source3/libads/kerberos_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    krb5 set password implementation
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22 #include "smb_krb5.h"
  23 #include "ads.h"
  24 #include "lib/param/loadparm.h"
  25
  26 #ifdef HAVE_KRB5
  27
  28 /* run kinit to setup our ccache */
  29 int ads_kinit_password(ADS_STRUCT *ads)
  30 {
  31         char *s;
  32         int ret;
  33         const char *account_name;
  34         fstring acct_name;
  35
  36         if (ads->auth.password == NULL || ads->auth.password[0] == '\0') {
  37                 return KRB5_LIBOS_CANTREADPWD;
  38         }
  39
  40         if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
  41                 account_name = ads->auth.user_name;
  42                 goto got_accountname;
  43         }
  44
  45         if ( IS_DC ) {
  46                 /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
  47                 account_name = lp_workgroup();
  48         } else {
  49                 /* always use the sAMAccountName for security = domain */
  50                 /* lp_netbios_name()$@REA.LM */
  51                 if ( lp_security() == SEC_DOMAIN ) {
  52                         fstr_sprintf( acct_name, "%s$", lp_netbios_name() );
  53                         account_name = acct_name;
  54                 }
  55                 else
  56                         /* This looks like host/lp_netbios_name()@REA.LM */
  57                         account_name = ads->auth.user_name;
  58         }
  59
  60  got_accountname:
  61         if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
  62                 return KRB5_CC_NOMEM;
  63         }
  64
  65         ret = kerberos_kinit_password_ext(s, ads->auth.password,
  66                                           ads->auth.time_offset,
  67                                           &ads->auth.tgt_expire, NULL,
  68                                           ads->auth.ccache_name, false, false,
  69                                           ads->auth.renewable,
  70                                           NULL, NULL, NULL, NULL);
  71
  72         if (ret) {
  73                 DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
  74                          s, error_message(ret)));
  75         }
  76         SAFE_FREE(s);
  77         return ret;
  78 }
  79
  80 #endif