source3/libads/kerberos_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    krb5 set password implementation
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22 #include "smb_krb5.h"
  23 #include "ads.h"
  24 #include "lib/param/loadparm.h"
  25
  26 #ifdef HAVE_KRB5
  27
  28 /* run kinit to setup our ccache */
  29 int ads_kinit_password(ADS_STRUCT *ads)
  30 {
  31         char *s;
  32         int ret;
  33         const char *account_name;
  34         fstring acct_name;
  35
  36         if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
  37                 account_name = ads->auth.user_name;
  38                 goto got_accountname;
  39         }
  40
  41         if ( IS_DC ) {
  42                 /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
  43                 account_name = lp_workgroup();
  44         } else {
  45                 /* always use the sAMAccountName for security = domain */
  46                 /* lp_netbios_name()$@REA.LM */
  47                 if ( lp_security() == SEC_DOMAIN ) {
  48                         fstr_sprintf( acct_name, "%s$", lp_netbios_name() );
  49                         account_name = acct_name;
  50                 }
  51                 else
  52                         /* This looks like host/lp_netbios_name()@REA.LM */
  53                         account_name = ads->auth.user_name;
  54         }
  55
  56  got_accountname:
  57         if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
  58                 return KRB5_CC_NOMEM;
  59         }
  60
  61         if (!ads->auth.password) {
  62                 SAFE_FREE(s);
  63                 return KRB5_LIBOS_CANTREADPWD;
  64         }
  65
  66         ret = kerberos_kinit_password_ext(s, ads->auth.password,
  67                                           ads->auth.time_offset,
  68                                           &ads->auth.tgt_expire, NULL,
  69                                           ads->auth.ccache_name, false, false,
  70                                           ads->auth.renewable, NULL);
  71
  72         if (ret) {
  73                 DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
  74                          s, error_message(ret)));
  75         }
  76         SAFE_FREE(s);
  77         return ret;
  78 }
  79
  80 #endif