search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-kerberos: fix ads_dedicated_keytab_verify_ticket with heimdal.
[Samba.git] / source3 / libads / kerberos_verify.c
blobfe22898a26e2a49ad904ddc8107ab3d6ebdaa0e5
1 /*
2 Unix SMB/CIFS implementation.
3 kerberos utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Guenther Deschner 2003, 2005
8 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
9 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
10 Copyright (C) Jeremy Allison 2007
11
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
16
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 #include "includes.h"
27
28 #ifdef HAVE_KRB5
29
30 #if !defined(HAVE_KRB5_PRINC_COMPONENT)
31 const krb5_data *krb5_princ_component(krb5_context, krb5_principal, int );
32 #endif
33
34 static bool ads_dedicated_keytab_verify_ticket(krb5_context context,
35 krb5_auth_context auth_context,
36 const DATA_BLOB *ticket,
37 krb5_ticket **pp_tkt,
38 krb5_keyblock **keyblock,
39 krb5_error_code *perr)
40 {
41 krb5_error_code ret = 0;
42 bool auth_ok = false;
43 krb5_keytab keytab = NULL;
44 krb5_keytab_entry kt_entry;
45 krb5_ticket *dec_ticket = NULL;
46
47 krb5_data packet;
48 krb5_kvno kvno = 0;
49 krb5_enctype enctype;
50
51 *pp_tkt = NULL;
52 *keyblock = NULL;
53 *perr = 0;
54
55 ZERO_STRUCT(kt_entry);
56
57 ret = smb_krb5_open_keytab(context, lp_dedicated_keytab_file(), true,
58 &keytab);
59 if (ret) {
60 DEBUG(1, ("smb_krb5_open_keytab failed (%s)\n",
61 error_message(ret)));
62 goto out;
63 }
64
65 packet.length = ticket->length;
66 packet.data = (char *)ticket->data;
67
68 ret = krb5_rd_req(context, &auth_context, &packet, NULL, keytab,
69 NULL, &dec_ticket);
70 if (ret) {
71 DEBUG(0, ("krb5_rd_req failed (%s)\n", error_message(ret)));
72 goto out;
73 }
74
75 #ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */
76 enctype = dec_ticket->ticket.key.keytype;
77 #else /* MIT */
78 enctype = dec_ticket->enc_part.enctype;
79 kvno = dec_ticket->enc_part.kvno;
80 #endif
81
82 /* Get the key for checking the pac signature */
83 ret = krb5_kt_get_entry(context, keytab, dec_ticket->server,
84 kvno, enctype, &kt_entry);
85 if (ret) {
86 DEBUG(0, ("krb5_kt_get_entry failed (%s)\n",
87 error_message(ret)));
88 goto out;
89 }
90
91 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
92 ret = krb5_copy_keyblock(context, &kt_entry.keyblock, keyblock);
93 #elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */
94 ret = krb5_copy_keyblock(context, &kt_entry.key, keyblock);
95 #else
96 #error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT
97 #endif
98 smb_krb5_kt_free_entry(context, &kt_entry);
99
100 if (ret) {
101 DEBUG(0, ("failed to copy key: %s\n",
102 error_message(ret)));
103 goto out;
104 }
105
106 auth_ok = true;
107 *pp_tkt = dec_ticket;
108 dec_ticket = NULL;
109
110 out:
111 if (dec_ticket)
112 krb5_free_ticket(context, dec_ticket);
113
114 if (keytab)
115 krb5_kt_close(context, keytab);
116
117 *perr = ret;
118 return auth_ok;
119 }
120
121 /**********************************************************************************
122 Try to verify a ticket using the system keytab... the system keytab has kvno -1 entries, so
123 it's more like what microsoft does... see comment in utils/net_ads.c in the
124 ads_keytab_add_entry function for details.
