Changeset 745 for trunk/server/source4/heimdal/kuser/kinit.c

Timestamp:

Nov 27, 2012, 4:43:17 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: updated trunk to 3.6.0

Location:

trunk/server

Files:

• . (modified) (1 prop)
• source4/heimdal/kuser/kinit.c (modified) (18 diffs)

trunk/server/source4/heimdal/kuser/kinit.c

@@ -3 +3 @@
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34 +36 @@
 #include "kuser_locl.h"
 
-#ifndef HEIMDAL_SMALLER
-#include "krb5-v4compat.h"
-#endif
-
-struct krb5_dh_moduli;
-struct AlgorithmIdentifier;
-struct _krb5_krb_auth_data;
-#include <krb5-private.h>
+#ifdef __APPLE__
+#include <Security/Security.h>
+#endif
 
 #ifndef NO_NTLM
@@ -68 +65 @@
 char *keytab_str        = NULL;
 int do_afslog           = -1;
-#ifndef HEIMDAL_SMALLER
-int get_v4_tgt          = -1;
-int convert_524         = 0;
-static char *krb4_cc_name;
-#endif
 int fcache_version;
 char *password_file     = NULL;
 char *pk_user_id        = NULL;
 int pk_enterprise_flag = 0;
+struct hx509_certs_data *ent_user_id = NULL;
 char *pk_x509_anchors   = NULL;
 int pk_use_enckey       = 0;
@@ -98 +91 @@
      * C: v4 cache name?
      * 5:
+     *
+     * old flags
+     * 4:
+     * 9:
      */
-#ifndef HEIMDAL_SMALLER
-    { "524init",        '4', arg_flag, &get_v4_tgt,
-      NP_("obtain version 4 TGT", "") },
-
-    { "524convert",     '9', arg_flag, &convert_524,
-      NP_("only convert ticket to version 4", "") },
-#endif
     { "afslog",         0  , arg_flag, &do_afslog,
       NP_("obtain afs tokens", "")  },
@@ -112 +102 @@
       NP_("credentials cache", ""), "cachename" },
 
-    { "forwardable",    'f', arg_flag, &forwardable_flag,
+    { "forwardable",    0, arg_negative_flag, &forwardable_flag,
+      NP_("get tickets not forwardable", "")},
+
+    { NULL,             'f', arg_flag, &forwardable_flag,
       NP_("get forwardable tickets", "")},
 
@@ -232 +225 @@
 }
 
-#ifndef HEIMDAL_SMALLER
-
-static krb5_error_code
-do_524init(krb5_context context, krb5_ccache ccache,
-           krb5_creds *creds, const char *server)
-{
-    krb5_error_code ret;
-
-    struct credentials c;
-    krb5_creds in_creds, *real_creds;
-
-    if(creds != NULL)
-        real_creds = creds;
-    else {
-        krb5_principal client;
-        krb5_cc_get_principal(context, ccache, &client);
-        memset(&in_creds, 0, sizeof(in_creds));
-        ret = get_server(context, client, server, &in_creds.server);
-        if(ret) {
-            krb5_free_principal(context, client);
-            return ret;
-        }
-        in_creds.client = client;
-        ret = krb5_get_credentials(context, 0, ccache, &in_creds, &real_creds);
-        krb5_free_principal(context, client);
-        krb5_free_principal(context, in_creds.server);
-        if(ret)
-            return ret;
-    }
-    ret = krb524_convert_creds_kdc_ccache(context, ccache, real_creds, &c);
-    if(ret)
-        krb5_warn(context, ret, "converting creds");
-    else {
-        krb5_error_code tret = _krb5_krb_tf_setup(context, &c, NULL, 0);
-        if(tret)
-            krb5_warn(context, tret, "saving v4 creds");
-    }
-
-    if(creds == NULL)
-        krb5_free_creds(context, real_creds);
-    memset(&c, 0, sizeof(c));
-
-    return ret;
-}
-
-#endif
-
 static int
 renew_validate(krb5_context context,
@@ -358 +304 @@
     if(ret == 0 && server == NULL) {
         /* only do this if it's a general renew-my-tgt request */
-#ifndef HEIMDAL_SMALLER
-        if(get_v4_tgt)
-            do_524init(context, cache, out, NULL);
-#endif
 #ifndef NO_AFS
         if(do_afslog && k_hasafs())
@@ -445 +387 @@
     }
 
