Changeset 124 for branches/samba-3.0/source/libads

Timestamp:

Mar 12, 2008, 9:08:18 AM (17 years ago)

Author:

Paul Smedley

Message:

Update source to 3.0.28a

Location:

branches/samba-3.0/source/libads

Files:

• kerberos.c (modified) (2 diffs)
• sasl.c (modified) (7 diffs)
• util.c (modified) (1 diff)

branches/samba-3.0/source/libads/kerberos.c

@@ -363 +363 @@
 }
 
+/************************************************************************
+ Routine to get the default realm from the kerberos credentials cache.
+ Caller must free if the return value is not NULL.
+************************************************************************/
+
+char *kerberos_get_default_realm_from_ccache( void )
+{
+        char *realm = NULL;
+        krb5_context ctx = NULL;
+        krb5_ccache cc = NULL;
+        krb5_principal princ = NULL;
+
+        initialize_krb5_error_table();
+        if (krb5_init_context(&ctx)) {
+                return NULL;
+        }
+
+        DEBUG(5,("kerberos_get_default_realm_from_ccache: "
+                "Trying to read krb5 cache: %s\n",
+                krb5_cc_default_name(ctx)));
+        if (krb5_cc_default(ctx, &cc)) {
+                DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+                        "failed to read default cache\n"));
+                goto out;
+        }
+        if (krb5_cc_get_principal(ctx, cc, &princ)) {
+                DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+                        "failed to get default principal\n"));
+                goto out;
+        }
+
+#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
+        realm = SMB_STRDUP(krb5_principal_get_realm(ctx, princ));
+#elif defined(HAVE_KRB5_PRINC_REALM)
+        {
+                krb5_data *realm_data = krb5_princ_realm(ctx, princ);
+                realm = SMB_STRNDUP(realm_data->data, realm_data->length);
+        }
+#endif
+
+  out:
+
+        if (princ) {
+                krb5_free_principal(ctx, princ);
+        }
+        if (cc) {
+                krb5_cc_close(ctx, cc);
+        }
+        if (ctx) {
+                krb5_free_context(ctx);
+        }
+
+        return realm;
+}
+
 
 /************************************************************************
@@ -622 +677 @@
                 return False;
         }
-                
-        file_contents = talloc_asprintf(fname, "[libdefaults]\n\tdefault_realm = %s\n\n"
-                                "[realms]\n\t%s = {\n"
-                                "\t%s\t}\n",
-                                realm_upper, realm_upper, kdc_ip_string);
+
+        file_contents = talloc_asprintf(fname,
+                                        "[libdefaults]\n\tdefault_realm = %s\n"
+                                        "default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+                                        "default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+                                        "preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
+                                        "[realms]\n\t%s = {\n"
+                                        "\t%s\t}\n",
+                                        realm_upper, realm_upper, kdc_ip_string);
 
         if (!file_contents) {

branches/samba-3.0/source/libads/sasl.c

@@ -138 +138 @@
 
 #ifdef HAVE_KRB5
+struct ads_service_principal {
+         char *string;
+#ifdef HAVE_GSSAPI
+         gss_name_t name;
+#endif
+};
+
+static void ads_free_service_principal(struct ads_service_principal *p)
+{
+        SAFE_FREE(p->string);
+
+#ifdef HAVE_GSSAPI
+        if (p->name) {
+                uint32 minor_status;
+                gss_release_name(&minor_status, &p->name);
+        }
+#endif
+        ZERO_STRUCTP(p);
+}
+
+static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
+                                                 const char *given_principal,
+                                                 struct ads_service_principal *p)
+{
+        ADS_STATUS status;
+#ifdef HAVE_GSSAPI
+        gss_buffer_desc input_name;
+        /* GSS_KRB5_NT_PRINCIPAL_NAME */
+        gss_OID_desc nt_principal =
+        {10, CONST_DISCARD(char *, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01")};
+        uint32 minor_status;
+        int gss_rc;
+#endif
+
+        ZERO_STRUCTP(p);
+
+        /* I've seen a child Windows 2000 domain not send
+           the principal name back in the first round of
+           the SASL bind reply.  So we guess based on server
+           name and realm.  --jerry  */
+        /* Also try best guess when we get the w2k8 ignore
+           principal back - gd */
+
+        if (!given_principal ||
+            strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
+
+                status = ads_guess_service_principal(ads, &p->string);
+                if (!ADS_ERR_OK(status)) {
+                        return status;
+                }
+        } else {
+                p->string = SMB_STRDUP(given_principal);
+                if (!p->string) {
+                        return ADS_ERROR(LDAP_NO_MEMORY);
+                }
+        }
+
+#ifdef HAVE_GSSAPI
+        input_name.value = p->string;
+        input_name.length = strlen(p->string);
+
+        gss_rc = gss_import_name(&minor_status, &input_name, &nt_principal, &p->name);
+        if (gss_rc) {
+                ads_free_service_principal(p);
+                return ADS_ERROR_GSS(gss_rc, minor_status);
+        }
+#endif
+
+        return ADS_SUCCESS;
+}
+
 /* 
    perform a LDAP/SASL/SPNEGO/KRB5 bind
 */
-static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads, const char *principal)
+static ADS_STATUS ads_sasl_spnego_rawkrb5_bind(ADS_STRUCT *ads, const char *principal)
 {
         DATA_BLOB blob = data_blob(NULL, 0);
@@ -168 +239 @@
         return ADS_ERROR(rc);
 }
+
+static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads,
+                                            struct ads_service_principal *p)
+{
+        return ads_sasl_spnego_rawkrb5_bind(ads, p->string);
+}
+
 #endif
 
