samba-mutual-auth.diff [plain text]
--- source/configure.in 22 Feb 2003 12:19:18 -0000 1.409
+++ source/configure.in 24 Feb 2003 06:04:25 -0000
@@ -627,6 +627,15 @@
fi
############################################
+# support for using Kerberos keytab instead of secrets database
+
+AC_ARG_ENABLE(keytab,
+[ --enable-keytab Turn on support for Kerberos keytabs in lieu of secrets DB (default=no)],
+ [if eval "test x$enable_keytab = xyes"; then
+ AC_DEFINE(USE_KEYTAB,1,[Use Kerberos keytab])
+ fi])
+
+############################################
# we need dlopen/dlclose/dlsym/dlerror for PAM, the password database plugins and the plugin loading code
AC_SEARCH_LIBS(dlopen, [dl])
# dlopen/dlclose/dlsym/dlerror will be checked again later and defines will be set then
--- source/passdb/secrets.c 1 Feb 2003 04:39:15 -0000 1.54
+++ source/passdb/secrets.c 24 Feb 2003 06:04:26 -0000
@@ -221,6 +221,72 @@
return True;
}
+#ifdef USE_KEYTAB
+/************************************************************************
+ Read local secret from the keytab
+************************************************************************/
+
+static BOOL secrets_fetch_keytab_password(uint8 ret_pwd[16], time_t *pass_last_set_time)
+{
+ char spn[MAXHOSTNAMELEN + 2], *p;
+ krb5_context context;
+ krb5_error_code ret;
+ krb5_principal princ;
+ krb5_keyblock *key;
+
+ ret = krb5_init_context(&context);
+ if (ret) {
+ DEBUG(1, ("secrets_fetch_keytab_password: failed to initialize Kerberos context\n"));
+ return False;
+ }
+
+ spn[sizeof(spn) - 1] = '\0';
+ if (gethostname(spn, sizeof(spn) - 2) < 0) {
+ DEBUG(1, ("secrets_fetch_keytab_password: could not determine local hostname\n"));
+ krb5_free_context(context);
+ return False;
+ }
+
+ for (p = spn; *p && *p != '.'; p++)
+ *p = toupper(*p);
+ *p++ = '$';
+ *p = '\0';
+
+ ret = krb5_parse_name(context, spn, &princ);
+ if (ret) {
+ DEBUG(1, ("secrets_fetch_keytab_password: failed to parse name %s\n", spn));
+ krb5_free_context(context);
+ return False;
+ }
+
+#ifdef ENCTYPE_ARCFOUR_HMAC
+ ret = krb5_kt_read_service_key(context, NULL, princ, 0, ENCTYPE_ARCFOUR_HMAC, &key);
+#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
+ ret = krb5_kt_read_service_key(context, NULL, princ, 0, ENCTYPE_ARCFOUR_HMAC_MD5, &key);
+#else
+#error ENCTYPE_ARCFOUR_HMAC or ENCTYPE_ARCFOUR_HMAC_MD5 required for keytab secret storage
+#endif
+ if (ret) {
+ DEBUG(1, ("secrets_fetch_keytab_password: failed to read secret for %s\n", spn));
+ krb5_free_context(context);
+ return False;
+ }
+ if (key->keyvalue.length != 16) {
+ DEBUG(1, ("secrets_fetch_keytab_password: key is incorrect length\n"));
+ krb5_free_context(context);
+ return False;
+ }
+
+ memcpy(ret_pwd, key->keyvalue.data, key->keyvalue.length);
+ time(pass_last_set_time); /* XXX */
+
+ krb5_free_keyblock(context, key);
+ krb5_free_context(context);
+
+ return True;
+}
+#endif /* USE_KEYTAB */
+
/************************************************************************
Routine to get the trust account password for a domain.