125 ***********************************************************************************/
126
127 static bool ads_keytab_verify_ticket(krb5_context context,
128 krb5_auth_context auth_context,
129 const DATA_BLOB *ticket,
130 krb5_ticket **pp_tkt,
131 krb5_keyblock **keyblock,
132 krb5_error_code *perr)
133 {
134 krb5_error_code ret = 0;
135 bool auth_ok = False;
136 krb5_keytab keytab = NULL;
137 krb5_kt_cursor kt_cursor;
138 krb5_keytab_entry kt_entry;
139 char *valid_princ_formats[7] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL };
140 char *entry_princ_s = NULL;
141 fstring my_name, my_fqdn;
142 int i;
143 int number_matched_principals = 0;
144 krb5_data packet;
145
146 *pp_tkt = NULL;
147 *keyblock = NULL;
148 *perr = 0;
149
150 /* Generate the list of principal names which we expect
151 * clients might want to use for authenticating to the file
152 * service. We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
153
154 fstrcpy(my_name, global_myname());
155
156 my_fqdn[0] = '\0';
157 name_to_fqdn(my_fqdn, global_myname());
158
159 if (asprintf(&valid_princ_formats[0], "%s$@%s", my_name, lp_realm()) == -1) {
160 goto out;
161 }
162 if (asprintf(&valid_princ_formats[1], "host/%s@%s", my_name, lp_realm()) == -1) {
163 goto out;
164 }
165 if (asprintf(&valid_princ_formats[2], "host/%s@%s", my_fqdn, lp_realm()) == -1) {
166 goto out;
167 }
168 if (asprintf(&valid_princ_formats[3], "host/%s.%s@%s", my_name, lp_realm(), lp_realm()) == -1) {
169 goto out;
170 }
171 if (asprintf(&valid_princ_formats[4], "cifs/%s@%s", my_name, lp_realm()) == -1) {
172 goto out;
173 }
174 if (asprintf(&valid_princ_formats[5], "cifs/%s@%s", my_fqdn, lp_realm()) == -1) {
175 goto out;
176 }
177 if (asprintf(&valid_princ_formats[6], "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm()) == -1) {
178 goto out;
179 }
180
181 ZERO_STRUCT(kt_entry);
182 ZERO_STRUCT(kt_cursor);
183
184 ret = smb_krb5_open_keytab(context, NULL, False, &keytab);
185 if (ret) {
186 DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
187 goto out;
188 }
189
190 /* Iterate through the keytab. For each key, if the principal
191 * name case-insensitively matches one of the allowed formats,
192 * try verifying the ticket using that principal. */
193
194 ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
195 if (ret) {
196 DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret)));
197 goto out;
198 }
199
200 while (!auth_ok && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
201 ret = smb_krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
202 if (ret) {
203 DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_unparse_name failed (%s)\n",
204 error_message(ret)));
205 goto out;
206 }
207
208 for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
209
210 if (!strequal(entry_princ_s, valid_princ_formats[i])) {
211 continue;
212 }
213
214 number_matched_principals++;
215 packet.length = ticket->length;
216 packet.data = (char *)ticket->data;
217 *pp_tkt = NULL;
218
219 ret = krb5_rd_req_return_keyblock_from_keytab(context, &auth_context, &packet,
220 kt_entry.principal, keytab,
221 NULL, pp_tkt, keyblock);
222
223 if (ret) {
224 DEBUG(10,("ads_keytab_verify_ticket: "
225 "krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n",
226 entry_princ_s, error_message(ret)));
227
228 /* workaround for MIT:
229 * as krb5_ktfile_get_entry will explicitly
230 * close the krb5_keytab as soon as krb5_rd_req
231 * has successfully decrypted the ticket but the
232 * ticket is not valid yet (due to clockskew)
233 * there is no point in querying more keytab
234 * entries - Guenther */
235
236 if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
237 ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
238 ret == KRB5KRB_AP_ERR_SKEW) {
239 break;
240 }
241 } else {
242 DEBUG(3,("ads_keytab_verify_ticket: "
243 "krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n",
244 entry_princ_s));
245 auth_ok = True;
246 break;
247 }
248 }
249
250 /* Free the name we parsed. */
251 SAFE_FREE(entry_princ_s);
252
253 /* Free the entry we just read. */
254 smb_krb5_kt_free_entry(context, &kt_entry);
255 ZERO_STRUCT(kt_entry);
256 }
257 krb5_kt_end_seq_get(context, keytab, &kt_cursor);
258
259 ZERO_STRUCT(kt_cursor);
260
261 out:
262
263 for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
264 SAFE_FREE(valid_princ_formats[i]);
265 }
266
267 if (!auth_ok) {
268 if (!number_matched_principals) {
269 DEBUG(3, ("ads_keytab_verify_ticket: no keytab principals matched expected file service name.\n"));
270 } else {
271 DEBUG(3, ("ads_keytab_verify_ticket: krb5_rd_req failed for all %d matched keytab principals\n",
272 number_matched_principals));
273 }
274 }
275
276 SAFE_FREE(entry_princ_s);
277
278 {
279 krb5_keytab_entry zero_kt_entry;
280 ZERO_STRUCT(zero_kt_entry);
281 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
282 smb_krb5_kt_free_entry(context, &kt_entry);
283 }
284 }
285
286 {
287 krb5_kt_cursor zero_csr;
288 ZERO_STRUCT(zero_csr);
289 if ((memcmp(&kt_cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
290 krb5_kt_end_seq_get(context, keytab, &kt_cursor);
291 }
292 }
293
294 if (keytab) {
295 krb5_kt_close(context, keytab);
296 }
297 *perr = ret;
298 return auth_ok;
299 }
300
301 /**********************************************************************************
