The branch, v3-4-test has been updated via 2004627... s3-kerberos: fix the build on Mac OS X 10.6.2. via a9a3504... s3-kerberos: add a missing reference to authdata headers. via 41fb263... s3-kerberos: only use krb5 headers where required. via 83ee139... s3-kerberos: Fix Bug #6929: build with recent heimdal. via 9ea9c20... s3-kerberos: next step to resolve Bug #6929: build with recent heimdal. via 124c695... s3-kerberos: add check for prerequisite krb5/krb5.h header while checking for krb5/locate_plugin.h. via 0d19596... nsswitch: fix compile of winbind_krb5_locator with recent Heimdal versions. via e3a06f2... cifs.upcall: 2nd part of fix for Bug #6868: support building with Heimdal we well as with MIT. via 15832c2... s3-build: really fix build of winbind_krb5_locator. via 8900c0a... nsswitch: fix the build of the winbind krb5 locator plugin. from dbe41dc... s3:docs: Fix typo in man mount.cifs.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test - Log ----------------------------------------------------------------- commit 200462730f39d7eaee3917801046b120bc807c3f Author: Günther Deschner <g...@samba.org> Date: Fri Nov 27 20:08:44 2009 +0100 s3-kerberos: fix the build on Mac OS X 10.6.2. Guenther (cherry picked from commit 51328a7056918bc75a7c1c442f47cf0271075542) commit a9a3504ede1306ceb86d99bceb5e8bf4d48f40c2 Author: Günther Deschner <g...@samba.org> Date: Fri Nov 27 18:51:56 2009 +0100 s3-kerberos: add a missing reference to authdata headers. Guenther (cherry picked from commit da79cbb0800dd647be864e8bbb5fe1132708174b) commit 41fb263aacc5dce50d3554598d08cb497ffd929f Author: Günther Deschner <g...@samba.org> Date: Fri Nov 27 15:52:57 2009 +0100 s3-kerberos: only use krb5 headers where required. This seems to be the only way to deal with mixed heimdal/MIT setups during merged build. Guenther commit 83ee139ddde91bffc7b5921eb5e6a4364a408d38 Author: Günther Deschner <g...@samba.org> Date: Fri Nov 27 01:06:36 2009 +0100 s3-kerberos: Fix Bug #6929: build with recent heimdal. Heimdal changed the KRB5_DEPRECATED define (which now may not take an identifier for activation) in new releases (like 1.3.1). Guenther (cherry picked from commit 1a8f8382740e352a83133b8c49aaedd4716210cd) commit 9ea9c2089ed0835f4cf8f5fb6fecf4f156b19520 Author: Günther Deschner <g...@samba.org> Date: Thu Nov 26 10:15:45 2009 +0100 s3-kerberos: next step to resolve Bug #6929: build with recent heimdal. Based on patch from Allan <al...@archlinux.org>. Also should fix the FreeBSD build on the buildfarm. Guenther (cherry picked from commit 5b3a32be97a37c119e837bdee8f049684565458c) commit 124c695872a6630cc6670a0547e1c3e6507be748 Author: Günther Deschner <g...@samba.org> Date: Wed Nov 25 21:33:48 2009 +0100 s3-kerberos: add check for prerequisite krb5/krb5.h header while checking for krb5/locate_plugin.h. (Needed for new Heimdal versions). Guenther (cherry picked from commit c438b2b3923db66672ec82e795eef543de5fcb8a) commit 0d19596e123d63343d31ca1783cc1f56d4f21684 Author: Günther Deschner <g...@samba.org> Date: Wed Nov 25 15:21:54 2009 +0100 nsswitch: fix compile of winbind_krb5_locator with recent Heimdal versions. Guenther (cherry picked from commit 51864219cc12ceb66c281355f3e1191d5e32842d) commit e3a06f282d5e5c06bd006497dd8736a531e6cb3b Author: Günther Deschner <g...@samba.org> Date: Wed Nov 25 15:06:19 2009 +0100 cifs.upcall: 2nd part of fix for Bug #6868: support building with Heimdal we well as with MIT. Guenther (cherry picked from commit 660ee2e74523194e5f6b2b6428d76628beb74717) commit 15832c25f0d252646045b292530556239805e737 Author: Günther Deschner <g...@samba.org> Date: Thu Nov 19 13:44:33 2009 +0100 s3-build: really fix build of winbind_krb5_locator. Guenther (cherry picked from commit fc9f199f2619635f73e8ee7f3b5359521d63f325) commit 8900c0a1c8dd16cd98bfd219232d3bc57acb033a Author: Günther Deschner <g...