2 Unix SMB/CIFS implementation.
3 kerberos utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Guenther Deschner 2003
8 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
9 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 #include "system/kerberos.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "auth/credentials/credentials.h"
30 #include "auth/credentials/credentials_krb5.h"
32 /**********************************************************************************
33 Verify an incoming ticket and parse out the principal name and
34 authorization_data if available.
35 ***********************************************************************************/
37 NTSTATUS
ads_verify_ticket(TALLOC_CTX
*mem_ctx
,
38 struct smb_krb5_context
*smb_krb5_context
,
39 krb5_auth_context
*auth_context
,
40 struct cli_credentials
*machine_account
,
42 const DATA_BLOB
*enc_ticket
,
45 krb5_keyblock
**keyblock
)
47 krb5_keyblock
*local_keyblock
;
50 krb5_flags ap_req_options
= 0;
51 krb5_principal server
;
54 struct keytab_container
*keytab_container
;
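57 * TODO: Actually hook in the replay cache in Heimdal, then re-add
58 * calls to set up a replay cache here, in our private directory.
59 * This will eventually prevent replay attacks; until then, no replay cache is set up here, so a replayed request is not rejected by one at this point.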
62 packet
.length
= enc_ticket
->length
;
63 packet
.data
= (krb5_pointer
)enc_ticket
->data
;
65 /* Grab the keytab, however generated */
66 ret
= cli_credentials_get_keytab(machine_account
, &keytab_container
);
68 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
71 /* This ensures we lookup the correct entry in that keytab */
72 ret
= principal_from_credentials(mem_ctx
, machine_account
, smb_krb5_context
,
75 ret
= krb5_rd_req_return_keyblock(smb_krb5_context
->krb5_context
, auth_context
, &packet
,
77 keytab_container
->keytab
, &ap_req_options
, tkt
,
82 DEBUG(3,("ads_secrets_verify_ticket: failed to decrypt with error %s\n",
83 smb_get_krb5_error_message(smb_krb5_context
->krb5_context
, ret
, mem_ctx
)));
84 return NT_STATUS_LOGON_FAILURE
;
86 *keyblock
= local_keyblock
;
89 ret
= krb5_mk_rep(smb_krb5_context
->krb5_context
, *auth_context
, &packet_out
);
91 krb5_free_ticket(smb_krb5_context
->krb5_context
, *tkt
);
93 DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
94 smb_get_krb5_error_message(smb_krb5_context
->krb5_context
, ret
, mem_ctx
)));
95 return NT_STATUS_LOGON_FAILURE
;
98 *ap_rep
= data_blob_talloc(mem_ctx
, packet_out
.data
, packet_out
.length
);
99 krb5_free_data_contents(smb_krb5_context
->krb5_context
, &packet_out
);