@@ -179 +257 @@
         ADS_STATUS status;
         DATA_BLOB blob;
-        char *principal = NULL;
+        char *given_principal = NULL;
         char *OIDs[ASN1_MAX_OIDS];
 #ifdef HAVE_KRB5
@@ -202 +280 @@
         /* the server sent us the first part of the SPNEGO exchange in the negprot 
            reply */
-        if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
+        if (!spnego_parse_negTokenInit(blob, OIDs, &given_principal)) {
                 data_blob_free(&blob);
                 status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
@@ -220 +298 @@
                 free(OIDs[i]);
         }
-        DEBUG(3,("ads_sasl_spnego_bind: got server principal name = %s\n", principal));
+        DEBUG(3,("ads_sasl_spnego_bind: got server principal name = %s\n", given_principal));
 
 #ifdef HAVE_KRB5
@@ -226 +304 @@
             got_kerberos_mechanism) 
         {
-                /* I've seen a child Windows 2000 domain not send 
-                   the principal name back in the first round of 
-                   the SASL bind reply.  So we guess based on server
-                   name and realm.  --jerry  */
-                if ( !principal ) {
-                        if ( ads->server.realm && ads->server.ldap_server ) {
-                                char *server, *server_realm;
-                                
-                                server = SMB_STRDUP( ads->server.ldap_server );
-                                server_realm = SMB_STRDUP( ads->server.realm );
-                                
-                                if ( !server || !server_realm )
-                                        return ADS_ERROR(LDAP_NO_MEMORY);
-
-                                strlower_m( server );
-                                strupper_m( server_realm );                             
-                                asprintf( &principal, "ldap/%s@%s", server, server_realm );
-
-                                SAFE_FREE( server );
-                                SAFE_FREE( server_realm );
-
-                                if ( !principal )
-                                        return ADS_ERROR(LDAP_NO_MEMORY);                               
-                        }
-                        
-                }
-                
-                status = ads_sasl_spnego_krb5_bind(ads, principal);
+                struct ads_service_principal p;
+
+                status = ads_generate_service_principal(ads, given_principal, &p);
+                SAFE_FREE(given_principal);
+                if (!ADS_ERR_OK(status)) {
+                        return status;
+                }
+
+                status = ads_sasl_spnego_krb5_bind(ads, &p);
                 if (ADS_ERR_OK(status)) {
-                        SAFE_FREE(principal);
+                        ads_free_service_principal(&p);
                         return status;
                 }
@@ -265 +324 @@
 
                 if (ADS_ERR_OK(status)) {
-                        status = ads_sasl_spnego_krb5_bind(ads, principal);
-                }
+                        status = ads_sasl_spnego_krb5_bind(ads, &p);
+                        if (!ADS_ERR_OK(status)) {
+                                DEBUG(0,("kinit succeeded but "
+                                        "ads_sasl_spnego_krb5_bind failed: %s\n",
+                                        ads_errstr(status)));
+                        }
+                }
+
+                ads_free_service_principal(&p);
 
                 /* only fallback to NTLMSSP if allowed */
                 if (ADS_ERR_OK(status) || 
                     !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
-                        SAFE_FREE(principal);
                         return status;
                 }
-        }
-#endif
-
-        SAFE_FREE(principal);
+        } else
+#endif
+        {
+                SAFE_FREE(given_principal);
+        }
 
         /* lets do NTLMSSP ... this has the big advantage that we don't need

branches/samba-3.0/source/libads/util.c

@@ -53 +53 @@
         return ret;
 }
+
+ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
+                                       char **returned_principal)
+{
+        char *princ = NULL;
+
+        if (ads->server.realm && ads->server.ldap_server) {
+                char *server, *server_realm;
+
+                server = SMB_STRDUP(ads->server.ldap_server);
+                server_realm = SMB_STRDUP(ads->server.realm);
+
+                if (!server || !server_realm) {
+                        return ADS_ERROR(LDAP_NO_MEMORY);
+                }
+
+                strlower_m(server);
+                strupper_m(server_realm);
+                asprintf(&princ, "ldap/%s@%s", server, server_realm);
+
+                SAFE_FREE(server);
+                SAFE_FREE(server_realm);
+
+                if (!princ) {
+                        return ADS_ERROR(LDAP_NO_MEMORY);
+                }
+        } else if (ads->config.realm && ads->config.ldap_server_name) {
+                char *server, *server_realm;
+
+                server = SMB_STRDUP(ads->config.ldap_server_name);
+                server_realm = SMB_STRDUP(ads->config.realm);
+
+                if (!server || !server_realm) {
+                        return ADS_ERROR(LDAP_NO_MEMORY);
+                }
+
+                strlower_m(server);
+                strupper_m(server_realm);
+                asprintf(&princ, "ldap/%s@%s", server, server_realm);
+
+                SAFE_FREE(server);
+                SAFE_FREE(server_realm);
+
+                if (!princ) {
+                        return ADS_ERROR(LDAP_NO_MEMORY);
+                }
+        }
+
+        if (!princ) {
+                return ADS_ERROR(LDAP_PARAM_ERROR);
+        }
+
+        *returned_principal = princ;
+
+        return ADS_SUCCESS;
+}
+
 #endif