+#ifdef __APPLE__
+    if (passwd[0] == '\0') {
+        const char *realm;
+        OSStatus osret;
+        UInt32 length;
+        void *buffer;
+        char *name;
+
+        realm = krb5_principal_get_realm(context, principal);
+
+        ret = krb5_unparse_name_flags(context, principal,
+                                      KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
+        if (ret)
+            goto nopassword;
+
+        osret = SecKeychainFindGenericPassword(NULL, strlen(realm), realm,
+                                               strlen(name), name,
+                                               &length, &buffer, NULL);
+        free(name);
+        if (osret == noErr && length < sizeof(passwd) - 1) {
+            memcpy(passwd, buffer, length);
+            passwd[length] = '\0';
+        }
+    nopassword:
+        do { } while(0);
+    }
+#endif
 
     memset(&cred, 0, sizeof(cred));
@@ -466 +435 @@
     if (canonicalize_flag)
         krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
-    if (pk_enterprise_flag && windows_flag)
+    if ((pk_enterprise_flag || enterprise_flag || canonicalize_flag) && windows_flag)
         krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
-    if (pk_user_id || anonymous_flag) {
+    if (pk_user_id || ent_user_id || anonymous_flag) {
         ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
                                                  principal,
@@ -482 +451 @@
         if (ret)
             krb5_err(context, 1, ret, "krb5_get_init_creds_opt_set_pkinit");
+        if (ent_user_id)
+            krb5_get_init_creds_opt_set_pkinit_user_certs(context, opt, ent_user_id);
     }
 
@@ -544 +515 @@
                                           opt);
         krb5_kt_close(context, kt);
-    } else if (pk_user_id || anonymous_flag) {
+    } else if (pk_user_id || ent_user_id || anonymous_flag) {
         ret = krb5_get_init_creds_password (context,
                                             &cred,
@@ -741 +712 @@
                         ctx->ccache, ctx->ticket_life, 0);
 
-#ifndef HEIMDAL_SMALLER
-    if(get_v4_tgt || convert_524)
-        do_524init(ctx->context, ctx->ccache, NULL, server_str);
-#endif
 #ifndef NO_AFS
     if(do_afslog && k_hasafs())
@@ -796 +763 @@
 
     if (pk_enterprise_flag) {
-        ret = _krb5_pk_enterprise_cert(context, pk_user_id,
-                                       argv[0], &principal);
+        ret = krb5_pk_enterprise_cert(context, pk_user_id,
+                                      argv[0], &principal,
+                                      &ent_user_id);
         if (ret)
             krb5_err(context, 1, ret, "krb5_pk_enterprise_certs");
+
+        pk_user_id = NULL;
 
     } else if (anonymous_flag) {
@@ -807 +777 @@
                                   NULL);
         if (ret)
-            krb5_err(context, 1, ret, "krb5_build_principal");
+            krb5_err(context, 1, ret, "krb5_make_principal");
         krb5_principal_set_type(context, principal, KRB5_NT_WELLKNOWN);
 
@@ -831 +801 @@
                                 krb5_principal_get_realm(context, principal),
                                 "renewable", FALSE, &renewable_flag);
-#ifndef HEIMDAL_SMALLER
-    if(get_v4_tgt == -1)
-        krb5_appdefault_boolean(context, "kinit",
-                                krb5_principal_get_realm(context, principal),
-                                "krb4_get_tickets", FALSE, &get_v4_tgt);
-#endif
     if(do_afslog == -1)
         krb5_appdefault_boolean(context, "kinit",
@@ -854 +818 @@
                      krb5_cc_get_name(context, ccache));
             setenv("KRB5CCNAME", s, 1);
-#ifndef HEIMDAL_SMALLER
-            if (get_v4_tgt) {
-                int fd;
-                if (asprintf(&krb4_cc_name, "%s_XXXXXX", TKT_ROOT) < 0)
-                    krb5_errx(context, 1, "out of memory");
-                if((fd = mkstemp(krb4_cc_name)) >= 0) {
-                    close(fd);
-                    setenv("KRBTKFILE", krb4_cc_name, 1);
-                } else {
-                    free(krb4_cc_name);
-                    krb4_cc_name = NULL;
+        } else {
+            ret = krb5_cc_cache_match(context, principal, &ccache);
+            if (ret) {
+                const char *type;
+                ret = krb5_cc_default (context, &ccache);
+                if (ret)
+                    krb5_err (context, 1, ret, N_("resolving credentials cache", ""));
+
+                /* 
+                 * Check if the type support switching, and we do,
+                 * then do that instead over overwriting the current
+                 * default credential
+                 */
+                type = krb5_cc_get_type(context, ccache);
+                if (krb5_cc_support_switch(context, type)) {
+                    krb5_cc_close(context, ccache);
+                    ret = krb5_cc_new_unique(context, type, NULL, &ccache);
                 }
             }
-#endif
-        } else {
-            ret = krb5_cc_cache_match(context, principal, &ccache);
-            if (ret)
-                ret = krb5_cc_default (context, &ccache);
         }
     }
@@ -915 +880 @@
     }
 
-#ifndef HEIMDAL_SMALLER
-    if(!convert_524)
-#endif
-        get_new_tickets(context, principal, ccache, ticket_life, 1);
-
-#ifndef HEIMDAL_SMALLER
-    if(get_v4_tgt || convert_524)
-        do_524init(context, ccache, NULL, server_str);
-#endif
+    get_new_tickets(context, principal, ccache, ticket_life, 1);
+
 #ifndef NO_AFS
     if(do_afslog && k_hasafs())
@@ -949 +907 @@
         
         krb5_cc_destroy(context, ccache);
-#ifndef HEIMDAL_SMALLER
-        _krb5_krb_dest_tkt(context, krb4_cc_name);
-#endif
 #ifndef NO_AFS
         if(k_hasafs())