The branch, master has been updated
       via  faa3bef gensec_krb5: Use get_krb5_smb_session_key() in 
gensec_krb5_session_key()
       via  7f9a075 gensec_krb5: Use implementation independent 
krb5_mk_req_extended()
       via  739a7ad gensec_krb5: Use kerberos_free_data_contents() to free krb5 
data
       via  8268501 gensec_krb5: Only set the event context with Heimdal
       via  7ea7b60 gensec_krb5: Use krb5_wrap setup_kaddr() to convert address
       via  ab8628a gensec_krb5: Rename smb_rd_req_return_stuff()
       via  de224d7 gensec_krb5: Rename gensec_krb5_util to gensec_krb5_heimdal
       via  1fe94a6 s4-kdc: pac-glue: Add support for MIT pkinit
       via  4f51484 mit_samba: Add missing copyright
       via  5ac9de3 mit_samba: Add missing argument passed to 
authsam_make_user_info_dc()
      from  dd5439e tests/samba-tool/user.py: replace deprecated 'add' 
subcommand with 'create'

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit faa3bef690a72a7b3f546e04494a8a3baebafc52
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Aug 11 15:18:14 2016 +0200

    gensec_krb5: Use get_krb5_smb_session_key() in gensec_krb5_session_key()
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Aug 30 15:24:02 CEST 2016 on sn-devel-144

commit 7f9a075d9c8d777fd04c1dcec6693e1e27efc3ae
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Aug 11 15:04:42 2016 +0200

    gensec_krb5: Use implementation independent krb5_mk_req_extended()
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 739a7adaef29d24611ee2d709e01e1cb7ffb31be
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Aug 11 15:10:33 2016 +0200

    gensec_krb5: Use kerberos_free_data_contents() to free krb5 data
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8268501972994ce8240a27b68e85f9208b617094
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Aug 11 11:22:41 2016 +0200

    gensec_krb5: Only set the event context with Heimdal
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7ea7b60649dbc8312963a18119184b51ec2345fc
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Aug 11 11:20:42 2016 +0200

    gensec_krb5: Use krb5_wrap setup_kaddr() to convert address
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ab8628ac7a206d5b35022b6161f1ed9963ad0f97
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Aug 12 14:41:05 2016 +0200

    gensec_krb5: Rename smb_rd_req_return_stuff()
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit de224d70062695d50668d1b3084a80ac81d6d79b
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Aug 12 14:37:51 2016 +0200

    gensec_krb5: Rename gensec_krb5_util to gensec_krb5_heimdal
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1fe94a659e8fdeb9ddb07c9f5a3126f1cdaa459c
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Aug 10 15:57:05 2016 +0200

    s4-kdc: pac-glue: Add support for MIT pkinit
    
    This only makes sure the code compiles again. I'm not able to test this
    yet.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4f51484b4071d54183fbca0db4cfb21960016214
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Jun 9 16:02:23 2016 +0200

    mit_samba: Add missing copyright
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5ac9de30f0bc184fae14daca80a476de8161ea6d
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Jun 30 16:25:41 2016 +0200

    mit_samba: Add missing argument passed to authsam_make_user_info_dc()
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/gensec/gensec_krb5.c                  | 116 ++++++++++++++-------
 .../gensec/{gensec_krb5_util.h => gensec_krb5.h}   |   8 +-
 .../{gensec_krb5_util.c => gensec_krb5_heimdal.c}  |  61 ++++++-----
 source4/auth/gensec/wscript_build                  |   2 +-
 source4/kdc/mit_samba.c                            |   3 +
 source4/kdc/pac-glue.c                             | 101 ++++++++++++++++++
 6 files changed, 216 insertions(+), 75 deletions(-)
 rename source4/auth/gensec/{gensec_krb5_util.h => gensec_krb5.h} (56%)
 rename source4/auth/gensec/{gensec_krb5_util.c => gensec_krb5_heimdal.c} (81%)


Changeset truncated at 500 lines:

diff --git a/source4/auth/gensec/gensec_krb5.c 
b/source4/auth/gensec/gensec_krb5.c
index 2af6b14..8dbec15 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -41,7 +41,7 @@
 #include "lib/util/util_net.h"
 #include "../lib/util/asn1.h"
 #include "auth/kerberos/pac_utils.h"
-#include "gensec_krb5_util.h"
+#include "gensec_krb5.h"
 
 _PUBLIC_ NTSTATUS gensec_krb5_init(void);
 
@@ -150,6 +150,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security 
*gensec_security, bool
        if (tlocal_addr) {
                ssize_t socklen;
                struct sockaddr_storage ss;
+               bool ok;
 
                socklen = tsocket_address_bsd_sockaddr(tlocal_addr,
                                (struct sockaddr *) &ss,
@@ -158,12 +159,9 @@ static NTSTATUS gensec_krb5_start(struct gensec_security 
*gensec_security, bool
                        talloc_free(gensec_krb5_state);
                        return NT_STATUS_INTERNAL_ERROR;
                }
-               ret = 
krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
-                               (const struct sockaddr *) &ss, &my_krb5_addr);
-               if (ret) {
-                       DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address 
(local) failed (%s)\n", 
-                                
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
-                                                           ret, 
gensec_krb5_state)));
+               ok = setup_kaddr(&my_krb5_addr, &ss);
+               if (!ok) {
+                       DBG_WARNING("setup_kaddr (local) failed\n");
                        talloc_free(gensec_krb5_state);
                        return NT_STATUS_INTERNAL_ERROR;
                }
@@ -173,6 +171,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security 
*gensec_security, bool
        if (tremote_addr) {
                ssize_t socklen;
                struct sockaddr_storage ss;
+               bool ok;
 
                socklen = tsocket_address_bsd_sockaddr(tremote_addr,
                                (struct sockaddr *) &ss,
@@ -181,12 +180,9 @@ static NTSTATUS gensec_krb5_start(struct gensec_security 
*gensec_security, bool
                        talloc_free(gensec_krb5_state);
                        return NT_STATUS_INTERNAL_ERROR;
                }
-               ret = 
krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
-                               (const struct sockaddr *) &ss, &peer_krb5_addr);
-               if (ret) {
-                       DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address 
(local) failed (%s)\n", 
-                                
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
-                                                           ret, 
gensec_krb5_state)));
+               ok = setup_kaddr(&peer_krb5_addr, &ss);
+               if (!ok) {
+                       DBG_WARNING("setup_kaddr (remote) failed\n");
                        talloc_free(gensec_krb5_state);
                        return NT_STATUS_INTERNAL_ERROR;
                }
@@ -287,7 +283,9 @@ static NTSTATUS gensec_krb5_common_client_creds(struct 
gensec_security *gensec_s
        const char *hostname;
        krb5_data in_data = { .length = 0 };
        krb5_data *in_data_p = NULL;
+#ifdef SAMBA4_USES_HEIMDAL
        struct tevent_context *previous_ev;
+#endif
 
        if (lpcfg_parm_bool(gensec_security->settings->lp_ctx,
                            NULL, "gensec_krb5", "send_authenticator_checksum", 
true)) {
@@ -320,23 +318,58 @@ static NTSTATUS gensec_krb5_common_client_creds(struct 
gensec_security *gensec_s
                return NT_STATUS_UNSUCCESSFUL;
        }
        
+#ifdef SAMBA4_USES_HEIMDAL
        /* Do this every time, in case we have weird recursive issues here */
        ret = 
smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, 
&previous_ev);
        if (ret != 0) {
                DEBUG(1, ("gensec_krb5_start: Setting event context failed\n"));
                return NT_STATUS_NO_MEMORY;
        }
+#endif
        if (principal) {
                krb5_principal target_principal;
                ret = 
krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
                                      &target_principal);
                if (ret == 0) {
-                       ret = 
krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context, 
-                                               
&gensec_krb5_state->auth_context,
-                                               
gensec_krb5_state->ap_req_options, 
-                                               target_principal,
-                                               in_data_p, 
ccache_container->ccache, 
-                                               &gensec_krb5_state->enc_ticket);
+                       krb5_creds this_cred;
+                       krb5_creds *cred;
+
+                       ZERO_STRUCT(this_cred);
+                       ret = 
krb5_cc_get_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
+                                                   ccache_container->ccache,
+                                                   &this_cred.client);
+                       if (ret != 0) {
+                               return NT_STATUS_UNSUCCESSFUL;
+                       }
+
+                       ret = 
krb5_copy_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
+                                                 target_principal,
+                                                 &this_cred.server);
+                       if (ret != 0) {
+                               
krb5_free_cred_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
+                                                       &this_cred);
+                               return NT_STATUS_UNSUCCESSFUL;
+                       }
+                       this_cred.times.endtime = 0;
+
+                       ret = 
krb5_get_credentials(gensec_krb5_state->smb_krb5_context->krb5_context,
+                                                  0,
+                                                  ccache_container->ccache,
+                                                  &this_cred,
+                                                  &cred);
+                       
krb5_free_cred_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
+                                               &this_cred);
+                       if (ret != 0) {
+                               return NT_STATUS_UNSUCCESSFUL;
+                       }
+
+                       ret = 
krb5_mk_req_extended(gensec_krb5_state->smb_krb5_context->krb5_context,
+                                                  
&gensec_krb5_state->auth_context,
+                                                  
gensec_krb5_state->ap_req_options,
+                                                  in_data_p,
+                                                  cred,
+                                                  
&gensec_krb5_state->enc_ticket);
+
                        
krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, 
                                            target_principal);
                }
@@ -350,7 +383,9 @@ static NTSTATUS gensec_krb5_common_client_creds(struct 
gensec_security *gensec_s
                                  &gensec_krb5_state->enc_ticket);
        }
 
+#ifdef SAMBA4_USES_HEIMDAL
        smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, 
previous_ev, ev);
+#endif
 
        switch (ret) {
        case 0:
@@ -618,11 +653,13 @@ static NTSTATUS gensec_krb5_update(struct gensec_security 
*gensec_security,
                        inbuf.length = in.length;
                }
 
-               ret = 
smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context,
-                                             &gensec_krb5_state->auth_context, 
-                                             &inbuf, keytab->keytab, 
server_in_keytab,  
-                                             &outbuf, 
-                                             &gensec_krb5_state->ticket, 
+               ret = 
smb_krb5_rd_req_decoded(gensec_krb5_state->smb_krb5_context->krb5_context,
+                                             &gensec_krb5_state->auth_context,
+                                             &inbuf,
+                                             keytab->keytab,
+                                             server_in_keytab,
+                                             &outbuf,
+                                             &gensec_krb5_state->ticket,
                                              &gensec_krb5_state->keyblock);
 
                if (ret) {
@@ -637,7 +674,8 @@ static NTSTATUS gensec_krb5_update(struct gensec_security 
*gensec_security,
                } else {
                        *out = data_blob_talloc(out_mem_ctx, outbuf.data, 
outbuf.length);
                }
-               krb5_data_free(&outbuf);
+               
kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
+                                           &outbuf);
                return NT_STATUS_OK;
        }
 
@@ -655,8 +693,9 @@ static NTSTATUS gensec_krb5_session_key(struct 
gensec_security *gensec_security,
        struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state 
*)gensec_security->private_data;
        krb5_context context = 
gensec_krb5_state->smb_krb5_context->krb5_context;
        krb5_auth_context auth_context = gensec_krb5_state->auth_context;
-       krb5_keyblock *skey;
        krb5_error_code err = -1;
+       bool remote = false;
+       bool ok;
 
        if (gensec_krb5_state->state_position != GENSEC_KRB5_DONE) {
                return NT_STATUS_NO_USER_SESSION_KEY;
@@ -664,25 +703,24 @@ static NTSTATUS gensec_krb5_session_key(struct 
gensec_security *gensec_security,
 
        switch (gensec_security->gensec_role) {
        case GENSEC_CLIENT:
-               err = krb5_auth_con_getlocalsubkey(context, auth_context, 
&skey);
+               remote = false;
                break;
        case GENSEC_SERVER:
-               err = krb5_auth_con_getremotesubkey(context, auth_context, 
&skey);
+               remote = true;
                break;
        }
-       if (err == 0 && skey != NULL) {
-               DEBUG(10, ("Got KRB5 session key of length %d\n",  
-                          (int)KRB5_KEY_LENGTH(skey)));
-               *session_key = data_blob_talloc(mem_ctx,
-                                              KRB5_KEY_DATA(skey), 
KRB5_KEY_LENGTH(skey));
-               dump_data_pw("KRB5 Session Key:\n", session_key->data, 
session_key->length);
 
-               krb5_free_keyblock(context, skey);
-               return NT_STATUS_OK;
-       } else {
+       ok = get_krb5_smb_session_key(mem_ctx,
+                                     context,
+                                     auth_context,
+                                     session_key,
+                                     remote);
+       if (!ok) {
                DEBUG(10, ("KRB5 error getting session key %d\n", err));
                return NT_STATUS_NO_USER_SESSION_KEY;
        }
+
+       return NT_STATUS_OK;
 }
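Review bot: `err`, kept in the previous hunk as `krb5_error_code err = -1;`, is no longer assigned anywhere in gensec_krb5_session_key, so the failure message `DEBUG(10, ("KRB5 error getting session key %d\n", err));` always logs -1; since `get_krb5_smb_session_key()` only reports a bool, drop the variable and the argument: `DEBUG(10, ("KRB5 error getting session key\n"));`. The `switch (gensec_security->gensec_role)` also has no `default:`: before this change an unexpected role left `err == -1` and the function failed, whereas now `remote` stays `false` and the client-side subkey is handed out, so a `default: return NT_STATUS_NO_USER_SESSION_KEY;` arm preserves the previous behaviour. The function's prologue lies in the preceding hunk.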
 
 static NTSTATUS gensec_krb5_session_info(struct gensec_security 
*gensec_security,
@@ -816,7 +854,7 @@ static NTSTATUS gensec_krb5_wrap(struct gensec_security 
*gensec_security,
                }
                *out = data_blob_talloc(mem_ctx, output.data, output.length);
                
-               krb5_data_free(&output);
+               kerberos_free_data_contents(context, &output);
        } else {
                return NT_STATUS_ACCESS_DENIED;
        }
@@ -847,7 +885,7 @@ static NTSTATUS gensec_krb5_unwrap(struct gensec_security 
*gensec_security,
                }
                *out = data_blob_talloc(mem_ctx, output.data, output.length);
                
-               krb5_data_free(&output);
+               kerberos_free_data_contents(context, &output);
        } else {
                return NT_STATUS_ACCESS_DENIED;
        }
diff --git a/source4/auth/gensec/gensec_krb5_util.h 
b/source4/auth/gensec/gensec_krb5.h
similarity index 56%
rename from source4/auth/gensec/gensec_krb5_util.h
rename to source4/auth/gensec/gensec_krb5.h
index 09be3ff..ee684be 100644
--- a/source4/auth/gensec/gensec_krb5_util.h
+++ b/source4/auth/gensec/gensec_krb5.h
@@ -1,10 +1,10 @@
 /* See gensec_krb5_util.c for the license */
 
-krb5_error_code smb_rd_req_return_stuff(krb5_context context, 
+krb5_error_code smb_krb5_rd_req_decoded(krb5_context context,
                                        krb5_auth_context *auth_context,
                                        const krb5_data *inbuf,
-                                       krb5_keytab keytab, 
+                                       krb5_keytab keytab,
                                        krb5_principal acceptor_principal,
-                                       krb5_data *outbuf, 
-                                       krb5_ticket **ticket, 
+                                       krb5_data *outbuf,
+                                       krb5_ticket **ticket,
                                        krb5_keyblock **keyblock);
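Review bot: The comment on the header's first line, `/* See gensec_krb5_util.c for the license */`, now refers to a file this commit renames away; it should read `/* See gensec_krb5_heimdal.c for the license */`. The hunk covers the whole ten-line file and there is no include guard, which matters more now that the header carries the module's own name (`gensec_krb5.h`) and is likely to be included from more than one translation unit.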
diff --git a/source4/auth/gensec/gensec_krb5_util.c 
b/source4/auth/gensec/gensec_krb5_heimdal.c
similarity index 81%
rename from source4/auth/gensec/gensec_krb5_util.c
rename to source4/auth/gensec/gensec_krb5_heimdal.c
index 1e72293..7e9cb5a 100644
--- a/source4/auth/gensec/gensec_krb5_util.c
+++ b/source4/auth/gensec/gensec_krb5_heimdal.c
@@ -1,34 +1,34 @@
 /*
  * Copyright (c) 1997 - 2006 Kungliga Tekniska H�gskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
 /* This file for code taken from the Heimdal code, to preserve licence */
@@ -37,16 +37,16 @@
 #include "includes.h"
 #include "system/kerberos.h"
 #include "auth/kerberos/kerberos.h"
-#include "gensec_krb5_util.h"
+#include "gensec_krb5.h"
 
 /* Taken from  accept_sec_context.c,v 1.65 */
-krb5_error_code smb_rd_req_return_stuff(krb5_context context, 
+krb5_error_code smb_krb5_rd_req_decoded(krb5_context context,
                                        krb5_auth_context *auth_context,
                                        const krb5_data *inbuf,
-                                       krb5_keytab keytab, 
+                                       krb5_keytab keytab,
                                        krb5_principal acceptor_principal,
-                                       krb5_data *outbuf, 
-                                       krb5_ticket **ticket, 
+                                       krb5_data *outbuf,
+                                       krb5_ticket **ticket,
                                        krb5_keyblock **keyblock)
 {
        krb5_rd_req_in_ctx in = NULL;
@@ -80,7 +80,7 @@ krb5_error_code smb_rd_req_return_stuff(krb5_context context,
        /*
         * We need to remember some data on the context_handle.
         */
-       kret = krb5_rd_req_out_get_ticket(context, out, 
+       kret = krb5_rd_req_out_get_ticket(context, out,
                                          ticket);
        if (kret == 0) {
            kret = krb5_rd_req_out_get_keyblock(context, out,
@@ -100,4 +100,3 @@ krb5_error_code smb_rd_req_return_stuff(krb5_context 
context,
 
        return kret;
 }
-    
diff --git a/source4/auth/gensec/wscript_build 
b/source4/auth/gensec/wscript_build
index 3c7cc2e..c4e6918 100755
--- a/source4/auth/gensec/wscript_build
+++ b/source4/auth/gensec/wscript_build
@@ -6,7 +6,7 @@ bld.SAMBA_SUBSYSTEM('gensec_util',
                     autoproto='gensec_proto.h')
 
 bld.SAMBA_MODULE('gensec_krb5',
-       source='gensec_krb5.c gensec_krb5_util.c',
+       source='gensec_krb5.c gensec_krb5_heimdal.c',
        subsystem='gensec',
        init_function='gensec_krb5_init',
        deps='samba-credentials authkrb5 com_err gensec_util',
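Review bot: `gensec_krb5_heimdal.c` is still listed unconditionally in `source=`, while both the new name and the Heimdal-only `krb5_rd_req_in_ctx` API the file uses suggest it only compiles against Heimdal. Unless the file body is wrapped in `#ifdef SAMBA4_USES_HEIMDAL` outside the hunks shown, an MIT Kerberos build of this module will fail; either guard the file or pick the source list in this wscript according to the configured Kerberos implementation.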
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 69cddac..f501584 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -2,6 +2,8 @@
    MIT-Samba4 library
 
    Copyright (c) 2010, Simo Sorce <i...@samba.org>
+   Copyright (c) 2014-2015 Guenther Deschner <g...@samba.org>
+   Copyright (c) 2014-2016 Andreas Schneider <a...@samba.org>
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -644,6 +646,7 @@ int mit_samba_kpasswd_change_password(struct 
mit_samba_context *ctx,
                                           ctx->db_ctx->samdb,
                                           
lpcfg_netbios_name(ctx->db_ctx->lp_ctx),
                                           lpcfg_sam_name(ctx->db_ctx->lp_ctx),
+                                          
lpcfg_sam_dnsname(ctx->db_ctx->lp_ctx),
                                           p->realm_dn,
                                           p->msg,
                                           data_blob(NULL, 0),
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index ff3f62a..ad72e2e 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -234,6 +234,7 @@ NTSTATUS samba_get_cred_info_ndr_blob(TALLOC_CTX *mem_ctx,
        return NT_STATUS_OK;
 }
 
+#ifdef SAMBA4_USES_HEIMDAL
 krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
                                                  const krb5_keyblock 
*pkreplykey,
                                                  const DATA_BLOB 
*cred_ndr_blob,
@@ -309,6 +310,106 @@ krb5_error_code 
samba_kdc_encrypt_pac_credentials(krb5_context context,
 
        return 0;
 }
+#else /* SAMBA4_USES_HEIMDAL */
+krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
+                                                 const krb5_keyblock 
*pkreplykey,
+                                                 const DATA_BLOB 
*cred_ndr_blob,
+                                                 TALLOC_CTX *mem_ctx,
+                                                 DATA_BLOB *cred_info_blob)
+{
+       krb5_key cred_key;
+       krb5_enctype cred_enctype;
+       struct PAC_CREDENTIAL_INFO pac_cred_info = { .version = 0, };
+       krb5_error_code code;
+       const char *krb5err;
+       enum ndr_err_code ndr_err;
+       NTSTATUS nt_status;
+       krb5_data cred_ndr_data;
+       krb5_enc_data cred_ndr_crypt;
+       size_t enc_len = 0;
+
+       *cred_info_blob = data_blob_null;
+
+       code = krb5_k_create_key(context,
+                                pkreplykey,
+                                &cred_key);
+       if (code != 0) {
+               krb5err = krb5_get_error_message(context, code);
+               DEBUG(1, ("Failed initializing cred data crypto: %s\n", 
krb5err));
+               krb5_free_error_message(context, krb5err);
+               return code;
+       }
+
+       cred_enctype = krb5_k_key_enctype(context, cred_key);
+
+       DEBUG(10, ("Plain cred_ndr_blob (len %zu)\n",
+                 cred_ndr_blob->length));
+       dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
+                    cred_ndr_blob->data, cred_ndr_blob->length);
+
+       pac_cred_info.encryption_type = cred_enctype;
+
+       cred_ndr_data.magic = 0;
+       cred_ndr_data.data = (char *)cred_ndr_blob->data;
+       cred_ndr_data.length = cred_ndr_blob->length;
+
+       code = krb5_c_encrypt_length(context,
+                                    cred_enctype,
+                                    cred_ndr_data.length,
+                                    &enc_len);
+       if (code != 0) {
+               krb5err = krb5_get_error_message(context, code);
+               DEBUG(1, ("Failed initializing cred data crypto: %s\n", 
krb5err));
+               krb5_free_error_message(context, krb5err);
+               return code;
+       }
+
+       pac_cred_info.encrypted_data = data_blob_talloc_zero(mem_ctx, enc_len);
+       if (pac_cred_info.encrypted_data.data == NULL) {
+               DBG_ERR("Out of memory\n");
+               return ENOMEM;
+       }
+
+       cred_ndr_crypt.ciphertext.length = enc_len;
+       cred_ndr_crypt.ciphertext.data = (char 
*)pac_cred_info.encrypted_data.data;
+
+       code = krb5_k_encrypt(context,
+                             cred_key,
+                             KRB5_KU_OTHER_ENCRYPTED,
+                             NULL,
+                             &cred_ndr_data,
+                             &cred_ndr_crypt);
+       krb5_k_free_key(context, cred_key);
+       if (code != 0) {
+               krb5err = krb5_get_error_message(context, code);
+               DEBUG(1, ("Failed crypt of cred data: %s\n", krb5err));
+               krb5_free_error_message(context, krb5err);
+               return code;
+       }
+
+       if (DEBUGLVL(10)) {
+               NDR_PRINT_DEBUG(PAC_CREDENTIAL_INFO, &pac_cred_info);
+       }
+
+       ndr_err = ndr_push_struct_blob(cred_info_blob, mem_ctx, &pac_cred_info,
+                       (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_INFO);
+       TALLOC_FREE(pac_cred_info.encrypted_data.data);
+       if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+               nt_status = ndr_map_error2ntstatus(ndr_err);


-- 
Samba Shared Repository