302 Try to verify a ticket using the secrets.tdb.
303 ***********************************************************************************/
304
305 static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
306 krb5_auth_context auth_context,
307 krb5_principal host_princ,
308 const DATA_BLOB *ticket,
309 krb5_ticket **pp_tkt,
310 krb5_keyblock **keyblock,
311 krb5_error_code *perr)
312 {
313 krb5_error_code ret = 0;
314 bool auth_ok = False;
315 char *password_s = NULL;
316 krb5_data password;
317 krb5_enctype enctypes[] = {
318 #if defined(ENCTYPE_ARCFOUR_HMAC)
319 ENCTYPE_ARCFOUR_HMAC,
320 #endif
321 ENCTYPE_DES_CBC_CRC,
322 ENCTYPE_DES_CBC_MD5,
323 ENCTYPE_NULL
324 };
325 krb5_data packet;
326 int i;
327
328 *pp_tkt = NULL;
329 *keyblock = NULL;
330 *perr = 0;
331
332
333 if (!secrets_init()) {
334 DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n"));
335 *perr = KRB5_CONFIG_CANTOPEN;
336 return False;
337 }
338
339 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
340 if (!password_s) {
341 DEBUG(1,("ads_secrets_verify_ticket: failed to fetch machine password\n"));
342 *perr = KRB5_LIBOS_CANTREADPWD;
343 return False;
344 }
345
346 password.data = password_s;
347 password.length = strlen(password_s);
348
349 /* CIFS doesn't use addresses in tickets. This would break NAT. JRA */
350
351 packet.length = ticket->length;
352 packet.data = (char *)ticket->data;
353
354 /* We need to setup a auth context with each possible encoding type in turn. */
355 for (i=0;enctypes[i];i++) {
356 krb5_keyblock *key = NULL;
357
358 if (!(key = SMB_MALLOC_P(krb5_keyblock))) {
359 ret = ENOMEM;
360 goto out;
361 }
362
363 if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i], false)) {
364 SAFE_FREE(key);
365 continue;
366 }
367
368 krb5_auth_con_setuseruserkey(context, auth_context, key);
369
370 if (!(ret = krb5_rd_req(context, &auth_context, &packet,
371 NULL,
372 NULL, NULL, pp_tkt))) {
373 DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n",
374 (unsigned int)enctypes[i] ));
375 auth_ok = True;
376 krb5_copy_keyblock(context, key, keyblock);
377 krb5_free_keyblock(context, key);
378 break;
379 }
380
381 DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
382 ("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
383 (unsigned int)enctypes[i], error_message(ret)));
384
385 /* successfully decrypted but ticket is just not valid at the moment */
386 if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
387 ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
388 ret == KRB5KRB_AP_ERR_SKEW) {
389 krb5_free_keyblock(context, key);
390 break;
391 }
392
393 krb5_free_keyblock(context, key);
394
395 }
396
397 out:
398 SAFE_FREE(password_s);
399 *perr = ret;
400 return auth_ok;
401 }
402
403 /**********************************************************************************
404 Verify an incoming ticket and parse out the principal name and
405 authorization_data if available.
