Apply latest of Derrell Lippman's changes to libsmbclient.
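--- source/configure.in 22 Feb 2003 12:19:18 -0000 1.409
+++ source/configure.in 24 Feb 2003 06:04:25 -0000
@@ -627,6 +627,15 @@
 fi
 ############################################
+# support for using Kerberos keytab instead of secrets database
+AC_ARG_ENABLE(keytab,
+[ --enable-keytab Turn on support for Kerberos keytabs in lieu of secrets DB (default=no)],
+ [if eval "test x$enable_keytab = xyes"; then
+ AC_DEFINE(USE_KEYTAB,1,[Use Kerberos keytab])
+ fi])
+############################################
 # we need dlopen/dlclose/dlsym/dlerror for PAM, the password database plugins and the plugin loading code
 AC_SEARCH_LIBS(dlopen, [dl])
 # dlopen/dlclose/dlsym/dlerror will be checked again later and defines will be set then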
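Review bot: `--enable-keytab` defines USE_KEYTAB without checking that Kerberos headers and libraries were found, and the secrets.c code it enables calls krb5_init_context and krb5_kt_read_service_key unconditionally, so enabling it on a build without Kerberos cannot compile; the AC_DEFINE should be issued only when the existing Kerberos detection succeeded (the variable that records that result is outside this hunk). The `eval "test x$enable_keytab = xyes"` wrapper is unneeded; `if test x"$enable_keytab" = xyes; then` is the usual form. The help text could also state that the keytab must contain the machine account key, since the secrets.c reader looks up the upper-cased short hostname followed by `$`.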
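--- source/passdb/secrets.c 1 Feb 2003 04:39:15 -0000 1.54
+++ source/passdb/secrets.c 24 Feb 2003 06:04:26 -0000
@@ -221,6 +221,72 @@
 return True;
+#ifdef USE_KEYTAB
+/************************************************************************
+ Read local secret from the keytab
+************************************************************************/
+static BOOL secrets_fetch_keytab_password(uint8 ret_pwd[16], time_t *pass_last_set_time)
+ char spn[MAXHOSTNAMELEN + 2], *p;
+ krb5_context context;
+ krb5_error_code ret;
+ krb5_principal princ;
+ krb5_keyblock *key;
+ ret = krb5_init_context(&context);
+ if (ret) {
+ DEBUG(1, ("secrets_fetch_keytab_password: failed to initialize Kerberos context\n"));
+ return False;
+ }
+ spn[sizeof(spn) - 1] = '\0';
+ if (gethostname(spn, sizeof(spn) - 2) < 0) {
+ DEBUG(1, ("secrets_fetch_keytab_password: could not determine local hostname\n"));
+ krb5_free_context(context);
+ return False;
+ }
+ for (p = spn; *p && *p != '.'; p++)
+ *p = toupper(*p);
+ *p++ = '$';
+ *p = '\0';
+ ret = krb5_parse_name(context, spn, &princ);
+ if (ret) {
+ DEBUG(1, ("secrets_fetch_keytab_password: failed to parse name %s\n", spn));
+ krb5_free_context(context);
+ return False;
+ }
+#ifdef ENCTYPE_ARCFOUR_HMAC
+ ret = krb5_kt_read_service_key(context, NULL, princ, 0, ENCTYPE_ARCFOUR_HMAC, &key);
+#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
+ ret = krb5_kt_read_service_key(context, NULL, princ, 0, ENCTYPE_ARCFOUR_HMAC_MD5, &key);
+#else
+#error ENCTYPE_ARCFOUR_HMAC or ENCTYPE_ARCFOUR_HMAC_MD5 required for keytab secret storage
+#endif
+ if (ret) {
+ DEBUG(1, ("secrets_fetch_keytab_password: failed to read secret for %s\n", spn));
+ krb5_free_context(context);
+ return False;
+ }
+ if (key->keyvalue.length != 16) {
+ DEBUG(1, ("secrets_fetch_keytab_password: key is incorrect length\n"));
+ krb5_free_context(context);
+ return False;
+ }
+ memcpy(ret_pwd, key->keyvalue.data, key->keyvalue.length);
+ time(pass_last_set_time); /* XXX */
+ krb5_free_keyblock(context, key);
+ krb5_free_context(context);
+ return True;
+#endif /* USE_KEYTAB */
 /************************************************************************
 Routine to get the trust account password for a domain.
 The user of this function must have locked the trust password file using
@@ -243,6 +309,12 @@
 pass_last_set_time = 0;
 return True;
+#ifdef USE_KEYTAB
+ if (is_myworkgroup(domain)) {
+ return secrets_fetch_keytab_password(ret_pwd, pass_last_set_time);
+#endif /* USE_KEYTAB */
 if (!(pass = secrets_fetch(trust_keystr(domain), &size))) {
 DEBUG(5, ("secrets_fetch failed!\n"));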
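Review bot: The `princ` obtained from krb5_parse_name in secrets_fetch_keytab_password is never released with krb5_free_principal on any path, including the success path, and the key-length-mismatch branch returns without krb5_free_keyblock, so both leak on every call. The hostname handling also leaves one byte between the region gethostname() may fill (`sizeof(spn) - 2` bytes) and the terminator written at `spn[sizeof(spn) - 1]`; when gethostname() truncates without a NUL, the upper-casing loop reads that uninitialised byte and the `$`/NUL writes land one past the end of `spn`, so the terminator belongs at `spn[sizeof(spn) - 2]` after the call. `time(pass_last_set_time)` reports the key as set "now" on every fetch, which the `XXX` already marks; a caller that uses that timestamp to decide when the machine password is due for a change would presumably never see it age, so that deserves either the keytab entry's own timestamp or a comment stating the limitation. The rewrite below routes every exit through one cleanup label and casts the byte passed to toupper().
```c
static BOOL secrets_fetch_keytab_password(uint8 ret_pwd[16], time_t *pass_last_set_time)
{
	char spn[MAXHOSTNAMELEN + 2], *p;
	krb5_context context;
	krb5_error_code ret;
	krb5_principal princ = NULL;
	krb5_keyblock *key = NULL;
	BOOL ok = False;

	ret = krb5_init_context(&context);
	if (ret) {
		DEBUG(1, ("secrets_fetch_keytab_password: failed to initialize Kerberos context\n"));
		return False;
	}

	/* leave room for the trailing '$' and the NUL; gethostname() need not
	 * NUL-terminate on truncation, so terminate right after its region */
	if (gethostname(spn, sizeof(spn) - 2) < 0) {
		DEBUG(1, ("secrets_fetch_keytab_password: could not determine local hostname\n"));
		goto out;
	}
	spn[sizeof(spn) - 2] = '\0';

	for (p = spn; *p && *p != '.'; p++)
		*p = toupper((unsigned char)*p);
	*p++ = '$';
	*p = '\0';

	ret = krb5_parse_name(context, spn, &princ);
	if (ret) {
		DEBUG(1, ("secrets_fetch_keytab_password: failed to parse name %s\n", spn));
		goto out;
	}

	/* … unchanged: ENCTYPE_ARCFOUR_HMAC / ENCTYPE_ARCFOUR_HMAC_MD5 krb5_kt_read_service_key selection … */
	if (ret) {
		DEBUG(1, ("secrets_fetch_keytab_password: failed to read secret for %s\n", spn));
		goto out;
	}
	if (key->keyvalue.length != 16) {
		DEBUG(1, ("secrets_fetch_keytab_password: key is incorrect length\n"));
		goto out;
	}

	memcpy(ret_pwd, key->keyvalue.data, key->keyvalue.length);
	time(pass_last_set_time); /* XXX: keytab gives no last-set time; reports "now" on every fetch */
	ok = True;

out:
	if (key)
		krb5_free_keyblock(context, key);
	if (princ)
		krb5_free_principal(context, princ);
	krb5_free_context(context);
	return ok;
}
```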
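--- source/libsmb/clikrb5.c 2003-07-02 00:32:55.000000000 +0200
+++ source/libsmb/clikrb5.c 2003-07-02 00:37:22.000000000 +0200
@@ -316,11 +316,13 @@
 krb5_enctype enc_types[] = {
 #ifdef ENCTYPE_ARCFOUR_HMAC
 ENCTYPE_ARCFOUR_HMAC,
+#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
+ ENCTYPE_ARCFOUR_HMAC_MD5,
 #endif
 ENCTYPE_DES_CBC_MD5,
 ENCTYPE_DES_CBC_CRC,
 ENCTYPE_NULL};
 retval = krb5_init_context(&context);
 if (retval) {
 DEBUG(1,("krb5_init_context failed (%s)\n",
@@ -367,24 +369,26 @@
 BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16])
-#ifdef ENCTYPE_ARCFOUR_HMAC
 krb5_keyblock *skey;
-#endif
 BOOL ret = False;
 memset(session_key, 0, 16);
-#ifdef ENCTYPE_ARCFOUR_HMAC
+#if defined(ENCTYPE_ARCFOUR_HMAC) || defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
 if (krb5_auth_con_getremotesubkey(context, auth_context, &skey) == 0 && skey != NULL) {
 if (KRB5_KEY_TYPE(skey) ==
+# ifdef ENCTYPE_ARCFOUR_HMAC
 ENCTYPE_ARCFOUR_HMAC
+# else
+ ENCTYPE_ARCFOUR_HMAC_MD5
+# endif /* ENCTYPE_ARCFOUR_HMAC */
 && KRB5_KEY_LENGTH(skey) == 16) {
 memcpy(session_key, KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
 ret = True;
 krb5_free_keyblock(context, skey);
-#endif /* ENCTYPE_ARCFOUR_HMAC */
+#endif /* ENCTYPE_ARCFOUR_HMAC || HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */
 return ret;
@@ -395,5 +399,12 @@
 DEBUG(0,("NO KERBEROS SUPPORT\n"));
 return data_blob(NULL, 0);
+BOOL krb5_get_smb_session_key(krb5_context context, krb5_auth_context ac, uint8 session_key[16])
+ DEBUG(0,("NO KERBEROS SUPPORT\n"));
+ memset(session_key, 0, 16);
+ return False;
+ //#endif
 #endif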
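Review bot: The no-Kerberos stub added in the last hunk is named `krb5_get_smb_session_key`, while the real implementation two hunks up is `get_krb5_smb_session_key`, so a build without Kerberos still provides no definition for the symbol callers link against; the stub's signature should read `BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context ac, uint8 session_key[16])`. The stray `//#endif` comment line after its body is leftover debris and should be dropped. In the enctype list and in get_krb5_smb_session_key the first spelling is tested as the bare `ENCTYPE_ARCFOUR_HMAC` macro while the second uses the configure-derived `HAVE_ENCTYPE_ARCFOUR_HMAC_MD5`; that asymmetry looks intentional but deserves a one-line comment at the first `#elif` saying why the two are detected differently.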
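--- source/libads/kerberos_verify.c 2003-06-28 23:40:55.000000000 +0200
+++ source/libads/kerberos_verify.c 2003-07-02 00:50:13.000000000 +0200
@@ -38,7 +38,9 @@
 krb5_keytab keytab = NULL;
 krb5_data packet;
 krb5_ticket *tkt = NULL;
- int ret, i;
+ int ret;
+#ifndef USE_KEYTAB
+ int i;
 krb5_keyblock * key;
 krb5_principal host_princ;
 char *host_princ_s;
@@ -46,8 +48,10 @@
 char *password_s;
 krb5_data password;
 krb5_enctype *enctypes = NULL;
+#endif /* USE_KEYTAB */
 BOOL auth_ok = False;
+#ifndef USE_KEYTAB
 if (!secrets_init()) {
 DEBUG(1,("secrets_init failed\n"));
 return NT_STATUS_LOGON_FAILURE;
@@ -61,6 +65,7 @@
 password.data = password_s;
 password.length = strlen(password_s);
+#endif /* USE_KEYTAB */
 ret = krb5_init_context(&context);
 if (ret) {
@@ -82,7 +87,16 @@
 DEBUG(1,("krb5_auth_con_init failed (%s)\n", error_message(ret)));
 return NT_STATUS_LOGON_FAILURE;
+#ifdef USE_KEYTAB
+ packet.length = ticket->length;
+ packet.data = (krb5_pointer)ticket->data;
+ if (!(ret = krb5_rd_req(context, &auth_context, &packet,
+ NULL, keytab, NULL, &tkt))) {
+ auth_ok = True;
+#else
 fstrcpy(myname, global_myname());
 strlower(myname);
 asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm());
@@ -121,6 +135,9 @@
+ SAFE_FREE(key);
+#endif /* USE_KEYTAB */
 if (!auth_ok) {
 DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
 error_message(ret)));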
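Review bot: In the USE_KEYTAB branch of the fourth hunk krb5_rd_req is called with a NULL `server` principal and `keytab` still NULL from its initialiser, which searches the default keytab and accepts a ticket for any principal that has a key in it, whereas the `#else` path below constrains verification to `HOST/<myname>@<realm>`. The keytab path should build and pass the same host principal and free it afterwards; `host_princ` and `host_princ_s` (and `myname`, if it is declared inside that group) then have to move out of the `#ifndef USE_KEYTAB` declaration block the first hunk creates, since that block currently excludes them from the keytab build. The enclosing function begins before the first hunk and its tail, including whatever frees `tkt` and `auth_context`, is outside the last one, so I could not check the cleanup of the keytab path. The early return on parse failure below follows the function's existing style of returning NT_STATUS_LOGON_FAILURE directly.
```c
#ifdef USE_KEYTAB
	packet.length = ticket->length;
	packet.data = (krb5_pointer)ticket->data;

	/* only accept a ticket for this host's own service principal; with a
	 * NULL server krb5_rd_req() accepts any principal keyed in the keytab */
	fstrcpy(myname, global_myname());
	strlower(myname);
	asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm());
	ret = krb5_parse_name(context, host_princ_s, &host_princ);
	if (ret) {
		DEBUG(1,("krb5_parse_name(%s) failed (%s)\n", host_princ_s, error_message(ret)));
		SAFE_FREE(host_princ_s);
		return NT_STATUS_LOGON_FAILURE;
	}
	if (!(ret = krb5_rd_req(context, &auth_context, &packet,
				host_princ, keytab, NULL, &tkt))) {
		auth_ok = True;
	}
	krb5_free_principal(context, host_princ);
	SAFE_FREE(host_princ_s);
#else
	/* … unchanged: secrets-database verification path … */
```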
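--- source/Makefile.in 2003-07-01 23:35:49.000000000 +0200
+++ source/Makefile.in 2003-07-02 01:20:09.000000000 +0200
@@ -806,7 +806,7 @@
 bin/pdbedit@EXEEXT@: $(PDBEDIT_OBJ) @BUILD_POPT@ bin/.dummy
 @echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(IDMAP_LIBS) $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(PASSDBLIBS)
+ @$(CC) $(FLAGS) -o $@ $(IDMAP_LIBS) $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(PASSDBLIBS) $(KRB5LIBS)
 bin/samtest@EXEEXT@: $(SAMTEST_OBJ) @BUILD_POPT@ bin/.dummy
 @echo Linking $@
@@ -1062,7 +1062,7 @@
 bin/wbinfo@EXEEXT@: $(WBINFO_OBJ) @BUILD_POPT@ bin/.dummy
 @echo Linking $@
- @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@
+ @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@ $(KRB5LIBS)
 bin/ntlm_auth@EXEEXT@: $(NTLM_AUTH_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \
 $(UBIQX_OBJ) @BUILD_POPT@ bin/.dummy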