Re: heimdal didn't have AP_OPTS_USE_SUBKEY
On Sat, Feb 01, 2003 at 01:01:07PM +0100, Stefan (metze) Metzmacher wrote: Hi Jeremy, the latest HEAD did not compile with heimdal on SuSE8.1 because AP_OPTS_USE_SUBKEY is not defined in the heimdal/krb5.h only in the MIT krb5.h :-( is it possible to fix samba so that it finally compiles fine? Yes, I haven't finished the HEAD conversion to Heimdal yet, because HEAD uses some nasty MIT internals I need to look at converting. Jeremy.
Re: heimdal didn't have AP_OPTS_USE_SUBKEY
Also, if you are going to support specific enctypes, note that Heimdal defines ENCTYPE_ARCFOUR_HMAC_MD5 rather than ENCTYPE_ARCFOUR_HMAC. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com
Re: heimdal didn't have AP_OPTS_USE_SUBKEY
Sorry, the previously posted patch was needlessly complicated. The attached patch just contains the Kerberos-related stuff. -- Luke Index: configure.in === RCS file: /cvsroot/samba/source/configure.in,v retrieving revision 1.397 diff -u -r1.397 configure.in --- configure.in1 Feb 2003 11:00:39 - 1.397 +++ configure.in2 Feb 2003 12:12:47 - @@ -2198,6 +2198,8 @@ # now see if we can find the gssapi libs in standard paths + AC_CHECK_LIB(gssapi, gss_display_status, [LIBS=$LIBS -lgssapi; + AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])]) AC_CHECK_LIB(gssapi_krb5, gss_display_status, [LIBS=$LIBS -lgssapi_krb5; AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])]) Index: libads/kerberos_verify.c === RCS file: /cvsroot/samba/source/libads/kerberos_verify.c,v retrieving revision 1.5 diff -u -r1.5 kerberos_verify.c --- libads/kerberos_verify.c11 Jan 2003 03:29:31 - 1.5 +++ libads/kerberos_verify.c2 Feb 2003 12:12:48 - @@ -3,7 +3,7 @@ kerberos utility library Copyright (C) Andrew Tridgell 2001 Copyright (C) Remus Koos 2001 - + Copyright (C) Luke Howard 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
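Review bot: The new `AC_CHECK_LIB(gssapi, gss_display_status, ...)` and the existing `AC_CHECK_LIB(gssapi_krb5, ...)` in this configure.in hunk both run unconditionally and each appends its library to LIBS, so a host that carries both libgssapi (Heimdal) and libgssapi_krb5 (MIT) links both and resolves the GSSAPI symbols from whichever comes first on the link line, mixing two Kerberos implementations in one binary. Putting the gssapi_krb5 check in the action-if-not-found argument of the new check keeps it to one implementation: `AC_CHECK_LIB(gssapi, gss_display_status, [LIBS="$LIBS -lgssapi"; AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])], [AC_CHECK_LIB(gssapi_krb5, gss_display_status, [LIBS="$LIBS -lgssapi_krb5"; AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])])])`. The same pair of checks appears unchanged in the configure.in hunk at @@ -2198,6 +2201,8 @@ of the longer patch posted later in this thread, and the same fix applies there.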
@@ -29,25 +29,28 @@ authorization_data if available */ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, - char **principal, DATA_BLOB *auth_data) + char **principal, DATA_BLOB *auth_data, + uint8 session_key[16]) { krb5_context context; krb5_auth_context auth_context = NULL; krb5_keytab keytab = NULL; krb5_data packet; krb5_ticket *tkt = NULL; - krb5_data salt; - krb5_encrypt_block eblock; int ret, i; +#ifndef XAD krb5_keyblock * key; krb5_principal host_princ; char *host_princ_s; fstring myname; char *password_s; +#endif krb5_data password; - krb5_enctype *enctypes = NULL; - BOOL auth_ok = False; + krb5_keyblock *skey; +#ifdef XAD + /* We would rather use the keytab. */ +#else if (!secrets_init()) { DEBUG(1,(secrets_init failed\n)); return NT_STATUS_LOGON_FAILURE; @@ -61,6 +64,7 @@ password.data = password_s; password.length = strlen(password_s); +#endif /* XAD */ ret = krb5_init_context(context); if (ret) { @@ -83,6 +87,7 @@ return NT_STATUS_LOGON_FAILURE; } +#ifndef XAD fstrcpy(myname, global_myname()); strlower(myname); asprintf(host_princ_s, HOST/%s@%s, myname, lp_realm()); 
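Review bot: `int ret, i;` is kept on the new side of this hunk while the `for (i=0;enctypes[i];i++)` loop that used `i` is deleted in the following hunk, so `i` becomes an unused variable; the same deletion appears to leave the `continue` after the new `create_kerberos_key_from_string` call with no enclosing loop, which is a compile error rather than a warning, and that branch should instead `return NT_STATUS_LOGON_FAILURE;` like the neighbouring failure paths. The new `uint8 session_key[16]` parameter fixes the exported key length at 16 bytes and gives the caller no way to learn the actual enctype or length, which fits an RC4-HMAC session key but not, for example, an 8-byte DES key; the code that fills it is outside the visible hunks, so this is inferred from the signature alone. In the `#ifdef XAD` branch `keytab` stays NULL with only `/* We would rather use the keytab. */` to explain it, so `krb5_rd_req` is presumably relying on the library's default keytab; the comment should say so, e.g. `/* XAD: leave keytab NULL so krb5_rd_req uses the default keytab */`. ads_verify_ticket's body continues past this hunk.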
@@ -92,69 +97,58 @@ return NT_STATUS_LOGON_FAILURE; } - ret = krb5_principal2salt(context, host_princ, salt); - if (ret) { - DEBUG(1,(krb5_principal2salt failed (%s)\n, error_message(ret))); - return NT_STATUS_LOGON_FAILURE; - } - if (!(key = (krb5_keyblock *)malloc(sizeof(*key { return NT_STATUS_NO_MEMORY; } - if ((ret = krb5_get_permitted_enctypes(context, enctypes))) { - DEBUG(1,(krb5_get_permitted_enctypes failed (%s)\n, -error_message(ret))); - return NT_STATUS_LOGON_FAILURE; + ret = create_kerberos_key_from_string(context, host_princ, password, key); + if (ret) { + continue; } - /* we need to setup a auth context with each possible encoding type in turn */ - for (i=0;enctypes[i];i++) { - krb5_use_enctype(context, eblock, enctypes[i]); - - ret = krb5_string_to_key(context, eblock, key, password, salt); - if (ret) { - continue; - } + krb5_auth_con_setuseruserkey(context, auth_context, key); +#endif /* XAD */ - krb5_auth_con_setuseruserkey(context, auth_context, key); + packet.length = ticket-length; + packet.data = (krb5_pointer)ticket-data; - packet.length = ticket-length; - packet.data = (krb5_pointer)ticket-data; - - if (!(ret = krb5_rd_req(context, auth_context, packet, - NULL, keytab, NULL, tkt))) { - krb5_free_ktypes(context, enctypes); - auth_ok = True; - break; - } - } - - if (!auth_ok) { + if ((ret = krb5_rd_req(context, auth_context, packet, + NULL, keytab, NULL, tkt))) { DEBUG(3,(krb5_rd_req with auth failed (%s)\n,
Re: heimdal didn't have AP_OPTS_USE_SUBKEY
Please try the following patch (attached). This patch also includes a few other things, so edit as appropriate: - support for the DCE NP funnel (available from http://www.padl.com/~lukeh/XAD/dce_funnel.tar.gz) - support for using the keytab instead of the secrets database - support for using RC4 Kerberos session keys as named pipe session keys (have not tested with MIT) You probably won't want any of these things except perhaps for the latter, but I'm including them to meet our obligations under the GPL. cheers, -- Luke Index: Makefile.in === RCS file: /cvsroot/samba/source/Makefile.in,v retrieving revision 1.606 diff -u -r1.606 Makefile.in --- Makefile.in 1 Feb 2003 06:26:16 - 1.606 +++ Makefile.in 2 Feb 2003 00:00:36 - @@ -228,7 +228,7 @@ RPC_SPOOLSS_OBJ = rpc_server/srv_spoolss.o rpc_server/srv_spoolss_nt.o RPC_PIPE_OBJ = rpc_server/srv_pipe_hnd.o rpc_server/srv_util.o \ - rpc_server/srv_pipe.o rpc_server/srv_lsa_hnd.o + rpc_server/srv_pipe.o rpc_server/srv_lsa_hnd.o +rpc_server/srv_dce_funnel.o # These are like they are to avoid a dependency on GNU MAKE @LSA_DYNAMIC_YES@RPC_MODULES1 = bin/librpc_lsarpc.@SHLIBEXT@ Index: configure.in === RCS file: /cvsroot/samba/source/configure.in,v retrieving revision 1.397 diff -u -r1.397 configure.in --- configure.in1 Feb 2003 11:00:39 - 1.397 +++ configure.in2 Feb 2003 00:00:40 - 
@@ -2165,6 +2165,9 @@ AC_CHECK_LIB(krb5, krb5_auth_con_setkey, [AC_DEFINE(HAVE_KRB5_AUTH_CON_SETKEY,1,[Whether krb5_auth_con_setkey is available])]) AC_CHECK_LIB(krb5, krb5_auth_con_setuseruserkey, [AC_DEFINE(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY,1,[Whether krb5_auth_con_setuseruserkey is available])]) AC_CHECK_LIB(krb5, krb5_locate_kdc, [AC_DEFINE(HAVE_KRB5_LOCATE_KDC,1,[Whether krb5_locate_kdc is available])]) + AC_CHECK_LIB(krb5, krb5_get_permitted_enctypes, +[AC_DEFINE(HAVE_KRB5_GET_PERMITTED_ENCTYPES,1,[Whether krb5_get_permitted_enctypes is +available])]) + AC_CHECK_LIB(krb5, krb5_free_ktypes, [AC_DEFINE(HAVE_KRB5_FREE_KTYPES,1,[Whether +krb5_free_ktypes is available])]) + AC_CHECK_LIB(krb5, krb5_get_default_in_tkt_etypes, +[AC_DEFINE(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES,1,[Whether +krb5_get_default_in_tkt_etypes is available])]) AC_CACHE_CHECK([for addrtype in krb5_address],samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS,[ AC_TRY_COMPILE([#include krb5.h], 
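Review bot: The three new checks define HAVE_KRB5_GET_PERMITTED_ENCTYPES, HAVE_KRB5_FREE_KTYPES and HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES, but the prototypes this same patch adds to include/includes.h for krb5_get_permitted_enctypes and krb5_free_ktypes are not guarded by those symbols, so on a build where the library already declares the functions the header redeclares them unconditionally. Wrapping each added prototype as `#ifndef HAVE_KRB5_GET_PERMITTED_ENCTYPES` ... `#endif` (and likewise `#ifndef HAVE_KRB5_FREE_KTYPES`) limits the replacement declarations to the case the checks exist for. Nothing visible in this patch consumes HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES; if it has no user yet, the third check is dead weight in configure.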
@@ -2198,6 +2201,8 @@ # now see if we can find the gssapi libs in standard paths + AC_CHECK_LIB(gssapi, gss_display_status, [LIBS=$LIBS -lgssapi; + AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])]) AC_CHECK_LIB(gssapi_krb5, gss_display_status, [LIBS=$LIBS -lgssapi_krb5; AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])]) Index: include/includes.h === RCS file: /cvsroot/samba/source/include/includes.h,v retrieving revision 1.295 diff -u -r1.295 includes.h --- include/includes.h 30 Jan 2003 20:36:59 - 1.295 +++ include/includes.h 2 Feb 2003 00:00:41 - void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt); krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt); krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); +krb5_error_code krb5_get_permitted_enctypes(krb5_context context, krb5_enctype +**enctypes); +void krb5_free_ktypes(krb5_context context, krb5_enctype *enctypes); #endif /* HAVE_KRB5 */ Index: libads/kerberos_verify.c === RCS file: /cvsroot/samba/source/libads/kerberos_verify.c,v retrieving revision 1.5 diff -u -r1.5 kerberos_verify.c --- libads/kerberos_verify.c11 Jan 2003 03:29:31 - 1.5 +++ libads/kerberos_verify.c2 Feb 2003 00:00:41 - @@ -3,7 +3,7 @@ kerberos utility library Copyright (C) Andrew Tridgell 2001 Copyright (C) Remus Koos 2001 - + Copyright (C) Luke Howard 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -29,15 +29,14 @@ authorization_data if available */ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, - char **principal, DATA_BLOB *auth_data) + char **principal, DATA_BLOB *auth_data, + uint8 session_key[16]) { krb5_context context; krb5_auth_context auth_context = NULL; krb5_keytab keytab = NULL; krb5_data packet; krb5_ticket *tkt = NULL; - krb5_data salt; - krb5_encrypt_block eblock; int ret, i; krb5_keyblock *