406 ***********************************************************************************/
407
408 NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
409 const char *realm,
410 time_t time_offset,
411 const DATA_BLOB *ticket,
412 char **principal,
413 struct PAC_DATA **pac_data,
414 DATA_BLOB *ap_rep,
415 DATA_BLOB *session_key,
416 bool use_replay_cache)
417 {
418 NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
419 NTSTATUS pac_ret;
420 DATA_BLOB auth_data;
421 krb5_context context = NULL;
422 krb5_auth_context auth_context = NULL;
423 krb5_data packet;
424 krb5_ticket *tkt = NULL;
425 krb5_rcache rcache = NULL;
426 krb5_keyblock *keyblock = NULL;
427 time_t authtime;
428 krb5_error_code ret = 0;
429 int flags = 0;
430 krb5_principal host_princ = NULL;
431 krb5_const_principal client_principal = NULL;
432 char *host_princ_s = NULL;
433 bool auth_ok = False;
434 bool got_auth_data = False;
435 struct named_mutex *mutex = NULL;
436
437 ZERO_STRUCT(packet);
438 ZERO_STRUCT(auth_data);
439
440 *principal = NULL;
441 *pac_data = NULL;
442 *ap_rep = data_blob_null;
443 *session_key = data_blob_null;
444
445 initialize_krb5_error_table();
446 ret = krb5_init_context(&context);
447 if (ret) {
448 DEBUG(1,("ads_verify_ticket: krb5_init_context failed (%s)\n", error_message(ret)));
449 return NT_STATUS_LOGON_FAILURE;
450 }
451
452 if (time_offset != 0) {
453 krb5_set_real_time(context, time(NULL) + time_offset, 0);
454 }
455
456 ret = krb5_set_default_realm(context, realm);
457 if (ret) {
458 DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
459 goto out;
460 }
461
462 /* This whole process is far more complex than I would
463 like. We have to go through all this to allow us to store
464 the secret internally, instead of using /etc/krb5.keytab */
465
466 ret = krb5_auth_con_init(context, &auth_context);
467 if (ret) {
468 DEBUG(1,("ads_verify_ticket: krb5_auth_con_init failed (%s)\n", error_message(ret)));
469 goto out;
470 }
471
472 krb5_auth_con_getflags( context, auth_context, &flags );
473 if ( !use_replay_cache ) {
474 /* Disable default use of a replay cache */
475 flags &= ~KRB5_AUTH_CONTEXT_DO_TIME;
476 krb5_auth_con_setflags( context, auth_context, flags );
477 }
478
479 if (asprintf(&host_princ_s, "%s$", global_myname()) == -1) {
480 goto out;
481 }
482
483 strlower_m(host_princ_s);
484 ret = smb_krb5_parse_name(context, host_princ_s, &host_princ);
485 if (ret) {
486 DEBUG(1,("ads_verify_ticket: smb_krb5_parse_name(%s) failed (%s)\n",
487 host_princ_s, error_message(ret)));
488 goto out;
489 }
490
491
492 if ( use_replay_cache ) {
493
494 /* Lock a mutex surrounding the replay as there is no
495 locking in the MIT krb5 code surrounding the replay
496 cache... */
497
498 mutex = grab_named_mutex(talloc_tos(), "replay cache mutex",
499 10);
500 if (mutex == NULL) {
501 DEBUG(1,("ads_verify_ticket: unable to protect "
502 "replay cache with mutex.\n"));
503 ret = KRB5_CC_IO;
504 goto out;
505 }
506
507 /* JRA. We must set the rcache here. This will prevent
508 replay attacks. */
509
510 ret = krb5_get_server_rcache(context,
511 krb5_princ_component(context, host_princ, 0),
512 &rcache);
513 if (ret) {
514 DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache "
515 "failed (%s)\n", error_message(ret)));
516 goto out;
517 }
518
519 ret = krb5_auth_con_setrcache(context, auth_context, rcache);
520 if (ret) {
521 DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache "
522 "failed (%s)\n", error_message(ret)));
523 goto out;
524 }
525 }
526
527 switch (lp_kerberos_method()) {
528 default:
529 case KERBEROS_VERIFY_SECRETS:
530 auth_ok = ads_secrets_verify_ticket(context, auth_context,
531 host_princ, ticket, &tkt, &keyblock, &ret);
532 break;
533 case KERBEROS_VERIFY_SYSTEM_KEYTAB:
534 auth_ok = ads_keytab_verify_ticket(context, auth_context,
535 ticket, &tkt, &keyblock, &ret);
536 break;
537 case KERBEROS_VERIFY_DEDICATED_KEYTAB:
538 auth_ok = ads_dedicated_keytab_verify_ticket(context,
539 auth_context, ticket, &tkt, &keyblock, &ret);
540 break;
541 case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
542 /* First try secrets.tdb and fallback to the krb5.keytab if
543 necessary. This is the pre 3.4 behavior when
544 "use kerberos keytab" was true.*/
545 auth_ok = ads_secrets_verify_ticket(context, auth_context,
546 host_princ, ticket, &tkt, &keyblock, &ret);
547
548 if (!auth_ok) {
549 /* Only fallback if we failed to decrypt the ticket */
550 if (ret != KRB5KRB_AP_ERR_TKT_NYV &&
551 ret != KRB5KRB_AP_ERR_TKT_EXPIRED &&
552 ret != KRB5KRB_AP_ERR_SKEW) {
553 auth_ok = ads_keytab_verify_ticket(context,
554 auth_context, ticket, &tkt, &keyblock,
555 &ret);
556 }
557 }
558 break;
559 }
560
561 if ( use_replay_cache ) {
562 TALLOC_FREE(mutex);
563 #if 0
564 /* Heimdal leaks here, if we fix the leak, MIT crashes */
565 if (rcache) {
566 krb5_rc_close(context, rcache);
567 }
568 #endif
569 }
570
571 if (!auth_ok) {
572 DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
573 error_message(ret)));
574 /* Try map the error return in case it's something like
575 * a clock skew error.
