diff options
author | Andreas Schneider <asn@samba.org> | 2015-04-23 19:18:32 +0200 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2015-07-17 01:38:15 +0200 |
commit | c9a8fff52519bb57040bf34b730263f191a6a88f (patch) | |
tree | 76fa1341733919c25e658fb7d262d47d898542e0 /source4/auth | |
parent | 74ca7753e50aeed9069d9d6700cf408254635ba0 (diff) | |
download | samba-c9a8fff52519bb57040bf34b730263f191a6a88f.tar.gz |
s4-auth: Always pass down the salt principal
We should always pass down the saltPrincipal to smb_krb5_update_keytab()
function.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/kerberos/srv_keytab.c | 101 |
1 files changed, 11 insertions, 90 deletions
diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c index 32200850c11..ed7b1a39183 100644 --- a/source4/auth/kerberos/srv_keytab.c +++ b/source4/auth/kerberos/srv_keytab.c @@ -39,93 +39,6 @@ static void keytab_principals_free(krb5_context context, } } -static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx, - const char *samAccountName, - const char *realm, - const char *saltPrincipal, - krb5_context context, - krb5_principal *salt_princ, - const char **error_string) -{ - - krb5_error_code ret; - char *machine_username; - char *salt_body; - char *lower_realm; - char *upper_realm; - - TALLOC_CTX *tmp_ctx; - - if (saltPrincipal) { - ret = krb5_parse_name(context, saltPrincipal, salt_princ); - if (ret) { - *error_string = smb_get_krb5_error_message( - context, ret, parent_ctx); - } - return ret; - } - - if (!samAccountName) { - (*error_string) = "Cannot determine salt principal, no " - "saltPrincipal or samAccountName specified"; - return EINVAL; - } - - if (!realm) { - *error_string = "Cannot make principal without a realm"; - return EINVAL; - } - - tmp_ctx = talloc_new(parent_ctx); - if (!tmp_ctx) { - *error_string = "Cannot allocate tmp_ctx"; - return ENOMEM; - } - - machine_username = strlower_talloc(tmp_ctx, samAccountName); - if (!machine_username) { - *error_string = "Cannot duplicate samAccountName"; - talloc_free(tmp_ctx); - return ENOMEM; - } - - if (machine_username[strlen(machine_username)-1] == '$') { - machine_username[strlen(machine_username)-1] = '\0'; - } - - lower_realm = strlower_talloc(tmp_ctx, realm); - if (!lower_realm) { - *error_string = "Cannot allocate to lower case realm"; - talloc_free(tmp_ctx); - return ENOMEM; - } - - upper_realm = strupper_talloc(tmp_ctx, realm); - if (!upper_realm) { - *error_string = "Cannot allocate to upper case realm"; - talloc_free(tmp_ctx); - return ENOMEM; - } - - salt_body = talloc_asprintf(tmp_ctx, "%s.%s", - machine_username, lower_realm); - if (!salt_body) { - *error_string = "Cannot form salt principal body"; - talloc_free(tmp_ctx); - return ENOMEM; - } - - ret = smb_krb5_make_principal(context, salt_princ, upper_realm, - "host", salt_body, NULL); - if (ret) { - *error_string = smb_get_krb5_error_message(context, - ret, parent_ctx); - } - - talloc_free(tmp_ctx); - return ret; -} - static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx, uint32_t num_principals, krb5_principal *principals, @@ -227,9 +140,11 @@ static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx, /* The salt used to generate these entries may be different however, * fetch that */ - ret = salt_principal(mem_ctx, samAccountName, realm, saltPrincipal, - context, &salt_princ, error_string); + ret = krb5_parse_name(context, saltPrincipal, &salt_princ); if (ret) { + *error_string = smb_get_krb5_error_message(context, + ret, + parent_ctx); talloc_free(mem_ctx); return ret; } @@ -299,6 +214,11 @@ krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx, return ENOENT; } + if (saltPrincipal == NULL) { + *error_string = "No saltPrincipal provided"; + return EINVAL; + } + ret = krb5_kt_resolve(context, keytab_name, &keytab); if (ret) { *error_string = smb_get_krb5_error_message(context, @@ -389,6 +309,7 @@ krb5_error_code smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx, const char *new_secret, const char *samAccountName, const char *realm, + const char *salt_principal, int kvno, krb5_keytab *keytab, const char **keytab_name) @@ -415,7 +336,7 @@ krb5_error_code smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx, ret = smb_krb5_update_keytab(mem_ctx, context, *keytab_name, samAccountName, realm, - NULL, 0, NULL, new_secret, NULL, + NULL, 0, salt_principal, new_secret, NULL, kvno, ENC_ALL_TYPES, false, keytab, &error_string); if (ret == 0) { |