From 28eae08ef71094f9ce053ca27a35f91e040d983c Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 11 Aug 2016 11:29:53 +0200
Subject: [PATCH] gensec_krb5: Implement smb_krb5_rd_req_decoded() with MIT Kerberos
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Signed-off-by: Andreas Schneider
Reviewed-by: Guenther Deschner
Autobuild-User(master): Günther Deschner
Autobuild-Date(master): Thu Sep 29 11:56:41 CEST 2016 on sn-devel-144
---
 source4/auth/gensec/gensec_krb5.c | 1 +
 source4/auth/gensec/gensec_krb5_mit.c | 102 ++++++++++++++++++++++++++++++++++
 source4/auth/gensec/wscript_build | 8 ++-
 3 files changed, 109 insertions(+), 2 deletions(-)
 create mode 100644 source4/auth/gensec/gensec_krb5_mit.c
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 24b556f8bf2..e1ac7367542 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -664,6 +664,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 &gensec_krb5_state->keyblock);
 if (ret) {
+ DBG_WARNING("smb_krb5_rd_req_decoded failed\n");
 return NT_STATUS_LOGON_FAILURE;
 }
 unwrapped_out.data = (uint8_t *)outbuf.data;
diff --git a/source4/auth/gensec/gensec_krb5_mit.c b/source4/auth/gensec/gensec_krb5_mit.c
new file mode 100644
index 00000000000..f7b3129f7f0
--- /dev/null
+++ b/source4/auth/gensec/gensec_krb5_mit.c
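Review bot: The added `DBG_WARNING` discards the error code, so at this point the log cannot distinguish a keytab/long-term-key lookup failure from a rejected AP-REQ; both surface to the peer as NT_STATUS_LOGON_FAILURE, and the distinction is what an operator needs to tell a misconfigured keytab from a genuinely bad ticket. Since the new MIT implementation returns the krb5_error_code from krb5_rd_req() or the keytab lookup, consider `DBG_WARNING("smb_krb5_rd_req_decoded failed: %s\n", error_message(ret));`, assuming `ret` holds that krb5_error_code here and com_err's error_message() is in scope in this file (the module links com_err per wscript_build). gensec_krb5_update() starts and ends outside this hunk.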
@@ -0,0 +1,102 @@
+
+#include "includes.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "gensec_krb5.h"
+
+static krb5_error_code smb_krb5_get_longterm_key(krb5_context context,
+ krb5_const_principal server,
+ krb5_kvno kvno,
+ krb5_enctype etype,
+ krb5_keytab keytab,
+ krb5_keyblock **keyblock_out)
+{
+ krb5_error_code code = EINVAL;
+
+ krb5_keytab_entry kt_entry;
+
+ code = krb5_kt_get_entry(context,
+ keytab,
+ server,
+ kvno,
+ etype,
+ &kt_entry);
+ if (code != 0) {
+ return code;
+ }
+
+ code = krb5_copy_keyblock(context,
+ &kt_entry.key,
+ keyblock_out);
+ krb5_free_keytab_entry_contents(context, &kt_entry);
+
+ return code;
+}
+
+krb5_error_code smb_krb5_rd_req_decoded(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_data *request,
+ krb5_keytab keytab,
+ krb5_principal acceptor_principal,
+ krb5_data *reply,
+ krb5_ticket **pticket,
+ krb5_keyblock **pkeyblock)
+{
+ krb5_error_code code;
+ krb5_flags ap_req_options = 0;
+ krb5_ticket *ticket = NULL;
+ krb5_keyblock *keyblock = NULL;
+
+ *pticket = NULL;
+ *pkeyblock = NULL;
+ reply->length = 0;
+ reply->data = NULL;
+
+ code = krb5_rd_req(context,
+ auth_context,
+ request,
+ acceptor_principal,
+ keytab,
+ &ap_req_options,
+ &ticket);
+ if (code != 0) {
+ DBG_ERR("krb5_rd_req failed: %s\n",
+ error_message(code));
+ return code;
+ }
+
+ /*
+ * Get the long term key from the keytab to be able to verify the PAC
+ * signature.
+ *
+ * FIXME: Use ticket->enc_part.kvno ???
+ * Getting the latest kvno with passing 0 fixes:
+ * make -j test TESTS="samba4.winbind.pac.ad_member"
+ */
+ code = smb_krb5_get_longterm_key(context,
+ ticket->server,
+ 0, /* kvno */
+ ticket->enc_part.enctype,
+ keytab,
+ &keyblock);
+ if (code != 0) {
+ DBG_ERR("smb_krb5_get_longterm_key failed: %s\n",
+ error_message(code));
+ krb5_free_ticket(context, ticket);
+
+ return code;
+ }
+
+ code = krb5_mk_rep(context, *auth_context, reply);
+ if (code != 0) {
+ DBG_ERR("krb5_mk_rep failed: %s\n",
+ error_message(code));
+ krb5_free_ticket(context, ticket);
+ krb5_free_keyblock(context, keyblock);
+ }
+
+ *pticket = ticket;
+ *pkeyblock = keyblock;
+
+ return code;
+}
diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
index c4e69183b28..a1d30a94af9 100755
--- a/source4/auth/gensec/wscript_build
+++ b/source4/auth/gensec/wscript_build
@@ -5,13 +5,17 @@ bld.SAMBA_SUBSYSTEM('gensec_util',
 deps='tevent-util tevent samba-util LIBTSOCKET',
 autoproto='gensec_proto.h')
+gensec_krb5_sources = 'gensec_krb5_heimdal.c'
+if bld.CONFIG_SET('SAMBA_USES_MITKDC'):
+ gensec_krb5_sources = 'gensec_krb5_mit.c'
+
 bld.SAMBA_MODULE('gensec_krb5',
- source='gensec_krb5.c gensec_krb5_heimdal.c',
+ source='gensec_krb5.c ' + gensec_krb5_sources,
 subsystem='gensec',
 init_function='gensec_krb5_init',
 deps='samba-credentials authkrb5 com_err gensec_util',
 internal_module=False,
- enabled=bld.AD_DC_BUILD_IS_ENABLED() and bld.CONFIG_SET('SAMBA4_USES_HEIMDAL')
+ enabled=bld.AD_DC_BUILD_IS_ENABLED()
 )
-- 
2.11.4.GIT
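Review bot: On the `krb5_mk_rep` failure path at the end of smb_krb5_rd_req_decoded(), `ticket` and `keyblock` are freed but control falls through to `*pticket = ticket; *pkeyblock = keyblock;`, so the caller receives pointers to freed memory together with the non-zero return code. The caller in gensec_krb5.c passes `&gensec_krb5_state->keyblock`, so the stale pointers presumably land in long-lived state and would become a double free or use-after-free when that state is torn down; add `return code;` after `krb5_free_keyblock(context, keyblock);` inside that `if` block (or reset both locals to NULL there), matching the early return used on the krb5_rd_req() and smb_krb5_get_longterm_key() failure paths. Separately, as the FIXME notes, passing kvno 0 to smb_krb5_get_longterm_key() selects the newest keytab entry, so a still-valid ticket issued under the previous key after a rollover would fail PAC verification; `ticket->enc_part.kvno` is the value the ticket actually carries. Minor: `code = EINVAL` in smb_krb5_get_longterm_key() is overwritten by krb5_kt_get_entry() before it is ever read.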