The user of this function must have locked the trust password file using
@@ -243,6 +309,12 @@
pass_last_set_time = 0;
return True;
}
+
+#ifdef USE_KEYTAB
+ if (is_myworkgroup(domain)) {
+ return secrets_fetch_keytab_password(ret_pwd, pass_last_set_time);
+ }
+#endif /* USE_KEYTAB */
if (!(pass = secrets_fetch(trust_keystr(domain), &size))) {
DEBUG(5, ("secrets_fetch failed!\n"));
--- source/libsmb/clikrb5.c 2003-07-02 00:32:55.000000000 +0200
+++ source/libsmb/clikrb5.c 2003-07-02 00:37:22.000000000 +0200
@@ -316,11 +316,13 @@
krb5_enctype enc_types[] = {
#ifdef ENCTYPE_ARCFOUR_HMAC
ENCTYPE_ARCFOUR_HMAC,
+#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
+ ENCTYPE_ARCFOUR_HMAC_MD5,
#endif
ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES_CBC_CRC,
ENCTYPE_NULL};
-
+
retval = krb5_init_context(&context);
if (retval) {
DEBUG(1,("krb5_init_context failed (%s)\n",
@@ -367,24 +369,26 @@
BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16])
{
-#ifdef ENCTYPE_ARCFOUR_HMAC
krb5_keyblock *skey;
-#endif
BOOL ret = False;
memset(session_key, 0, 16);
-#ifdef ENCTYPE_ARCFOUR_HMAC
+#if defined(ENCTYPE_ARCFOUR_HMAC) || defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
if (krb5_auth_con_getremotesubkey(context, auth_context, &skey) == 0 && skey != NULL) {
if (KRB5_KEY_TYPE(skey) ==
+# ifdef ENCTYPE_ARCFOUR_HMAC
ENCTYPE_ARCFOUR_HMAC
+# else
+ ENCTYPE_ARCFOUR_HMAC_MD5
+# endif /* ENCTYPE_ARCFOUR_HMAC */
&& KRB5_KEY_LENGTH(skey) == 16) {
memcpy(session_key, KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
ret = True;
}
krb5_free_keyblock(context, skey);
}
-#endif /* ENCTYPE_ARCFOUR_HMAC */
+#endif /* ENCTYPE_ARCFOUR_HMAC || HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */
return ret;
}
@@ -395,5 +399,12 @@
DEBUG(0,("NO KERBEROS SUPPORT\n"));
return data_blob(NULL, 0);
}
+BOOL krb5_get_smb_session_key(krb5_context context, krb5_auth_context ac, uint8 session_key[16])
+ {
+ DEBUG(0,("NO KERBEROS SUPPORT\n"));
+ memset(session_key, 0, 16);
+ return False;
+ }
+ //#endif
#endif
--- source/libads/kerberos_verify.c 2003-06-28 23:40:55.000000000 +0200
+++ source/libads/kerberos_verify.c 2003-07-02 00:50:13.000000000 +0200
@@ -38,7 +38,9 @@
krb5_keytab keytab = NULL;
krb5_data packet;
krb5_ticket *tkt = NULL;
- int ret, i;
+ int ret;
+#ifndef USE_KEYTAB
+ int i;
krb5_keyblock * key;
krb5_principal host_princ;
char *host_princ_s;
@@ -46,8 +48,10 @@
char *password_s;
krb5_data password;
krb5_enctype *enctypes = NULL;
+#endif /* USE_KEYTAB */
BOOL auth_ok = False;
+#ifndef USE_KEYTAB
if (!secrets_init()) {
DEBUG(1,("secrets_init failed\n"));
return NT_STATUS_LOGON_FAILURE;
@@ -61,6 +65,7 @@
password.data = password_s;
password.length = strlen(password_s);
+#endif /* USE_KEYTAB */
ret = krb5_init_context(&context);
if (ret) {
@@ -82,7 +87,16 @@
DEBUG(1,("krb5_auth_con_init failed (%s)\n", error_message(ret)));
return NT_STATUS_LOGON_FAILURE;
}
+#ifdef USE_KEYTAB
+ packet.length = ticket->length;
+ packet.data = (krb5_pointer)ticket->data;
+ if (!(ret = krb5_rd_req(context, &auth_context, &packet,
+ NULL, keytab, NULL, &tkt))) {
+ auth_ok = True;
+ }
+
+#else
fstrcpy(myname, global_myname());
strlower(myname);
asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm());
@@ -121,6 +135,9 @@
}
}
+ SAFE_FREE(key);
+#endif /* USE_KEYTAB */
+
if (!auth_ok) {
DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
error_message(ret)));
--- source/Makefile.in 2003-07-01 23:35:49.000000000 +0200
+++ source/Makefile.in 2003-07-02 01:20:09.000000000 +0200
@@ -806,7 +806,7 @@
bin/pdbedit@EXEEXT@: $(PDBEDIT_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(IDMAP_LIBS) $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(PASSDBLIBS)
+ @$(CC) $(FLAGS) -o $@ $(IDMAP_LIBS) $(PDBEDIT_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(PASSDBLIBS) $(KRB5LIBS)
bin/samtest@EXEEXT@: $(SAMTEST_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
@@ -1062,7 +1062,7 @@
bin/wbinfo@EXEEXT@: $(WBINFO_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
- @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@
+ @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@ $(KRB5LIBS)
bin/ntlm_auth@EXEEXT@: $(NTLM_AUTH_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \
$(UBIQX_OBJ) @BUILD_POPT@ bin/.dummy