576 */
577 sret = krb5_to_nt_status(ret);
578 if (NT_STATUS_IS_OK(sret) || NT_STATUS_EQUAL(sret,NT_STATUS_UNSUCCESSFUL)) {
579 sret = NT_STATUS_LOGON_FAILURE;
580 }
581 DEBUG(10,("ads_verify_ticket: returning error %s\n",
582 nt_errstr(sret) ));
583 goto out;
584 }
585
586 authtime = get_authtime_from_tkt(tkt);
587 client_principal = get_principal_from_tkt(tkt);
588
589 ret = krb5_mk_rep(context, auth_context, &packet);
590 if (ret) {
591 DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
592 error_message(ret)));
593 goto out;
594 }
595
596 *ap_rep = data_blob(packet.data, packet.length);
597 if (packet.data) {
598 kerberos_free_data_contents(context, &packet);
599 ZERO_STRUCT(packet);
600 }
601
602 get_krb5_smb_session_key(context, auth_context, session_key, True);
603 dump_data_pw("SMB session key (from ticket)\n", session_key->data, session_key->length);
604
605 #if 0
606 file_save("/tmp/ticket.dat", ticket->data, ticket->length);
607 #endif
608
609 /* continue when no PAC is retrieved or we couldn't decode the PAC
610 (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set, or
611 Kerberos tickets encrypted using a DES key) - Guenther */
612
613 got_auth_data = get_auth_data_from_tkt(mem_ctx, &auth_data, tkt);
614 if (!got_auth_data) {
615 DEBUG(3,("ads_verify_ticket: did not retrieve auth data. continuing without PAC\n"));
616 }
617
618 if (got_auth_data) {
619 pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
620 if (!NT_STATUS_IS_OK(pac_ret)) {
621 DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
622 *pac_data = NULL;
623 }
624 data_blob_free(&auth_data);
625 }
626
627 #if 0
628 #if defined(HAVE_KRB5_TKT_ENC_PART2)
629 /* MIT */
630 if (tkt->enc_part2) {
631 file_save("/tmp/authdata.dat",
632 tkt->enc_part2->authorization_data[0]->contents,
633 tkt->enc_part2->authorization_data[0]->length);
634 }
635 #else
636 /* Heimdal */
637 if (tkt->ticket.authorization_data) {
638 file_save("/tmp/authdata.dat",
639 tkt->ticket.authorization_data->val->ad_data.data,
640 tkt->ticket.authorization_data->val->ad_data.length);
641 }
642 #endif
643 #endif
644
645 if ((ret = smb_krb5_unparse_name(context, client_principal, principal))) {
646 DEBUG(3,("ads_verify_ticket: smb_krb5_unparse_name failed (%s)\n",
647 error_message(ret)));
648 sret = NT_STATUS_LOGON_FAILURE;
649 goto out;
650 }
651
652 sret = NT_STATUS_OK;
653
654 out:
655
656 TALLOC_FREE(mutex);
657
658 if (!NT_STATUS_IS_OK(sret)) {
659 data_blob_free(&auth_data);
660 }
661
662 if (!NT_STATUS_IS_OK(sret)) {
663 data_blob_free(ap_rep);
664 }
665
666 if (host_princ) {
667 krb5_free_principal(context, host_princ);
668 }
669
670 if (keyblock) {
671 krb5_free_keyblock(context, keyblock);
672 }
673
674 if (tkt != NULL) {
675 krb5_free_ticket(context, tkt);
676 }
677
678 SAFE_FREE(host_princ_s);
679
680 if (auth_context) {
681 krb5_auth_con_free(context, auth_context);
682 }
683
684 if (context) {
685 krb5_free_context(context);
686 }
687
688 return sret;
689 }
690
691 #endif /* HAVE_KRB5 */
Samba GIT mirror