@samba.org> Date: Wed Oct 21 02:44:44 2009 +0200 nsswitch: fix the build of the winbind krb5 locator plugin. Guenther (cherry picked from commit b9d9353b548d9b2ab684aa171f511174e6414762) ----------------------------------------------------------------------- Summary of changes: nsswitch/winbind_krb5_locator.c | 5 + source3/Makefile.in | 2 +- source3/client/cifs.upcall.c | 3 + source3/configure.in | 23 +++++- source3/include/ads.h | 71 ++++----------- source3/include/includes.h | 156 +------------------------------- source3/include/krb5_protos.h | 147 ++++++++++++++++++++++++++++++ source3/include/proto.h | 4 - source3/include/smb_krb5.h | 72 +++++++++++++++ source3/libads/ads_status.c | 1 + source3/libads/authdata.c | 1 + source3/libads/kerberos.c | 1 + source3/libads/kerberos_keytab.c | 1 + source3/libads/kerberos_verify.c | 1 + source3/libads/krb5_errs.c | 1 + source3/libads/krb5_setpw.c | 1 + source3/libnet/libnet.h | 1 + source3/libsmb/cliconnect.c | 1 + source3/libsmb/clikrb5.c | 5 +- source3/libsmb/clispnego.c | 1 + source3/rpc_client/cli_pipe.c | 1 + source3/utils/ntlm_auth.c | 1 + source3/winbindd/winbindd_cred_cache.c | 2 + source3/winbindd/winbindd_pam.c | 2 + 24 files changed, 287 insertions(+), 217 deletions(-) create mode 100644 source3/include/krb5_protos.h create mode 100644 source3/include/smb_krb5.h Changeset truncated at 500 lines: diff --git a/nsswitch/winbind_krb5_locator.c b/nsswitch/winbind_krb5_locator.c index b9e35bd..db6e8d0 100644 --- a/nsswitch/winbind_krb5_locator.c +++ b/nsswitch/winbind_krb5_locator.c @@ -26,6 +26,11 @@ #if defined(HAVE_KRB5) && defined(HAVE_KRB5_LOCATE_PLUGIN_H) +#if HAVE_COM_ERR_H +#include <com_err.h> +#endif + +#include <krb5.h> #include <krb5/locate_plugin.h> #ifndef KRB5_PLUGIN_NO_HANDLE diff --git a/source3/Makefile.in b/source3/Makefile.in index fb45056..f1f8471 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -2390,7 +2390,7 @@ bin/v...@exeext@: $(BINARY_PREREQS) $(VLP_OBJ) @LIBTALLOC_TARGET@ @LIBTDB_TARGET@ bin/winbind_krb5_locat...@shlibext@: $(BINARY_PREREQS) $(WINBIND_KRB5_LOCATOR_OBJ) @LIBWBCLIENT_TARGET@ @echo "Linking $@" - @$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) $(LIBWBCLIENT_LIBS) \ + @$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) $(LIBWBCLIENT_LIBS) $(KRB5LIBS) \ @sonamef...@`basename $...@` bin/pam_winbi...@shlibext@: $(BINARY_PREREQS) $(PAM_WINBIND_OBJ) @LIBTALLOC_TARGET@ @LIBWBCLIENT_TARGET@ diff --git a/source3/client/cifs.upcall.c b/source3/client/cifs.upcall.c index ecd0348..1617e0e 100644 --- a/source3/client/cifs.upcall.c +++ b/source3/client/cifs.upcall.c @@ -26,6 +26,7 @@ create dns_resolver * * /usr/local/sbin/cifs.upcall %k */ #include "includes.h" +#include "smb_krb5.h" #include <keyutils.h> #include <getopt.h> @@ -104,7 +105,9 @@ err_endseq: err_ccstart: krb5_free_principal(context, principal); err_princ: +#if defined(KRB5_TC_OPENCLOSE) krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); +#endif krb5_cc_close(context, ccache); err_cache: krb5_free_context(context); diff --git a/source3/configure.in b/source3/configure.in index 70a8fe8..705aa9b 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -3297,11 +3297,32 @@ if test x"$with_ads_support" != x"no"; then CPPFLAGS=$ac_save_CPPFLAGS LDFLAGS=$ac_save_LDFLAGS fi - AC_CHECK_HEADERS(krb5/locate_plugin.h) + AC_CHECK_HEADERS([krb5/locate_plugin.h], [], [], +[[#ifdef HAVE_KRB5_H + #include <krb5.h> + #endif +]]) + if test x"$ac_cv_header_krb5_locate_plugin_h" = x"yes"; then WINBIND_KRB5_LOCATOR="bin/winbind_krb5_locator.$SHLIBEXT" EXTRA_ALL_TARGETS="$EXTRA_ALL_TARGETS $WINBIND_KRB5_LOCATOR" fi + + # check for new heimdal KRB5_DEPRECATED handling + + AC_CACHE_CHECK([for KRB5_DEPRECATED define taking an identifier], + samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER,[ + AC_TRY_COMPILE( + [#define KRB5_DEPRECATED 1 + #include <krb5.h>], + [], + samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER=yes, + samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER=no)]) + + if test x"$samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER" = x"yes"; then + AC_DEFINE(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER, 1, + [Whether to use deprecated krb5 interfaces]) + fi fi # Now we have determined whether we really want ADS support diff --git a/source3/include/ads.h b/source3/include/ads.h index 0fa19b5..3921c77 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -6,6 +6,24 @@ basically this is a wrapper around ldap */ +/* + * This should be under the HAVE_KRB5 flag but since they're used + * in lp_kerberos_method(), they ned to be always available + */ +#define KERBEROS_VERIFY_SECRETS 0 +#define KERBEROS_VERIFY_SYSTEM_KEYTAB 1 +#define KERBEROS_VERIFY_DEDICATED_KEYTAB 2 +#define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3 + +/* + * If you add any entries to the above, please modify the below expressions + * so they remain accurate. + */ +#define USE_KERBEROS_KEYTAB (KERBEROS_VERIFY_SECRETS != lp_kerberos_method()) +#define USE_SYSTEM_KEYTAB \ + ((KERBEROS_VERIFY_SECRETS_AND_KEYTAB == lp_kerberos_method()) || \ + (KERBEROS_VERIFY_SYSTEM_KEYTAB == lp_kerberos_method())) + enum wb_posix_mapping { WB_POSIX_MAP_UNKNOWN = -1, WB_POSIX_MAP_TEMPLATE = 0, @@ -339,62 +357,9 @@ typedef void **ADS_MODLIST; /* Kerberos environment variable names */ #define KRB5_ENV_CCNAME "KRB5CCNAME" -/* Heimdal uses a slightly different name */ -#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) -#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5 -#endif - -/* The older versions of heimdal that don't have this - define don't seem to use it anyway. I'm told they - always use a subkey */ -#ifndef HAVE_AP_OPTS_USE_SUBKEY -#define AP_OPTS_USE_SUBKEY 0 -#endif - #define WELL_KNOWN_GUID_COMPUTERS "AA312825768811D1ADED00C04FD8D5CD" #define WELL_KNOWN_GUID_USERS "A9D1CA15768811D1ADED00C04FD8D5CD" -#ifndef KRB5_ADDR_NETBIOS -#define KRB5_ADDR_NETBIOS 0x14 -#endif - -#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG -#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L) -#endif - -#ifdef HAVE_KRB5 -typedef struct { -#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ - krb5_address **addrs; -#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */ - krb5_addresses *addrs; -#else -#error UNKNOWN_KRB5_ADDRESS_TYPE -#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */ -} smb_krb5_addresses; - -#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */ -#define KRB5_KEY_TYPE(k) ((k)->keytype) -#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length) -#define KRB5_KEY_DATA(k) ((k)->keyvalue.data) -#define KRB5_KEY_DATA_CAST void -#else /* MIT */ -#define KRB5_KEY_TYPE(k) ((k)->enctype) -#define KRB5_KEY_LENGTH(k) ((k)->length) -#define KRB5_KEY_DATA(k) ((k)->contents) -#define KRB5_KEY_DATA_CAST krb5_octet -#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ - -#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */ -#define KRB5_KT_KEY(k) (&(k)->key) -#elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */ -#define KRB5_KT_KEY(k) (&(k)->keyblock) -#else -#error krb5_keytab_entry has no key or keyblock member -#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */ - -#endif /* HAVE_KRB5 */ - enum ads_extended_dn_flags { ADS_EXTENDED_DN_HEX_STRING = 0, ADS_EXTENDED_DN_STRING = 1 /* not supported on win2k */ diff --git a/source3/include/includes.h b/source3/include/includes.h index ea9a159..471b955 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -20,11 +20,6 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ -/* work around broken krb5.h on sles9 */ -#ifdef SIZEOF_LONG -#undef SIZEOF_LONG -#endif - #include "../replace/replace.h" /* make sure we have included the correct config.h */ @@ -146,9 +141,7 @@ #endif #endif /* HAVE_NETGROUP */ -#if HAVE_KRB5_H -#include <krb5.h> -#else +#ifndef HAVE_KRB5_H #undef HAVE_KRB5 #endif @@ -883,153 +876,6 @@ char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...) PRINTF_ATT #define XATTR_REPLACE 0x2 /* set value, fail if attr does not exist */ #endif -/* - * This should be under the HAVE_KRB5 flag but since they're used - * in lp_kerberos_method(), they ned to be always available - */ -#define KERBEROS_VERIFY_SECRETS 0 -#define KERBEROS_VERIFY_SYSTEM_KEYTAB 1 -#define KERBEROS_VERIFY_DEDICATED_KEYTAB 2 -#define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3 - -/* - * If you add any entries to the above, please modify the below expressions - * so they remain accurate. - */ -#define USE_KERBEROS_KEYTAB (KERBEROS_VERIFY_SECRETS != lp_kerberos_method()) -#define USE_SYSTEM_KEYTAB \ - ((KERBEROS_VERIFY_SECRETS_AND_KEYTAB == lp_kerberos_method()) || \ - (KERBEROS_VERIFY_SYSTEM_KEYTAB == lp_kerberos_method())) - -#if defined(HAVE_KRB5) -krb5_error_code smb_krb5_parse_name(krb5_context context, - const char *name, /* in unix charset */ - krb5_principal *principal); - -krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx, - krb5_context context, - krb5_const_principal principal, - char **unix_name); - -#ifndef HAVE_KRB5_SET_REAL_TIME -krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds); -#endif - -krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc); - -#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) -krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock); -#endif - -#ifndef HAVE_KRB5_FREE_UNPARSED_NAME -void krb5_free_unparsed_name(krb5_context ctx, char *val); -#endif - -/* Stub out initialize_krb5_error_table since it is not present in all - * Kerberos implementations. If it's not present, it's not necessary to - * call it. - */ -#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE -#define initialize_krb5_error_table() -#endif - -/* Samba wrapper function for