Diffstat (limited to 'source/libads/kerberos_verify.c')
-rw-r--r-- | source/libads/kerberos_verify.c | 110 |
1 files changed, 43 insertions, 67 deletions
diff --git a/source/libads/kerberos_verify.c b/source/libads/kerberos_verify.c
index 2eb5d660929..0ec03ef4bf2 100644
--- a/source/libads/kerberos_verify.c
+++ b/source/libads/kerberos_verify.c
@@ -81,9 +81,9 @@ static BOOL ads_keytab_verify_ticket(krb5_context context,
 ZERO_STRUCT(kt_entry);
 ZERO_STRUCT(kt_cursor);
- ret = smb_krb5_open_keytab(context, NULL, False, &keytab);
+ ret = krb5_kt_default(context, &keytab);
 if (ret) {
- DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
+ DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", error_message(ret)));
 goto out;
 }
@@ -214,14 +214,7 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
 BOOL auth_ok = False;
 char *password_s = NULL;
 krb5_data password;
- krb5_enctype enctypes[] = {
-#if defined(ENCTYPE_ARCFOUR_HMAC)
- ENCTYPE_ARCFOUR_HMAC,
-#endif
- ENCTYPE_DES_CBC_CRC,
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_NULL
- };
+ krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 };
 krb5_data packet;
 int i;
@@ -229,6 +222,9 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
 *keyblock = NULL;
 *perr = 0;
+#if defined(ENCTYPE_ARCFOUR_HMAC)
+ enctypes[2] = ENCTYPE_ARCFOUR_HMAC;
+#endif
 if (!secrets_init()) {
 DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n"));
@@ -311,8 +307,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 char **principal,
 PAC_DATA **pac_data,
 DATA_BLOB *ap_rep,
- DATA_BLOB *session_key,
- BOOL use_replay_cache)
+ DATA_BLOB *session_key)
 {
 NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
 NTSTATUS pac_ret;
@@ -325,7 +320,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 krb5_keyblock *keyblock = NULL;
 time_t authtime;
 krb5_error_code ret = 0;
- int flags = 0;
+
 krb5_principal host_princ = NULL;
 krb5_const_principal client_principal = NULL;
 char *host_princ_s = NULL;
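Review bot: `ret = krb5_kt_default(context, &keytab);` hands keytab selection entirely to the Kerberos library defaults (KRB5_KTNAME or default_keytab_name in krb5.conf), whereas the replaced `smb_krb5_open_keytab(context, NULL, False, &keytab)` went through a Samba wrapper that presumably could resolve a Samba-configured location; if it did, the keytab used to verify service tickets silently changes with this hunk. Please confirm that is intended and record it above the call: `/* Verify against the library's default keytab (KRB5_KTNAME / krb5.conf), not a Samba-configured path. */`. ads_keytab_verify_ticket starts and ends outside this hunk, so the keytab's close path is not visible here.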
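Review bot: The new `krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 };` reverses the search order so the two single-DES types are tried before ENCTYPE_ARCFOUR_HMAC, which the removed initializer listed first; if the loop over `enctypes` (outside this hunk) stops at the first successful decryption this only costs extra work, but the intended order should be stated rather than left implicit. The bare `0` terminators also drop the self-documenting `ENCTYPE_NULL` name, and moving the ARCFOUR entry into a separate `#if` assignment after `*perr = 0;` is harder to read than the original conditional initializer; `krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_NULL, ENCTYPE_NULL };` at least keeps the terminator explicit. A one-line comment that the single-DES types are retained only for legacy KDCs would help the next reader, since both are deprecated enctypes. ads_secrets_verify_ticket continues past both hunks.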
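Review bot: Dropping `BOOL use_replay_cache` from the `ads_verify_ticket` signature is an interface change that this diff (limited to kerberos_verify.c) does not propagate; the header prototype and every caller must lose the argument in the same change or the build breaks. Since the later hunk removes the caller opt-out, the function now always installs the replay cache, which the header comment should say, e.g. `/* Verifies an AP-REQ ticket; the server replay cache is always enabled (no caller opt-out). */`. The function body continues past this hunk.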
@@ -338,8 +333,8 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 *principal = NULL;
 *pac_data = NULL;
- *ap_rep = data_blob_null;
- *session_key = data_blob_null;
+ *ap_rep = data_blob(NULL,0);
+ *session_key = data_blob(NULL,0);
 initialize_krb5_error_table();
 ret = krb5_init_context(&context);
@@ -368,13 +363,6 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 goto out;
 }
- krb5_auth_con_getflags( context, auth_context, &flags );
- if ( !use_replay_cache ) {
- /* Disable default use of a replay cache */
- flags &= ~KRB5_AUTH_CONTEXT_DO_TIME;
- krb5_auth_con_setflags( context, auth_context, flags );
- }
-
 asprintf(&host_princ_s, "%s$", global_myname());
 if (!host_princ_s) {
 goto out;
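Review bot: With the `krb5_auth_con_getflags` / `KRB5_AUTH_CONTEXT_DO_TIME` opt-out removed, the auth context keeps the library's default flags (which on MIT include DO_TIME), so replay detection can no longer be switched off from this path; that is the safer default, but a comment where the block used to be would stop someone re-adding the opt-out: `/* Keep default auth_context flags: DO_TIME stays set so the rcache set below detects replays. */`. The surviving `asprintf(&host_princ_s, "%s$", global_myname());` still relies only on the `if (!host_princ_s)` check, and asprintf leaves the pointer's contents unspecified on failure on some C libraries; `if (asprintf(&host_princ_s, "%s$", global_myname()) < 0) { host_princ_s = NULL; goto out; }` makes the failure path deterministic. ads_verify_ticket continues outside this hunk.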
@@ -389,62 +377,50 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, } - if ( use_replay_cache ) { - - /* Lock a mutex surrounding the replay as there is no - locking in the MIT krb5 code surrounding the replay - cache... */ + /* Lock a mutex surrounding the replay as there is no locking in the MIT krb5 + * code surrounding the replay cache... */ - if (!grab_server_mutex("replay cache mutex")) { - DEBUG(1,("ads_verify_ticket: unable to protect " - "replay cache with mutex.\n")); - ret = KRB5_CC_IO; - goto out; - } + if (!grab_server_mutex("replay cache mutex")) { + DEBUG(1,("ads_verify_ticket: unable to protect replay cache with mutex.\n")); + ret = KRB5_CC_IO; + goto out; + } - got_replay_mutex = True; + got_replay_mutex = True; - /* JRA. We must set the rcache here. This will prevent - replay attacks. */ - - ret = krb5_get_server_rcache(context, - krb5_princ_component(context, host_princ, 0), - &rcache); - if (ret) { - DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache " - "failed (%s)\n", error_message(ret))); - goto out; - } + /* + * JRA. We must set the rcache here. This will prevent replay attacks. 
+ */ - ret = krb5_auth_con_setrcache(context, auth_context, rcache); - if (ret) { - DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache " - "failed (%s)\n", error_message(ret))); - goto out; - } + ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache); + if (ret) { + DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache failed (%s)\n", error_message(ret))); + goto out; } - /* Try secrets.tdb first and fallback to the krb5.keytab if - necessary */ - - auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ, - ticket, &tkt, &keyblock, &ret); + ret = krb5_auth_con_setrcache(context, auth_context, rcache); + if (ret) { + DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache failed (%s)\n", error_message(ret))); + goto out; + } - if (!auth_ok && lp_use_kerberos_keytab()) { - auth_ok = ads_keytab_verify_ticket(context, auth_context, - ticket, &tkt, &keyblock, &ret); + if (lp_use_kerberos_keytab()) { + auth_ok = ads_keytab_verify_ticket(context, auth_context, ticket, &tkt, &keyblock, &ret); + } + if (!auth_ok) { + auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ, + ticket, &tkt, &keyblock, &ret); } - if ( use_replay_cache ) { - release_server_mutex(); - got_replay_mutex = False; + release_server_mutex(); + got_replay_mutex = False; + #if 0 - /* Heimdal leaks here, if we fix the leak, MIT crashes */ - if (rcache) { - krb5_rc_close(context, rcache); - } + /* Heimdal leaks here, if we fix the leak, MIT crashes */ + if (rcache) { + krb5_rc_close(context, rcache); + } #endif - } if (!auth_ok) { DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", |