
 const char *realm = cli_credentials_get_realm(cred);
- const char *error_string;
- const char *salt_principal;
+ char *salt_principal = NULL;
+ bool is_computer = false;

 if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
 cred->username_obtained))) {
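Review bot: Wrapping smb_krb5_create_salt_principal() in `#if 0` (closed by the `+#endif` in the second hunk) leaves a disabled second implementation of the salt-principal derivation in the file, with nothing saying why it is kept. Disabled code in a key-derivation path tends to drift from the live helper and can be re-enabled by mistake, so the function is better deleted in this commit. If it is kept temporarily, a comment above the `#if 0` such as `/* superseded by smb_krb5_salt_principal(); to be removed */` would make that clear. Only the first lines of the function's signature and the tail of its body are visible in these hunks.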
@@ -1070,16 +1073,27 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
 return ENOMEM;
 }

- /*
- * FIXME: Currently there is no better way than to create the correct
- * salt principal by checking if the username ends with a '$'. It would
- * be better if it is part of the credentials.
- */
- ret = smb_krb5_create_salt_principal(mem_ctx,
- username,
- realm,
- &salt_principal,
- &error_string);
+ switch (cred->secure_channel_type) {
+ case SEC_CHAN_WKSTA:
+ case SEC_CHAN_BDC:
+ case SEC_CHAN_RODC:
+ is_computer = true;
+ break;
+ default:
+ upn = cli_credentials_get_principal(cred, mem_ctx);
+ if (upn == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return ENOMEM;
+ }
+ break;
+ }
+
+ ret = smb_krb5_salt_principal(realm,
+ username, /* sAMAccountName */
+ upn, /* userPrincipalName */
+ is_computer,
+ mem_ctx,
+ &salt_principal);
 if (ret) {
 talloc_free(mem_ctx);
 return ret; |
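Review bot: The `default:` arm of the new switch covers every `secure_channel_type` other than WKSTA/BDC/RODC without comment, so trust-account channel types such as `SEC_CHAN_DOMAIN` and `SEC_CHAN_DNS_DOMAIN` now take the UPN-based salt path, where the removed '$'-suffix heuristic would presumably have classified a '$' account name as a machine account. A wrong salt principal gives keytab keys that do not match what the KDC derives, so if the change is intended it deserves a comment above the switch, e.g. `/* Only workstation/DC machine accounts use the computer salt; all other channel types are salted from the UPN. */`. Separately, a NULL from `cli_credentials_get_principal()` is always reported as `ENOMEM`; if it can also return NULL when no principal can be derived (not visible here), that error code is misleading. The body of cli_credentials_get_keytab() starts and ends outside this hunk.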