krb5 functionality. */ -bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr); -int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt); -bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt); -krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt); -krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); -#if defined(HAVE_KRB5_LOCATE_KDC) -krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); -#endif -krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes); -bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote); -krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry); -krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype); -void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype); -bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2); -void kerberos_free_data_contents(krb5_context context, krb5_data *pdata); -NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx, - DATA_BLOB *pac_data_blob, - krb5_context context, - krb5_keyblock *service_keyblock, - krb5_const_principal client_principal, - time_t tgs_authtime, - struct PAC_DATA **pac_data_out); -void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum, - struct PAC_SIGNATURE_DATA *sig); -krb5_error_code smb_krb5_verify_checksum(krb5_context context, - const krb5_keyblock *keyblock, - krb5_keyusage usage, - krb5_checksum *cksum, - uint8 *data, - size_t length); -time_t get_authtime_from_tkt(krb5_ticket *tkt); -void smb_krb5_free_ap_req(krb5_context context, - krb5_ap_req *ap_req); -krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, - const krb5_data *inbuf, - krb5_kvno *kvno, - krb5_enctype *enctype); -krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context, - krb5_auth_context *auth_context, - const krb5_data *inbuf, - krb5_const_principal server, - krb5_keytab keytab, - krb5_flags *ap_req_options, - krb5_ticket **ticket, - krb5_keyblock **keyblock); -krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, - const char *name, - krb5_principal *principal); -bool smb_krb5_principal_compare_any_realm(krb5_context context, - krb5_const_principal princ1, - krb5_const_principal princ2); -int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, const char *ccname, time_t *tgs_expire); -krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time); -krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code); -krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr); -krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr); -NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error); -krb5_error_code nt_status_to_krb5(NTSTATUS nt_status); -void smb_krb5_free_error(krb5_context context, krb5_error *krberror); -krb5_error_code handle_krberror_packet(krb5_context context, - krb5_data *packet); - -void smb_krb5_get_init_creds_opt_free(krb5_context context, - krb5_get_init_creds_opt *opt); -krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context, - krb5_get_init_creds_opt **opt); -krb5_error_code smb_krb5_mk_error(krb5_context context, - krb5_error_code error_code, - const krb5_principal server, - krb5_data *reply); -krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry); -krb5_error_code smb_krb5_enctype_to_string(krb5_context context, - krb5_enctype enctype, - char **etype_s); -krb5_error_code smb_krb5_open_keytab(krb5_context context, - const char *keytab_name, - bool write_access, - krb5_keytab *keytab); -krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx, - krb5_context context, - krb5_keytab keytab, - const char **keytab_name); -int smb_krb5_kt_add_entry_ext(krb5_context context, - krb5_keytab keytab, - krb5_kvno kvno, - const char *princ_s, - krb5_enctype *enctypes, - krb5_data password, - bool no_salt, - bool keep_old_entries); -char *smb_krb5_principal_get_realm(krb5_context context, - krb5_principal principal); -#endif /* HAVE_KRB5 */ - - #ifdef HAVE_LDAP /* function declarations not included in proto.h */ diff --git a/source3/include/krb5_protos.h b/source3/include/krb5_protos.h new file mode 100644 index 0000000..2a6069a --- /dev/null +++ b/source3/include/krb5_protos.h @@ -0,0 +1,147 @@ +/* work around broken krb5.h on sles9 */ +#ifdef SIZEOF_LONG +#undef SIZEOF_LONG +#endif + + +#if defined(HAVE_KRB5) +krb5_error_code smb_krb5_parse_name(krb5_context context, + const char *name, /* in unix charset */ + krb5_principal *principal); + +krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx, + krb5_context context, + krb5_const_principal principal, + char **unix_name); + +#ifndef HAVE_KRB5_SET_REAL_TIME +krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds); +#endif + +krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc); + +#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) +krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock); +#endif + +#ifndef HAVE_KRB5_FREE_UNPARSED_NAME +void krb5_free_unparsed_name(krb5_context ctx, char *val); +#endif + +/* Stub out initialize_krb5_error_table since it is not present in all + * Kerberos implementations. If it's not present, it's not necessary to + * call it. + */ +#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE +#define initialize_krb5_error_table() +#endif + +/* Samba wrapper function for krb5 functionality. */ +bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr); +int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt); +bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt); +krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt); +krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); +#if defined(HAVE_KRB5_LOCATE_KDC) +krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); +#endif +krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes); +bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote); +krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry); +krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype); +void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype); +bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2); +void kerberos_free_data_contents(krb5_context context, krb5_data *pdata); +NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx, + DATA_BLOB *pac_data_blob, + krb5_context context, + krb5_keyblock *service_keyblock, + krb5_const_principal client_principal, + time_t tgs_authtime, + struct PAC_DATA **pac_data_out); +void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum, + struct PAC_SIGNATURE_DATA *sig); +krb5_error_code smb_krb5_verify_checksum(krb5_context context, + const krb5_keyblock *keyblock, + krb5_keyusage usage, + krb5_checksum *cksum, + uint8 *data, + size_t length); +time_t get_authtime_from_tkt(krb5_ticket *tkt); +void smb_krb5_free_ap_req(krb5_context context, + krb5_ap_req *ap_req); +krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, + const krb5_data *inbuf, + krb5_kvno *kvno, + krb5_enctype *enctype); +krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context, + krb5_auth_context *auth_context, + const krb5_data *inbuf, + krb5_const_principal server, + krb5_keytab keytab, + krb5_flags *ap_req_options, + krb5_ticket **ticket, + krb5_keyblock **keyblock); +krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, + const char *name, + krb5_principal *principal); +bool smb_krb5_principal_compare_any_realm(krb5_context context, + krb5_const_principal princ1, + krb5_const_principal princ2); +int cli_krb5_get_ticket(const char *principal, time_t time_offset, + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, + uint32 extra_ap_opts, const char *ccname, + time_t *tgs_expire); +krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time); +krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code); +krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr); +krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr); +NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error); +krb5_error_code nt_status_to_krb5(NTSTATUS nt_status); +void smb_krb5_free_error(krb5_context context, krb5_error *krberror); +krb5_error_code handle_krberror_packet(krb5_context context, + krb5_data *packet); + +void smb_krb5_get_init_creds_opt_free(krb5_context context, + krb5_get_init_creds_opt *opt); +krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context, + krb5_get_init_creds_opt **opt); +krb5_error_code smb_krb5_mk_error(krb5_context context, + krb5_error_code error_code, + const krb5_principal server, + krb5_data *reply); +krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry); +krb5_error_code smb_krb5_enctype_to_string(krb5_context context, + krb5_enctype enctype, + char **etype_s); +krb5_error_code smb_krb5_open_keytab(krb5_context context, + const char *keytab_name, + bool write_access, + krb5_keytab *keytab); +krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx, + krb5_context context, + krb5_keytab keytab, + const char **keytab_name); +int smb_krb5_kt_add_entry_ext(krb5_context context, + krb5_keytab keytab, + krb5_kvno kvno, + const char *princ_s, + krb5_enctype *enctypes, + krb5_data password, + bool no_salt, + bool keep_old_entries); -- Samba Shared Repository