Diffstat (limited to 'source/libads/kerberos_verify.c')
-rw-r--r--source/libads/kerberos_verify.c110
1 files changed, 43 insertions, 67 deletions
diff --git a/source/libads/kerberos_verify.c b/source/libads/kerberos_verify.c
index 2eb5d660929..0ec03ef4bf2 100644
--- a/source/libads/kerberos_verify.c
+++ b/source/libads/kerberos_verify.c
@@ -81,9 +81,9 @@ static BOOL ads_keytab_verify_ticket(krb5_context context,
ZERO_STRUCT(kt_entry);
ZERO_STRUCT(kt_cursor);
- ret = smb_krb5_open_keytab(context, NULL, False, &keytab);
+ ret = krb5_kt_default(context, &keytab);
if (ret) {
- DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
+ DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", error_message(ret)));
goto out;
}
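Review bot: `krb5_kt_default()` on the new side opens whatever the Kerberos library considers the process default keytab (KRB5_KTNAME or the krb5.conf setting), while the removed `smb_krb5_open_keytab(context, NULL, False, &keytab)` call presumably went through Samba's own keytab resolution; if a Samba-configured keytab path exists, it is no longer consulted here, so that should be confirmed against the rest of the file. The failure branch only logs and jumps to `out`, so the caller falls back to the secrets path without any hint of which keytab was attempted; a comment would make that explicit, e.g. `/* Default library keytab (KRB5_KTNAME / krb5.conf), not a Samba-specific path; on failure the caller falls back to secrets.tdb. */`. ads_keytab_verify_ticket's body starts and ends outside this hunk.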
@@ -214,14 +214,7 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
BOOL auth_ok = False;
char *password_s = NULL;
krb5_data password;
- krb5_enctype enctypes[] = {
-#if defined(ENCTYPE_ARCFOUR_HMAC)
- ENCTYPE_ARCFOUR_HMAC,
-#endif
- ENCTYPE_DES_CBC_CRC,
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_NULL
- };
+ krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 };
krb5_data packet;
int i;
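Review bot: The new `enctypes` initializer changes the trial order: the removed list put `ENCTYPE_ARCFOUR_HMAC` first, while the new array tries `ENCTYPE_DES_CBC_CRC` and `ENCTYPE_DES_CBC_MD5` before the RC4 type that the following hunk (L39) stores into `enctypes[2]`, so the weaker DES key derivations are now attempted first; the loop that consumes the array with `i` is outside this hunk, so this is inferred from the declaration order. The trailing `0, 0` entries also rely on `ENCTYPE_NULL` being zero, which the removed code spelled out; `krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_NULL, ENCTYPE_NULL };` keeps the terminator readable, and a short comment such as `/* tried in order; ENCTYPE_NULL terminates, slot 2 may be filled with ARCFOUR below */` would document the fixed-size layout. ads_secrets_verify_ticket's body continues past this hunk.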
@@ -229,6 +222,9 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
*keyblock = NULL;
*perr = 0;
+#if defined(ENCTYPE_ARCFOUR_HMAC)
+ enctypes[2] = ENCTYPE_ARCFOUR_HMAC;
+#endif
if (!secrets_init()) {
DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n"));
@@ -311,8 +307,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
char **principal,
PAC_DATA **pac_data,
DATA_BLOB *ap_rep,
- DATA_BLOB *session_key,
- BOOL use_replay_cache)
+ DATA_BLOB *session_key)
{
NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
NTSTATUS pac_ret;
@@ -325,7 +320,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
krb5_keyblock *keyblock = NULL;
time_t authtime;
krb5_error_code ret = 0;
- int flags = 0;
+
krb5_principal host_princ = NULL;
krb5_const_principal client_principal = NULL;
char *host_princ_s = NULL;
@@ -338,8 +333,8 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
*principal = NULL;
*pac_data = NULL;
- *ap_rep = data_blob_null;
- *session_key = data_blob_null;
+ *ap_rep = data_blob(NULL,0);
+ *session_key = data_blob(NULL,0);
initialize_krb5_error_table();
ret = krb5_init_context(&context);
@@ -368,13 +363,6 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
goto out;
}
- krb5_auth_con_getflags( context, auth_context, &flags );
- if ( !use_replay_cache ) {
- /* Disable default use of a replay cache */
- flags &= ~KRB5_AUTH_CONTEXT_DO_TIME;
- krb5_auth_con_setflags( context, auth_context, flags );
- }
-
asprintf(&host_princ_s, "%s$", global_myname());
if (!host_princ_s) {
goto out;
@@ -389,62 +377,50 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
}
- if ( use_replay_cache ) {
-
- /* Lock a mutex surrounding the replay as there is no
- locking in the MIT krb5 code surrounding the replay
- cache... */
+ /* Lock a mutex surrounding the replay as there is no locking in the MIT krb5
+ * code surrounding the replay cache... */
- if (!grab_server_mutex("replay cache mutex")) {
- DEBUG(1,("ads_verify_ticket: unable to protect "
- "replay cache with mutex.\n"));
- ret = KRB5_CC_IO;
- goto out;
- }
+ if (!grab_server_mutex("replay cache mutex")) {
+ DEBUG(1,("ads_verify_ticket: unable to protect replay cache with mutex.\n"));
+ ret = KRB5_CC_IO;
+ goto out;
+ }
- got_replay_mutex = True;
+ got_replay_mutex = True;
- /* JRA. We must set the rcache here. This will prevent
- replay attacks. */
-
- ret = krb5_get_server_rcache(context,
- krb5_princ_component(context, host_princ, 0),
- &rcache);
- if (ret) {
- DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache "
- "failed (%s)\n", error_message(ret)));
- goto out;
- }
+ /*
+ * JRA. We must set the rcache here. This will prevent replay attacks.
+ */
- ret = krb5_auth_con_setrcache(context, auth_context, rcache);
- if (ret) {
- DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache "
- "failed (%s)\n", error_message(ret)));
- goto out;
- }
+ ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache);
+ if (ret) {
+ DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache failed (%s)\n", error_message(ret)));
+ goto out;
}
- /* Try secrets.tdb first and fallback to the krb5.keytab if
- necessary */
-
- auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
- ticket, &tkt, &keyblock, &ret);
+ ret = krb5_auth_con_setrcache(context, auth_context, rcache);
+ if (ret) {
+ DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache failed (%s)\n", error_message(ret)));
+ goto out;
+ }
- if (!auth_ok && lp_use_kerberos_keytab()) {
- auth_ok = ads_keytab_verify_ticket(context, auth_context,
- ticket, &tkt, &keyblock, &ret);
+ if (lp_use_kerberos_keytab()) {
+ auth_ok = ads_keytab_verify_ticket(context, auth_context, ticket, &tkt, &keyblock, &ret);
+ }
+ if (!auth_ok) {
+ auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+ ticket, &tkt, &keyblock, &ret);
}
- if ( use_replay_cache ) {
- release_server_mutex();
- got_replay_mutex = False;
+ release_server_mutex();
+ got_replay_mutex = False;
+
#if 0
- /* Heimdal leaks here, if we fix the leak, MIT crashes */
- if (rcache) {
- krb5_rc_close(context, rcache);
- }
+ /* Heimdal leaks here, if we fix the leak, MIT crashes */
+ if (rcache) {
+ krb5_rc_close(context, rcache);
+ }
#endif
- }
if (!auth_ok) {
DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",